User-ID Syslog Monitoring Enhancements

The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog senders for mapping information:
  • Automatic deletion of user mappings—To improve the accuracy of your user-based policies and reports, you can now use syslog monitoring to detect when users have logged out; the firewall automatically deletes the associated User-ID mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.
  • Multiple syslog formats—In environments where multiple points of authentication send syslog messages in different formats, it is now easier to collect user mappings from the messages because the firewall can ingest multiple syslog formats from the same syslog sender.
  1. Define custom Syslog Parse profiles so that the firewall filters syslog messages for login and logout events.
    Select DeviceUser IdentificationUser Mapping, edit the Palo Alto Networks User-ID Agent Setup, select Syslog Filters, and Add a Syslog Parse profile.
    Each profile identifies either login events or logout events, but no single profile can identify both:
    • Example of Syslog Parse profile for login events:
    • Example of Syslog Parse profile for logout events:
  2. Define the syslog senders that the firewall will monitor for syslog messages.
    Select DeviceUser IdentificationUser Mapping and Add syslog senders to the Server Monitoring section. For syslog senders that send messages in multiple formats, Add a Syslog Parse profile for each format. Specify the event type (login or logout) for each profile.
    As a security best practice, select SSL when using the PAN-OS integrated User-ID agent to collect user mappings.
  3. Enable syslog listener services in the InterfaceManagement profile associated with the firewall interface used for user mapping.
    Select User-ID Syslog Listener-SSL and/or User-ID Syslog Listener-UDP based on the connection types you specified for the syslog senders in the previous step.
  4. Commit and verify your changes.
    1. Commit your changes.
    2. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
    3. Log in to the firewall CLI.
    4. Verify that the firewall mapped the login username to the client IP address:
      > show user ip-user-mapping ip <ip-address> 
      IP address: (vsys1)
      User:          localdomain\username
      From:          SYSLOG
    5. Log out of the client system.
    6. Verify that the firewall deleted the user mapping:
      > show user ip-user-mapping ip <ip-address> 
      No matched record

Related Documentation