Configure User-ID for Numerous Mapping Information Sources
- Configure Windows Log Forwarding on the member servers that will collect login events (see Configure Windows Log Forwarding). This step requires administrative privileges to configure group policies on the Windows servers.
- Install the Windows-based User-ID agent (see Install the Windows-Based User-ID Agent) on a Windows server that can reach the member servers. The system that hosts the User-ID agent must be a member of the same domain as the servers it will monitor.
- Configure the User-ID agent to collect user mapping information
from the member servers.
- Start the Windows-based User-ID agent.
- Select User Identification > Discovery and perform the following
steps for each member server that will receive events from domain controllers:
- In the Servers section, click Add and enter a Name to identify the member server.
- In the Server Address field, enter the FQDN or IP address of the member server.
- For the Server Type, select Microsoft Active Directory.
- Click OK to save the server entry.
- Configure the remaining User-ID agent settings: see Configure the Windows-Based User-ID Agent for User Mapping.
- If the User-ID sources provide usernames in multiple
formats, specify the format for the Primary Username when
you Map Users to Groups. The primary username is the username that identifies the user on the firewall and represents the user in reports and logs, regardless of the format that the User-ID source provides.
- Configure an LDAP server profile to specify how the firewall connects to the
Global Catalog servers (up to four) for group mapping information. To improve availability, use at least two Global Catalog servers for redundancy. You can collect group mapping information only for universal groups, not domain local groups.
- Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
- In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (Start TLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
- In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
- For the Type, select active-directory.
- Configure the remaining fields as necessary: see Add an LDAP server profile.
- Configure an LDAP server profile to specify how the firewall
connects to the servers (up to four) that contain domain mapping
information. User-ID uses this information to map DNS domain names to NetBIOS domain names, which ensures consistent domain/username references in policy rules. To improve availability, use at least two servers for redundancy. The steps are the same as for the LDAP server profile you created for the Global Catalog servers in Step 4, except for the following fields:
- LDAP Server—Enter the IP address of the domain controller that contains the domain mapping information.
- Port—For a plaintext or Start TLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
- Base DN—Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string: cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).
- Create a group mapping configuration for each LDAP server
profile you created.
- Select Device > User Identification > Group Mapping Settings.
- Click Add and enter a Name to identify the group mapping configuration.
- Select the LDAP Server Profile and ensure the Enabled check box is selected.
- Configure the remaining fields as necessary: see Map
Users to Groups. If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
- Click OK and Commit.
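The Windows-side preparation and checks for the procedure above, as an added example that is not part of this page or of Palo Alto Networks' own tooling. It bootstraps the Windows Event Forwarding subscription on the member server that the User-ID agent will monitor (Steps 1 to 3), then queries the domain controller and Global Catalog for exactly what the two LDAP server profiles will read (Steps 4 and 5): the crossRef objects under cn=partitions that carry the DNS-to-NetBIOS mapping, the universal groups visible on port 3268, and the certificate presented on port 3269. The hostnames wec01/dc01/gc01.acbdomain.com, the subscription name UserID-Logons, and the event ID set are assumptions; run it from an elevated PowerShell session with the ActiveDirectory module installed.

```powershell
# Added example, not from the Palo Alto Networks page. Assumed names:
# collector (member server) wec01.acbdomain.com, domain controller dc01.acbdomain.com,
# Global Catalog gc01.acbdomain.com, domain acbdomain.com.

# ---- Steps 1-3: Windows Log Forwarding on the collector the User-ID agent will monitor ----

# Enable the Windows Event Collector service and a WinRM listener on the collector.
wecutil qc /q
winrm quickconfig -q

# Source-initiated subscription: domain controllers (SDDL 'DD' = Domain Controllers) push
# only the logon-related Security events the User-ID agent reads: 4624 (logon),
# 4768/4769 (Kerberos TGT / service ticket), 4770 (ticket renewal). Events land in the
# collector's ForwardedEvents log. Single-quoted here-string, so nothing is expanded.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>UserID-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Domain controller logon events for the User-ID agent</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4770)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'UserID-Logons.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath

# Confirm the subscription exists and, once the DCs have checked in, list their status.
wecutil gs UserID-Logons
wecutil gr UserID-Logons

# The domain controllers still need, via GPO, "Configure target Subscription Manager" set to
#   Server=http://wec01.acbdomain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and read access to their Security log for NETWORK SERVICE (Event Log Readers membership
# or the "Configure log access" policy); that part is outside this script.

# ---- Steps 4-5: confirm what the firewall's two LDAP server profiles will find ----
Import-Module ActiveDirectory
$dc = 'dc01.acbdomain.com'
$gc = 'gc01.acbdomain.com'

# Domain-mapping profile: Base DN must be cn=partitions under the configuration partition.
$partitionsDN = "CN=Partitions,$((Get-ADRootDSE -Server $dc).configurationNamingContext)"
Write-Host "Domain-mapping Base DN: $partitionsDN"

# Each domain is a crossRef with systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN); its
# dnsRoot/nETBIOSName pair is the DNS-to-NetBIOS mapping User-ID builds from this profile.
Get-ADObject -Server $dc -SearchBase $partitionsDN -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' `
    -Properties dnsRoot, nETBIOSName |
    Select-Object dnsRoot, nETBIOSName

# Group-mapping profile: the Global Catalog (port 3268) is queried for universal groups;
# groups with any other scope will not be mapped through this profile.
Get-ADGroup -Server "${gc}:3268" -SearchBase 'DC=acbdomain,DC=com' `
    -Filter 'GroupScope -eq "Universal"' |
    Select-Object Name, GroupScope, DistinguishedName

# If the profile uses LDAP over SSL (port 3269), the certificate must chain to a CA the
# firewall trusts; AuthenticateAsClient throws if the chain does not validate on this host.
$tcp = New-Object System.Net.Sockets.TcpClient($gc, 3269)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($gc)
    $ssl.RemoteCertificate | Select-Object Subject, Issuer, NotAfter
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

If the crossRef query returns a domain whose nETBIOSName you do not expect in policy rules, that is the domain-mapping profile doing its job; if the universal-group query comes back empty while the groups exist as global or domain local, convert the groups or add them through a Custom Group rather than expecting the Global Catalog profile to resolve them.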