Enable Policy for Users with Multiple Accounts
If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can’t predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.
- Configure a user group for each service that requires distinct access privileges.
  In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
  If your organization already has user groups that can access the services the user requires, simply add the username that is used for the less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user both to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
  If adding a username to a particular existing group would violate your organizational practices, you can instead create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
- Select Device > User Identification > Group Mapping Settings and Add a group mapping configuration with a unique Name.
- Select an LDAP Server Profile and ensure the Enabled check box is enabled.
- Select the Custom Group tab and Add a custom group with network_services as a Name.
- Specify an LDAP Filter that matches an LDAP attribute of the corp_user account (and only that account) and click OK.
- Click OK and Commit.
  Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.
- Configure the rules that control user access based on the groups you just configured.
  For more information, refer to Enable user- and group-based policy enforcement.
- Configure a security rule that allows the corp_employees group to access email.
- Configure a security rule that allows the network_services group to access the MySQL server.
- Configure the ignore list of the User-ID agent.
  This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
  In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules you configured, because corp_user is a member of the groups the rules reference. Be aware that the firewall's logs will likewise attribute traffic from that IP address to corp_user even when the user is working as admin_user.
  If you use the PAN-OS integrated User-ID agent rather than the Windows-based agent, configure the equivalent Ignore User List under Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup instead of the file described below.
- Create an ignore_user_list.txt file.
- Open the file and add admin_user. If you later add more usernames, each must be on a separate line.
- Save the file to the User-ID agent folder on the domain server where the agent is installed.
- Configure endpoint authentication for the restricted services.
  This lets the endpoint itself verify the user's credentials and preserves the ability to grant access to users with multiple usernames. The firewall rule only decides whether the request may reach the server; which account is actually authorized on that server is enforced by the server.
  In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to a username that is not authorized on it (such as corp_user) by prompting the user for the login credentials of an authorized username (admin_user). If the user logged in to the network as admin_user, the user can then access the MySQL server without being prompted for the admin_user credentials again.
  In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.
  The firewall is now ready to enforce rules for a user with multiple usernames.
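The procedure above depends on one invariant: after the ignore list is applied, exactly one of the person's usernames must remain mappable, and that username must be a member of every group referenced by the rules the person needs. The following script is an added example and is not part of the PAN-OS documentation or of any Palo Alto Networks tool. It models the page's scenario (corp_user and admin_user; the groups corp_employees and network_services; an email rule and a MySQL rule) as plain Python data, derives the ignore list from the group memberships, renders the one-username-per-line ignore_user_list.txt content, and reports what goes wrong when the wrong username is ignored or when none is. The group memberships, rule names and the extra accounts jdoe, asmith and dba_svc are constructed sample data.

```python
"""Consistency check for a User-ID ignore list when one person has several accounts.

Added example; not part of the PAN-OS documentation or of any Palo Alto Networks
tool. Group memberships, rule names and the extra accounts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    group: str      # user group the security rule matches on
    service: str    # service (application) the rule allows


# Constructed directory data: group -> member usernames.
GROUP_MEMBERS = {
    "corp_employees": {"corp_user", "jdoe", "asmith"},
    # custom group built from an LDAP filter that matches corp_user
    "network_services": {"corp_user", "dba_svc"},
}

# Constructed rulebase excerpt.
RULES = [
    Rule("allow-email", "corp_employees", "email"),
    Rule("allow-mysql", "network_services", "mysql"),
]

# One person, two accounts, one client IP address.
PERSON_ACCOUNTS = {"corp_user", "admin_user"}
WANTED_SERVICES = {"email", "mysql"}


def required_groups(rules, services):
    """Groups referenced by the rules that allow the services the person needs."""
    return {r.group for r in rules if r.service in services}


def build_ignore_list(accounts, rules, services, members):
    """Split the person's accounts into (ignore, keep), both sorted.

    'keep' holds the usernames that belong to every required group; everything
    else must go into ignore_user_list.txt so the agent can only map the client
    IP address to a kept username.
    """
    groups = required_groups(rules, services)
    keep = {u for u in accounts if all(u in members.get(g, set()) for g in groups)}
    return sorted(set(accounts) - keep), sorted(keep)


def check(accounts, rules, services, members, ignore_list):
    """Return findings for a proposed ignore list; an empty list means it is consistent."""
    findings = []
    groups = required_groups(rules, services)
    mappable = set(accounts) - set(ignore_list)
    if not mappable:
        findings.append("all of the person's usernames are ignored; the IP stays unmapped")
    elif len(mappable) > 1:
        findings.append(
            f"{len(mappable)} usernames still mappable {sorted(mappable)}; "
            "which one the agent maps is unpredictable"
        )
    # Whichever username the agent maps must satisfy every rule the person needs.
    for user in sorted(mappable):
        for group in sorted(groups):
            if user not in members.get(group, set()):
                findings.append(f"{user} is not in {group}; the rule for that group will not match")
    return findings


def render_ignore_file(ignore_list):
    """Content of ignore_user_list.txt for the Windows agent: one username per line."""
    return "".join(f"{u}\n" for u in ignore_list)


if __name__ == "__main__":
    ignore, keep = build_ignore_list(PERSON_ACCOUNTS, RULES, WANTED_SERVICES, GROUP_MEMBERS)
    print("keep:", keep, "ignore:", ignore)
    print("ignore_user_list.txt:\n" + render_ignore_file(ignore), end="")
    # The derived list yields no findings. Ignoring corp_user instead leaves
    # admin_user mapped, which is in neither group, so both rules stop matching.
    for candidate in (ignore, ["corp_user"], []):
        result = check(PERSON_ACCOUNTS, RULES, WANTED_SERVICES, GROUP_MEMBERS, candidate)
        print(candidate, "->", result or "ok")
```

Running the script prints keep ['corp_user'] / ignore ['admin_user'], the one-line file content, and then the findings for the two wrong configurations; the same check can be run against a real agent's ignore_user_list.txt by reading its lines into the ignore_list argument and pulling group memberships from your directory.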