Configure Server Monitoring Using WinRM

To map users to IP addresses based on login/logout events, you can configure the PAN-OS integrated User-ID agent to monitor servers using WinRM.
You can configure the PAN-OS integrated User-ID agent to monitor servers using Windows Remote Management (WinRM). Using the WinRM protocol greatly improves speed, efficiency, and security when monitoring server events to map user events to IP addresses. The PAN-OS Integrated User-ID agent supports the WinRM protocol on Windows Server 2008 Active Directory or Microsoft Exchange Server 2008 or later.
There are three ways to configure server monitoring using WinRM:

Configure WinRM over HTTPS with Basic Authentication

When you configure WinRM to use HTTPS with basic authentication, the firewall transfers the credentials for the service account in a secure tunnel using SSL.
  1. Configure the service account with Remote Management User and CIMV2 privileges for the server you want to monitor.
  2. On the Windows server you are monitoring, obtain the thumbprint from the certificate for the Windows server to use with WinRM and enable WinRM.
    The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
    1. Verify the certificate is installed in the Local Computer certificate store (
      Certificates (Local Computer)
      Personal
      Certificates
      )
      If you do not see the Local Computer certificate store, launch the Microsoft Management Console (
      Start
      Run
      MMC
      ) and add the Certificates snap-in (
      File
      Add/Remove Snap-in
      Certificates
      Add
      Computer account
      Next
      Finish
      ).
    2. Open the certificate and select
      General
      Details
      Show: <All>
      , select the
      Thumbprint
      and copy it.
    3. To enable the firewall to connect to the Windows server using WinRM, enter the following command:
      winrm quickconfig
      , then enter
      y
      to confirm the changes and confirm the output displays
      WinRM service started
      .
      If WinRM is enabled, the output displays
      WinRM service is already running on this machine.
      You will be prompted to confirm any additional required configuration changes.
    4. To verify that WinRM is communicating using HTTPS, enter the following command:
      winrm enumerate winrm/config/listener
      and confirm that the output displays
      Transport = HTTPS
      .
      By default, WinRM/HTTPS uses port 5986.
    5. From the Windows server command prompt, enter the following command:
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=”
      <hostname>
      ";CertificateThumbprint=”
      Certificate Thumbprint
      "}
      , where
      hostname
      is the hostname of the Windows server and
      Certificate Thumbprint
      is the value you copied from the certificate.
      Make sure you are using the command prompt and not Powershell and that you remove any spaces in the Certificate Thumbprint to ensure that WinRM will be able to validate the certificate.
    6. From the Windows server command prompt, enter the following command:
      c:\> winrm set winrm/config/client/auth @{Basic="true"}
    7. Enter the following command:
      winrm get winrm/config/service/Auth
      and confirm that
      Basic = true
      .
  3. Enable Basic Authentication between the PAN-OS integrated User-ID agent and the monitored servers.
    1. Select
      Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      Server Monitor Account
      .
    2. In
      domain\username
      format, enter the
      User Name
      for the service account that the User-ID agent will use to monitor servers.
    3. Enter the
      Domain’s DNS Name
      of the server monitor account.
    4. Enter the
      Password
      and
      Confirm Password
      for the service account, then click
      OK
      .
      user-id-agent-setup-server-monitor-account-domain-dns-name.png
  4. Configure server monitoring for the PAN-OS integrated User-ID agent.
    1. Select the Microsoft server
      Type
      (
      Microsoft Active Directory
      or
      Microsoft Exchange
      ).
    2. Select
      Win-RM-HTTPS
      as the
      Transport Protocol
      to use Windows Remote Management (WinRM) over HTTPS to monitor the server’s security logs and session information.
    3. Enter the IP address or FQDN
      Network Address
      of the server.
      user-id-monitored-server-add-winrm-https.png
  5. To enable the PAN-OS integrated User-ID agent to communicate with the monitored servers using WinRM-HTTPS, verify that you have imported the root certificate for the service certificates that the Windows server uses for WinRM onto the firewall and associate it with the User-ID Certificate Profile.
    1. Select
      Device
      User Identification
      Connection Security
      and click
      Edit
      .
    2. Select the Windows server certificate to use for the
      User-ID Certificate Profile
      , then click
      OK
      .
      user-id-connection-security.png
  6. Commit
    your changes.
  7. Verify that the status of each monitored server is Connected (
    Device
    User Identification
    User Mapping
    ).

