The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog senders for mapping

Automatic deletion of user mappings—To improve the accuracy of your user-based policies and reports, you can now use syslog monitoring to detect when users have logged out; the firewall automatically deletes the associated User-ID mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.

Multiple syslog formats—In environments where multiple points of authentication send syslog messages in different formats, it is now easier to collect user mappings from the messages because the firewall can ingest multiple syslog formats from the same syslog sender.

Define custom Syslog Parse profiles so that the
firewall filters syslog messages for login and logout events.
edit the Palo Alto Networks User-ID Agent Setup, select
a Syslog Parse
Each profile identifies either login events or logout
events, but no single profile can identify both:
Example of Syslog Parse profile for login events:
Example of Syslog Parse profile for logout events:
Define the syslog senders that the firewall will monitor
for syslog messages.
senders to the Server Monitoring section. For syslog senders that
send messages in multiple formats,
Syslog Parse profile for each format. Specify the event type (
for each profile.
As a security best
when using the PAN-OS
integrated User-ID agent to collect user mappings.
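
A minimal sketch of the behaviour described above, added here as an illustration and not PAN-OS code: login and logout profiles are separate, one monitored sender carries several profiles, and a logout event deletes the mapping. The regexes, message formats, addresses, and the rule that a logout only removes the mapping of the same user are assumptions of this example.

```python
import re

# Hypothetical profiles; each matches exactly one event type. Regexes are constructed.
PROFILES = [
    {"name": "vpn-login", "event": "login",
     "regex": re.compile(r"VPN session opened user=(?P<user>\S+) ip=(?P<ip>\S+)")},
    {"name": "vpn-logout", "event": "logout",
     "regex": re.compile(r"VPN session closed user=(?P<user>\S+) ip=(?P<ip>\S+)")},
    {"name": "wifi-login", "event": "login",
     "regex": re.compile(r"auth OK; (?P<ip>\d+\.\d+\.\d+\.\d+) -> (?P<user>[\w.\\-]+)")},
]

# Monitored sender -> profiles attached to it (several formats from one sender).
SENDERS = {"192.0.2.10": ["vpn-login", "vpn-logout", "wifi-login"]}

def process(messages, senders=SENDERS, profiles=PROFILES):
    """Return (ip -> user mappings, count of ignored messages)."""
    by_name = {p["name"]: p for p in profiles}
    mappings, ignored = {}, 0
    for sender, text in messages:
        match = None
        for name in senders.get(sender, []):   # unknown sender: no profiles apply
            m = by_name[name]["regex"].search(text)
            if m:
                match = (by_name[name]["event"], m["user"], m["ip"])
                break
        if match is None:
            ignored += 1
            continue
        event, user, ip = match
        if event == "login":
            mappings[ip] = user            # newest login wins for a reused address
        elif mappings.get(ip) == user:
            del mappings[ip]               # logout removes only that user's mapping
    return mappings, ignored

# Constructed sample messages: (sender address, syslog text).
SAMPLE = [
    ("192.0.2.10", "VPN session opened user=alice ip=10.1.1.5"),
    ("192.0.2.10", "auth OK; 10.1.1.9 -> corp\\bob"),
    ("192.0.2.10", "VPN session closed user=alice ip=10.1.1.5"),
    ("192.0.2.10", "auth OK; 10.1.1.5 -> corp\\carol"),
    ("192.0.2.10", "VPN session closed user=alice ip=10.1.1.5"),   # stale logout
    ("203.0.113.7", "VPN session opened user=dave ip=10.1.1.9"),   # not a configured sender
    ("192.0.2.10", "disk usage 91%"),                              # matches no profile
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

The stale logout for alice leaves carol's mapping on the reused address intact, and the message from the unconfigured sender never reaches a profile.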