End-of-Life (EoL)

User-ID Syslog Monitoring Enhancements

The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog senders for mapping information:
  • Automatic deletion of user mappings—To improve the accuracy of your user-based policies and reports, you can now use syslog monitoring to detect when users have logged out; the firewall automatically deletes the associated User-ID mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.
  • Multiple syslog formats—In environments where multiple points of authentication send syslog messages in different formats, it is now easier to collect user mappings from the messages because the firewall can ingest multiple syslog formats from the same syslog sender.
  1. Define custom Syslog Parse profiles so that the firewall filters syslog messages for login and logout events.
     Select Device > User Identification > User Mapping, edit the Palo Alto Networks User-ID Agent Setup, select Syslog Filters, and Add a Syslog Parse profile.
     Each profile identifies either login events or logout events; no single profile can identify both, so define one profile per event type (and per message format):
     • Example of a Syslog Parse profile for login events (screenshot in the original page):
     • Example of a Syslog Parse profile for logout events (screenshot in the original page):
  2. Define the syslog senders that the firewall will monitor for syslog messages.
     Select Device > User Identification > User Mapping and Add syslog senders to the Server Monitoring section. For syslog senders that send messages in multiple formats, Add a Syslog Parse profile for each format. Specify the event type (login or logout) for each profile.
     As a security best practice, select SSL as the connection type when using the PAN-OS integrated User-ID agent to collect user mappings: UDP syslog is neither encrypted nor authenticated, so any host that can reach the listener could spoof login or logout events and thereby create or delete mappings.
  3. Enable syslog listener services in the Interface Management profile associated with the firewall interface used for user mapping.
     Select User-ID Syslog Listener-SSL and/or User-ID Syslog Listener-UDP, based on the connection types you specified for the syslog senders in the previous step.
  4. Commit and verify your changes.
     1. Commit your changes.
     2. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
     3. Verify that the firewall mapped the login username to the client IP address:
        > show user ip-user-mapping ip <ip-address>
        IP address:    192.0.2.1 (vsys1)
        User:          localdomain\username
        From:          SYSLOG
     4. Log out of the client system.
     5. Verify that the firewall deleted the user mapping:
        > show user ip-user-mapping ip <ip-address>
        No matched record
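The following is an added example, not PAN-OS code and not part of the original page: a small Python simulation of what steps 1 through 4 configure. It models a regex-type Syslog Parse profile (event regex, username regex, address regex, one event type per profile), attaches several profiles to one sender so that two message formats are ingested side by side, creates an IP-to-user mapping on a login event and deletes it on the matching logout event, and shows that a message matching no profile leaves the table untouched. The profile names, the regexes, the RADIUS-style and key=value message formats, and every sample syslog line are constructed for this example; the real firewall's matching engine and field semantics are not reproduced, only the behaviour the page describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SyslogParseProfile:
    # Field names mirror the regex-type Syslog Parse profile in the PAN-OS GUI.
    # Assumption for this example: capture group 1 of the username/address regex
    # holds the extracted value.
    name: str
    event_type: str        # "login" or "logout"; one profile identifies only one of them
    event_regex: str       # decides whether the line is an event of this type at all
    username_regex: str    # group 1 = username
    address_regex: str     # group 1 = client IP address

    def parse(self, line: str) -> Optional[Tuple[str, str, str]]:
        """Return (event_type, username, ip) if this profile matches the line."""
        if not re.search(self.event_regex, line):
            return None
        user = re.search(self.username_regex, line)
        addr = re.search(self.address_regex, line)
        if user is None or addr is None:
            return None      # event matched but a field did not: ignore rather than half-map
        return self.event_type, user.group(1), addr.group(1)


class UserMappingTable:
    """IP-to-user table fed by syslog, modelled on the behaviour the page describes."""

    def __init__(self, profiles: List[SyslogParseProfile]) -> None:
        self.profiles = list(profiles)
        self.mappings: Dict[str, str] = {}

    def ingest(self, line: str) -> Optional[Tuple[str, str, str]]:
        # Every profile attached to the sender is tried, so one sender may mix formats.
        for profile in self.profiles:
            parsed = profile.parse(line)
            if parsed is None:
                continue
            event_type, username, ip = parsed
            if event_type == "login":
                self.mappings[ip] = username          # new or refreshed mapping
            else:
                self.mappings.pop(ip, None)           # automatic deletion on logout
            return parsed
        return None                                    # no profile matched: no change

    def lookup(self, ip: str) -> Optional[str]:
        return self.mappings.get(ip)


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Two hypothetical message formats from the same sender: free-text RADIUS style
# and key=value VPN style. Names and regexes are this example's own.
PROFILES = [
    SyslogParseProfile("radius-login", "login",
                       r"RADIUS: User \S+ authenticated",
                       r"User (\S+) authenticated", r"from " + IPV4),
    SyslogParseProfile("radius-logout", "logout",
                       r"RADIUS: Session stopped",
                       r"for user (\S+) at", r"at " + IPV4),
    SyslogParseProfile("kv-login", "login",
                       r"\bevent=LOGIN\b", r"\buser=(\S+)", r"\bsrc=" + IPV4),
    SyslogParseProfile("kv-logout", "logout",
                       r"\bevent=LOGOUT\b", r"\buser=(\S+)", r"\bsrc=" + IPV4),
]

# Constructed sample messages (not captured from a real device).
SAMPLE_SYSLOG = [
    r"<134>Mar 10 10:15:01 nps01 RADIUS: User localdomain\jdoe authenticated from 192.0.2.1",
    "<134>Mar 10 10:20:33 vpn01 event=LOGIN user=asmith src=192.0.2.7",
    r"<134>Mar 10 10:30:00 nps01 RADIUS: Accounting update for user localdomain\jdoe from 192.0.2.1",
    r"<134>Mar 10 11:02:44 nps01 RADIUS: Session stopped for user localdomain\jdoe at 192.0.2.1",
    "<134>Mar 10 11:10:09 vpn01 event=LOGOUT user=asmith src=192.0.2.7",
]


def run_demo() -> List[Tuple[Optional[str], Optional[str]]]:
    """Feed the samples in order; return both clients' mappings after each message."""
    table = UserMappingTable(PROFILES)
    history = []
    for line in SAMPLE_SYSLOG:
        table.ingest(line)
        history.append((table.lookup("192.0.2.1"), table.lookup("192.0.2.7")))
    return history


if __name__ == "__main__":
    for line, state in zip(SAMPLE_SYSLOG, run_demo()):
        print(f"192.0.2.1={state[0]!r:<20} 192.0.2.7={state[1]!r:<10} after: {line[27:]}")
```

The third sample line (an accounting update that is neither a login nor a logout) matches no event regex and leaves both mappings in place, which is the behaviour to aim for when writing the event regex: keep it narrow enough that interim or informational messages never create or delete a mapping. The same discipline applies to the address regex of the logout profile: it must extract the address in exactly the form the login profile did (here a plain IPv4 literal), otherwise the deletion misses and the stale mapping survives, which is the situation the automatic-deletion enhancement exists to prevent.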
