Configure Access to Monitored Servers
Use the Server Monitoring section to Add server profiles that specify the servers (up to 100) the firewall will monitor.
Configure at least two User-ID monitored servers so if a server goes down, the firewall can still learn user-to-IP-address mappings.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides creating server profiles.
Server Monitoring Settings
Enter a name for the server.
Enter a description of the server.
Select this option to enable log monitoring for this server.
Select the server type. Your selection determines which other fields this dialog displays.
Enter the server IP address or FQDN. This option doesn’t apply if the Type is Novell eDirectory.
(Novell eDirectory only)
Select an LDAP server profile for connecting to the Novell eDirectory server (Device > Server Profiles > LDAP).
(Syslog Sender only)
Select whether the User-ID agent listens for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile you select when you enable Server Monitoring determines which SSL/TLS versions are allowed and the certificate that the firewall uses to secure a connection to the syslog sender.
As a security best practice, select SSL when using the PAN-OS integrated User-ID agent to map IP addresses to usernames. If you select UDP, ensure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
(Syslog Sender only)
If the server Type is Syslog Sender, then Add one or more Syslog Parse profiles to use for extracting usernames and IP addresses from the syslog messages received from this server. You can add a custom profile (see Syslog Filters) or a predefined profile. For each profile, set the Event Type:
If you add a predefined Syslog Parse profile, check its name to determine whether it is intended to match login or logout events.
Default Domain Name
(Optional) If the server Type is Syslog Sender, enter a domain name to override the current domain name in the username of your syslog message or prepend the domain to the username if your syslog message doesn’t contain a domain.
Configure the PAN-OS Integrated User-ID Agent as a Syslog L...
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener To configure the PAN-OS Integrated User-ID agent to create new user mappings and remove outdated ...
Configure the Windows User-ID Agent as a Syslog Listener
Configure the Windows User-ID Agent as a Syslog Listener To configure the Windows-based User-ID agent to create new user mappings and remove outdated mappings through ...
Monitor Servers Device > User Identification > User Mapping Use the Server Monitoring section to define the Microsoft Exchange Servers, Active Directory (AD) domain controllers, ...
Server Monitoring Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup Server Monitor To enable the User-ID agent to map IP addresses to ...
Syslog Filters Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup Syslog Filters The User-ID agent uses Syslog Parse profiles to filter syslog ...
Configure the Windows-Based User-ID Agent for User Mapping
Configure the Windows-Based User-ID Agent for User Mapping The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network—for ...
Syslog Your environment might have existing network services that authenticate users. These services include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and ...
Configure User-ID to Monitor Syslog Senders for User Mappin...
Configure User-ID to Monitor Syslog Senders for User Mapping To obtain IP address-to-username mappings from existing network services that authenticate users, you can configure the ...
Server Monitoring With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent ...