Ports Used for User-ID
User-ID is a feature that maps user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents run on systems external to the firewall, they must be able to connect to the firewall to deliver the IP address to username mappings. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections. Each entry names which component opens the connection and which one must be listening, so you know from which side to open a firewall rule or verify reachability.
Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.
Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.
Port the User-ID agent listens on for authentication syslog messages if you Configure User-ID to Monitor Syslog Senders for User Mapping. The port depends on the type of agent and protocol:
Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.
Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API.
Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.
Port the User-ID agent uses to authenticate to a RADIUS server.
Port the User-ID agent uses to authenticate to a TACACS+ server.
Port the User-ID agent uses to establish TCP-based WMI connections to the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a dynamically allocated port in the 49152-65535 range, and the agent uses that connection to make RPC queries for security logs and session tables on Exchange Server or AD servers. Any firewall between the agent and the server must therefore allow the dynamic range as well as this port. This is also the port used to access Terminal Services.
The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.
Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).
Port the User-ID agent uses to establish TCP-based SMB connections to the Active Directory (AD) server to access user logon information (print spooler and Net Logon).
Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTP.
Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTPS.
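The flows above only work if the right component can reach the right listener, so the practical check is a reachability test run from the component that opens each connection. The following script is an added example, not code from the original page or from Palo Alto Networks: it encodes the directory-facing flows described above as a list of (source role, destination role, protocol, port) entries and tests the TCP ones with a plain connect. The port numbers it uses are the standard protocol defaults assumed for illustration (LDAPS 636, global catalog over SSL 3269, Kerberos 88, RADIUS 1812, TACACS+ 49, RPC Endpoint Mapper 135, NetBIOS session 139, SMB 445, WinRM 5985/5986); product-specific listeners such as the agent's own ports are not included, and the product's port table is authoritative for all of them. The role names, `userid_flows`, `check_flows` and `local_listener` are this example's own inventions.

```python
"""Reachability check for the User-ID communication paths described above.

Run from the component that opens each connection (the firewall for group
mapping, the User-ID agent for server monitoring and authentication) and give
it the hosts that play each destination role.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# The RPC Endpoint Mapper hands the agent a port in this range for the WMI
# session, so rules between agent and server must allow it in addition to 135.
RPC_DYNAMIC_RANGE = (49152, 65535)


@dataclass(frozen=True)
class Flow:
    """One User-ID communication path: who connects to whom, over what."""
    name: str
    src: str    # component that opens the connection
    dst: str    # role of the host that must be listening
    proto: str  # "tcp" or "udp"
    port: int


def userid_flows() -> List[Flow]:
    # Standard protocol ports assumed for illustration (see lead-in).
    return [
        Flow("LDAP over SSL (group mapping)", "firewall", "ldap-server", "tcp", 636),
        Flow("LDAPS to AD global catalog (group mapping)", "firewall", "global-catalog", "tcp", 3269),
        Flow("Kerberos (UDP first)", "userid-agent", "kdc", "udp", 88),
        Flow("Kerberos (TCP fallback)", "userid-agent", "kdc", "tcp", 88),
        Flow("RADIUS authentication", "userid-agent", "radius", "udp", 1812),
        Flow("TACACS+ authentication", "userid-agent", "tacacs", "tcp", 49),
        Flow("RPC Endpoint Mapper (WMI)", "userid-agent", "ad-server", "tcp", 135),
        Flow("NetBIOS session (RPC security-log queries)", "userid-agent", "ad-server", "tcp", 139),
        Flow("SMB (print spooler, Net Logon)", "userid-agent", "ad-server", "tcp", 445),
        Flow("WinRM over HTTP", "userid-agent", "ad-server", "tcp", 5985),
        Flow("WinRM over HTTPS", "userid-agent", "ad-server", "tcp", 5986),
    ]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: List[Flow], targets: Dict[str, str], src_role: str,
                timeout: float = 2.0) -> Dict[str, Optional[bool]]:
    """Test every flow opened by src_role whose destination role is in targets.

    UDP flows cannot be verified by a bare connect (nothing is sent, nothing
    answers), so they are reported as None; test those with a real request,
    for example a Kerberos AS-REQ, rather than assuming the path is open.
    """
    results: Dict[str, Optional[bool]] = {}
    for f in flows:
        if f.src != src_role or f.dst not in targets:
            continue
        if f.proto != "tcp":
            results[f.name] = None
            continue
        results[f.name] = tcp_reachable(targets[f.dst], f.port, timeout)
    return results


def in_rpc_dynamic_range(port: int) -> bool:
    """Whether a port observed after the Endpoint Mapper exchange is expected."""
    lo, hi = RPC_DYNAMIC_RANGE
    return lo <= port <= hi


def local_listener():
    """Throwaway TCP listener on an ephemeral loopback port, used to exercise
    the checker without any real directory server. Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical hostnames for a run from the User-ID agent host.
    targets = {"ad-server": "dc01.example.internal", "kdc": "dc01.example.internal"}
    for name, ok in check_flows(userid_flows(), targets, "userid-agent").items():
        status = "untested (udp)" if ok is None else ("open" if ok else "BLOCKED")
        print(f"{status:15} {name}")
```

Run it once from the agent host with the AD/Exchange server names, and once from the firewall (or from a host on the same segment) with the LDAP and global-catalog names; a `BLOCKED` line points at the exact rule to fix. Remember that the RPC path is only half-verified by port 135: the dynamic range check above is what confirms the follow-on port is one your rules allow.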