Configure Access to User-ID Agents

Each firewall and Panorama management server can connect to a maximum of 100 User-ID agents or User-ID redistribution points (or a mixture of both). To add a connection, click Add and complete the following fields.
User-ID Agent Settings
Description
Name
Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
For a firewall or virtual system serving as a redistribution point, this field does not have to match the Collector Name field.
Add an Agent Using
(Firewall only)
Select how the firewall identifies the User-ID agent or redistribution point:
  • Serial Number—Select this option for a Panorama management server that redistributes User-ID mappings.
  • Host and Port—Select this option for Windows-based User-ID agents or for firewalls, virtual systems, and Log Collectors that redistribute User-ID mappings.
Serial Number (Firewall only)
Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama (panorama2).
You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall.
Host
  • Windows-based User-ID agents—Enter the IP address of the Windows host on which the User-ID agent is installed.
  • Firewall (PAN-OS integrated User-ID agent)—Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings. For the MGT interface, you can enter a hostname instead of the IP address.
  • Log Collectors that redistribute user mappings—Enter the hostname or IP address of the interface that the Log Collector uses to send user mappings.
Port
Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007 but you can specify any available port and different User-ID agents can use different ports.
The default port for some earlier versions of the User-ID agent is 2010.
Collector Name
Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. Enter the same values as when you configured the firewall or virtual system to redistribute user mappings (see Redistribution).
The collector these fields refer to is the User-ID agent, not a Log Collector, and the fields are configurable only when the agent is a firewall or virtual system.
Collector Pre-shared Key / Confirm Collector Pre-shared key
Use as LDAP Proxy
(Firewall only)
Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly.
Use for NTLM Authentication
(Firewall only)
Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication TechDocs_logo_cropped.png when a client web request matches an Authentication policy rule. The User-ID agent monitors the domain controller for user mapping information and forwards the information to the firewall. To use this option, you must also enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly.
Configure Authentication rules to use Kerberos single sign-on TechDocs_logo_cropped.png instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
Enabled
Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point.

Related Documentation