Configure WinRM over HTTP with Kerberos

When you configure WinRM over HTTP with Kerberos, the firewall and the monitored servers use Kerberos for mutual authentication, and the monitored server encrypts the communication with the firewall using a negotiated Kerberos session key.
WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor.
  1. Configure the service account with Remote Management User and CIMV2 privileges for the server you want to monitor.
  2. Confirm that WinRM is enabled on the Windows server you are monitoring.
    The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
    1. To enable the firewall to connect to the Windows server using WinRM, enter the following command:
      winrm quickconfig
      , then enter
      y
      to confirm the changes and confirm the output displays
      WinRM service started
      .
      If WinRM is enabled, the output displays
      WinRM service is already running on this machine.
      You will be prompted to confirm any additional required configuration changes.
    2. To verify that WinRM is communicating using HTTP, enter the following command:
      winrm enumerate winrm/config/listener
      and confirm that the output displays
      Transport = HTTP
      .
      By default, WinRM/HTTP uses port 5985.
    3. Enter the following command:
      winrm get winrm/config/service/Auth
      and confirm that
      Kerberos = true
      .
  3. Enable the PAN-OS integrated User-ID agent and the monitored servers to authenticate using Kerberos.
    1. If you did not do so during the initial configuration, make sure you have configured date and time (NTP) settings to ensure successful Kerberos negotiation.
    2. Configure a Kerberos server profile on the firewall to authenticate with the server to monitor the security logs and session information.
    3. Select
      Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      Server Monitor Account
      .
    4. In
      domain\username
      format, enter the
      User Name
      for the service account that the User-ID agent will use to monitor servers.
    5. Enter the
      Domain’s DNS Name
      of the server monitor account.
      Kerberos uses the domain name to locate the service account.
    6. Enter the
      Password
      and
      Confirm Password
      for the service account.
    7. Select the
      Kerberos Server Profile
      you created in Step 3.2 and click
      OK
      .
      user-id-agent-setup-server-monitor-account.png
  4. Configure server monitoring for the PAN-OS integrated User-ID agent.
    1. Configure the Microsoft server type (
      Microsoft Active Directory
      or
      Microsoft Exchange
      ).
    2. Select
      WinRM-HTTP
      as the
      Transport Protocol
      to use Windows Remote Management (WinRM) over HTTP to monitor the server’s security logs and session information.
    3. Enter the FQDN
      Network Address
      of the server.
      If you are using Kerberos, the network address must be a fully qualified domain name (FDQN).
      user-id-monitored-server-add-winrm-http.png
  5. Commit
    your changes.
  6. Verify that the status of each monitored server is Connected (
    Device
    User Identification
    User Mapping
    ).

Configure WinRM over HTTPS with Kerberos

When you configure WinRM over HTTPS with Kerberos, the firewall and the monitored server use HTTPS to communicate and use Kerberos for mutual authentication.
WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor.
  1. Configure the service account with Remote Management User and CIMV2 privileges for the server you want to monitor.
  2. On the Windows server you are monitoring, obtain the thumbprint from the certificate for the Windows server to use with WinRM and enable WinRM.
    The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
    1. Verify the certificate is installed in the Local Computer certificate store (
      Certificates (Local Computer)
      Personal
      Certificates
      ).
      If you do not see the Local Computer certificate store, launch the Microsoft Management Console (
      Start
      Run
      MMC
      ) and add the Certificates snap-in (
      File
      Add/Remove Snap-in
      Certificates
      Add
      Computer account
      Next
      Finish
      ).
    2. Open the certificate and select
      General
      Details
      Show: <All>
      , select the
      Thumbprint
      and copy it.
    3. To enable the firewall to connect to the Windows server using WinRM, enter the following command:
      winrm quickconfig
      , then enter
      y
      to confirm the changes and confirm the output displays
      WinRM service started
      .
      If WinRM is enabled, the output displays
      WinRM service is already running on this machine.
      You will be prompted to confirm any additional required configuration changes.
    4. To verify that WinRM is communicating using HTTPS, enter the following command:
      winrm enumerate winrm/config/listener
      and confirm that the output displays
      Transport = HTTPS
      .
      By default, WinRM/HTTPS uses 5986.
    5. From the Windows server command prompt, enter the following command:
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=”
      <hostname>
      ";CertificateThumbprint=”
      Certificate Thumbprint
      "}
      ,
      hostname
      is the hostname of the Windows server and
      Certificate Thumbprint
      is the value you copied from the certificate.
      Make sure you are using the command prompt and not Powershell and that you remove any spaces in the Certificate Thumbprint to ensure that WinRM will be able to validate the certificate.
    6. Enter the following command:
      winrm get winrm/config/service/Auth
      and confirm that
      Basic = false
      and
      Kerberos= true
      .
  3. Enable the PAN-OS integrated User-ID agent and the monitored servers to authenticate using Kerberos.
    1. If you did not do so during the initial configuration, make sure you have configured date and time (NTP) settings to ensure successful Kerberos negotiation.
    2. Configure a Kerberos server profile on the firewall to authenticate with the server to monitor the security logs and session information.
    3. Select
      Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      Server Monitor Account
      .
    4. In
      domain\username
      format, enter the
      User Name
      for the service account that the User-ID agent will use to monitor servers.
    5. Enter the
      Domain’s DNS Name
      of the server monitor account.
      Kerberos uses the domain name to locate the service account.
    6. Enter the
      Password
      and
      Confirm Password
      for the service account.
    7. Select the
      Kerberos Server Profile
      you created in Step 3.2 and click
      OK
      .
      user-id-agent-setup-server-monitor-account.png
  4. Configure server monitoring for the PAN-OS integrated User-ID agent.
    1. Configure the Microsoft server type (
      Microsoft Active Directory
      or
      Microsoft Exchange
      ).
    2. Select
      Win-RM-HTTPS
      as the
      Transport Protocol
      to use Windows Remote Management (WinRM) over HTTPS to monitor the server’s security logs and session information.
    3. Enter the FQDN
      Network Address
      of the server.
      If you are using Kerberos, the network address must be a fully qualified domain name (FDQN).
      user-id-monitored-server-add-winrm-https.png
  5. To enable the PAN-OS integrated User-ID agent to communicate with the monitored servers using WinRM-HTTPS, verify that you have imported the root certificate for the service certificates that the Windows server uses for WinRM onto the firewall and associate it with the User-ID Certificate Profile.
    The firewall uses the same certificate to authenticate with all monitored servers.
    1. Select
      Device
      User Identification
      Connection Security
      and click
      Edit
      .
    2. Select the Windows server certificate to use for the
      User-ID Certificate Profile
      , click
      OK
      , and
      Commit
      your changes.
      user-id-connection-security.png
  6. Verify that the status of each monitored server is Connected (
    Device
    User Identification
    User Mapping
    ).

Related Documentation