Configure User Mapping Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
  1. Create an Active Directory service account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
  2. Define the servers that the firewall will monitor to collect user mapping information.
    Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
    To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
    1. Select
      Device
      User Identification
      User Mapping
      .
    2. Click
      Add
      in the Server Monitoring section.
    3. Enter a
      Name
      to identify the server.
    4. Select the
      Type
      of server.
    5. Enter the
      Network Address
      (an FQDN or IP address) of the server.
      To monitor servers, specify an IP address, the service account name (if all server monitoring is in the same domain), or a fully qualified domain name (FQDN). If you specify an FQDN, use the down-level logon name (DLN)\sAMAccountName format instead of the FQDN\sAMAccountName format. For example, use
      example\user.services
      not
      example.com\user.services
      .
    6. Make sure the server profile is
      Enabled
      and click
      OK
      .
    7. (
      Optional
      ) Click
      Discover
      if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
      The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
    8. (
      Optional
      ) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
      If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
      1. Edit the Palo Alto Networks User ID Agent Setup.
      2. Select the
        Server Monitor
        tab and specify the
        Server Log Monitor Frequency
        in seconds (default is 2, range is 1-3600). Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
        Ensure that the
        Enable Session
        setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
      3. Click
        OK
        to save the changes.
  3. Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
    By default, the User-ID maps all users accessing the servers you are monitoring.
    As a best practice, always specify which networks to include and, optionally, to exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable user mapping on the subnetworks where users internal to your organization are logging in.
    1. Select
      Device
      User Identification
      User Mapping
      .
    2. Add
      an entry to the Include/Exclude Networks and enter a
      Name
      for the entry and make sure to keep the
      Enabled
      check box selected.
    3. Enter the
      Network Address
      and then select whether to include or exclude it:
      • Include
        —Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
      • Exclude
        —Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8.
        If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
    4. Click
      OK
      .
  4. Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
    1. Edit the Palo Alto Networks User ID Agent Setup.
    2. Select the
      WMI Authentication
      tab and enter the
      User Name
      and
      Password
      for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the username using the domain\username syntax.
  5. (
    Optional, not recommended
    ) Configure WMI probing (the PAN-OS integrated User-ID agent does not support NetBIOS probing).
    Do not enable WMI probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
    1. Select the
      Client Probing
      tab and select the
      Enable Probing
      check box.
    2. (
      Optional
      ) Modify the
      Probe Interval
      (in minutes) if necessary to ensure it is long enough for the User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the interval between the end of the last probe request and the start of the next request.
      If the request load is high, the observed delay between requests might significantly exceed the specified interval.
    3. Click
      OK
      .
    4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
  6. (
    Optional
    ) Define the set of users for which you don’t require IP address-to-username mappings, such as kiosk accounts.
    Define the ignore user list on the firewall that is the User-ID agent, not the client. If you define the ignore user list on the client firewall, the users in the list are still mapped during redistribution.
    Select the
    Ignore User List
    tab and
    Add
    each username to exclude from user mapping. You can also use the ignore user list to identify users whom you want to force to authenticate using Captive Portal. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example,
    corpdomain\it-admin*
    would match all administrators in the
    corpdomain
    domain whose usernames start with the string
    it‑admin
    . You can add up to 5,000 entries to exclude from user mapping.
  7. Activate your configuration changes.
    Click
    OK
    and
    Commit
    .
  8. Verify the configuration.
    1. Enter the following operational command:
      >
      show user server-monitor state all
    2. On the
      Device
      User Identification
      User Mapping
      tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.

Related Documentation