- DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupServer Monitor
To enable the User-ID agent to map IP addresses to usernames by searching for logon events in the security event logs of servers, configure the settings described in the following table.
If the query load is high for Windows server logs, Windows server sessions, or eDirectory servers, the observed delay between queries might significantly exceed the specified frequency or interval.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides configuring the server monitoring settings.
Server Monitoring Settings
Enable Security Log
Select this option to enable security log monitoring on Windows servers.
Server Log Monitor Frequency (sec)
Specify the frequency in seconds at which the firewall will query Windows server security logs for user mapping information (range is 1-3600; default is 2). This is the interval between when the firewall finishes processing the last query and when the firewall sends the next query.
If the log monitoring doesn’t happen often enough, the latest IP-address-to-user mapping may not be available. If the firewall monitors logs too frequently, that may impact the domain controller, memory, CPU, and User-ID policy enforcement. Start with a value in a range of 2-30 seconds, then revise the value based on performance impact or how often user mappings are updated.
Select this option to enable monitoring of user sessions on the monitored servers. Each time a user connects to a server, a session is created; the firewall can use this information to identify the user IP address.
Enable Session. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, you should use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of only Windows operating systems), such as wireless controllers and NACs.
Server Session Read Frequency (sec)
Specify the frequency in seconds at which the firewall will query Windows server user sessions for user mapping information (range is 1-3600; default is 10). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Novell eDirectory Query Interval (sec)
Specify the frequency in seconds at which the firewall will query Novell eDirectory servers for user mapping information (range is 1-3600; default is 30). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Syslog Service Profile
Select an SSL/TLS service profile that specifies the certificate and allowed SSL/TLS versions for communications between the firewall and any syslog senders that the User-ID agent monitors. For details, see Device > Certificate Management > SSL/TLS Service Profile and Syslog Filters. If you select
none, the firewall uses its predefined, self-signed certificate.
Configure User Mapping Using the PAN-OS Integrated User-ID ...
Configure User Mapping Using the PAN-OS Integrated User-ID Agent The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for ...
Configure the Windows-Based User-ID Agent for User Mapping
Configure the Windows-Based User-ID Agent for User Mapping The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network—for ...
Map IP Addresses to Users
Map IP Addresses to Users User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your ...
Server Monitoring With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent ...
Monitor Servers Device > User Identification > User Mapping Use the Server Monitoring section to define the Microsoft Exchange Servers, Active Directory (AD) domain controllers, ...
Windows Log Forwarding and Global Catalog Servers
Windows Log Forwarding and Global Catalog Servers Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor ...
Create a Dedicated Service Account for the User-ID Agent
Create a Dedicated Service Account for the User-ID Agent To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as ...
Palo Alto Networks User-ID Agent Setup
These settings define the methods that the User-ID agent uses to perform user mapping. ...
Client Probing Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup Client Probing You can configure the User-ID agent to perform WMI client ...