1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. User-ID Features
    5. User-ID Syslog Monitoring Enhancements
    End-of-Life (EoL)

    User-ID Syslog Monitoring Enhancements

    The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog senders for mapping information:
    • Automatic deletion of user mappings—To improve the accuracy of your user-based policies and reports, you can now use syslog monitoring to detect when users have logged out; the firewall automatically deletes the associated User-ID mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.
    • Multiple syslog formats—In environments where multiple points of authentication send syslog messages in different formats, it is now easier to collect user mappings from the messages because the firewall can ingest multiple syslog formats from the same syslog sender.
    1. Define custom Syslog Parse profiles so that the firewall filters syslog messages for login and logout events.
      Select
      Device
      User Identification
      User Mapping
      , edit the Palo Alto Networks User-ID Agent Setup, select
      Syslog Filters
      , and
      Add
       a Syslog Parse profile.
      Each profile identifies either login events or logout events, but no single profile can identify both:
      • Example of Syslog Parse profile for login events:
      • Example of Syslog Parse profile for logout events:
    2. Define the syslog senders that the firewall will monitor for syslog messages.
      Select
      Device
      User Identification
      User Mapping
       and
      Add
       syslog senders to the Server Monitoring section. For syslog senders that send messages in multiple formats,
      Add
       a Syslog Parse profile for each format. Specify the event type (
      login
       or
      logout
      ) for each profile.
      As a security best practice, select
      SSL
       when using the PAN-OS integrated User-ID agent to collect user mappings.
    3. Enable syslog listener services in the InterfaceManagement profile associated with the firewall interface used for user mapping.
      Select
      User-ID Syslog Listener-SSL
       and/or
      User-ID Syslog Listener-UDP
       based on the connection types you specified for the syslog senders in the previous step.
    4. Commit and verify your changes.
      1. Commit
         your changes.
      2. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
      4. Verify that the firewall mapped the login username to the client IP address:
        > 
        show user ip-user-mapping ip 
        <ip-address>
         
IP address:    192.0.2.1 (vsys1)
User:          localdomain\username
From:          SYSLOG
      5. Log out of the client system.
      6. Verify that the firewall deleted the user mapping:
        > 
        show user ip-user-mapping ip 
        <ip-address>
         
No matched record

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo