Configure User Mapping Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
- Create an Active Directory service account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
- Define the servers that the firewall will monitor to collect user mapping information. Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system. To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
- Select Device > User Identification > User Mapping.
- Click Add in the Server Monitoring section.
- Enter a Name to identify the server.
- Select the Type of server.
- Microsoft Active Directory
- Microsoft Exchange
- Novell eDirectory
- Syslog Sender
- (Microsoft Active Directory or Microsoft Exchange only) Select the Transport Protocol you want to use to monitor security logs and session information on
If you select a Windows Remote Management (WinRM) option, you must Configure Server Monitoring Using WinRM.
- WMI—The firewall and the monitored servers use Windows Management Instrumentation (WMI) to communicate.
- WinRM-HTTP—The firewall and the monitored servers use Kerberos for mutual authentication and the monitored server encrypts the communication with the firewall using a negotiated Kerberos session key.
- WinRM-HTTPS—The firewall and the monitored servers use HTTPS to communicate and use basic authentication or Kerberos for mutual authentication.
- (Microsoft Active Directory, Microsoft Exchange, or Novell eDirectory only) Enter the Network Address of the server.
- (Syslog Sender only) If you select Syslog Sender as the server Type, Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener.
- (Novell eDirectory only) Make sure the Server Profile you select is Enabled and click OK.
- (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups. The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
- (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query. If the domain controller is processing many requests, delays between queries may exceed the specified value.
- Edit the Palo Alto Networks User ID Agent Setup.
- Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600). Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links. Ensure that the Enable Session setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
- Click OK to save the changes.
- Define the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping. By default, the User-ID agent maps all users accessing the servers you are monitoring. As a best practice, always specify which networks to include and, optionally, which to exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable user mapping on the subnetworks where users internal to your organization are logging in.
- Select Device > User Identification > User Mapping.
- Add an entry to the Include/Exclude Networks and enter a Name for the entry and make sure to keep the Enabled check box selected.
- Enter the Network Address and then select whether to include or exclude it:
- Include—Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
- Exclude—Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8. If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
- Click OK.
- Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
- Edit the Palo Alto Networks User-ID Agent Setup.
- Select the Server Monitor Account tab and enter the User Name and Password for the service account that the User-ID agent will use to probe the clients and monitor servers. Enter the username using the domain\username syntax.
- If you are using WinRM to monitor servers, configure the firewall to authenticate with the server you are monitoring.
- If you want to use WinRM with basic authentication, enable WinRM on the server, configure basic authentication, and specify the service account Domain’s DNS Name.
- If you want to use WinRM with Kerberos, Configure a Kerberos server profile if you have not already done so, then select the Kerberos Server Profile.
- (Optional, not recommended) Configure WMI probing (the PAN-OS integrated User-ID agent does not support NetBIOS probing). Do not enable WMI probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
- On the Client Probing tab, Enable Probing.
- (Optional) Specify the Probe Interval to define the interval (in minutes) between the end of the last probe request and the start of the next request. If necessary, increase the value to ensure the User-ID agent has sufficient time to probe all the learned IP addresses (default is 20, range is 1-1440). If the request load is high, the observed delay between requests might significantly exceed the specified interval.
- Click OK.
- Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
- (Optional) Define the set of user accounts that don't require IP address-to-username mappings, such as kiosk accounts. You can also use the ignore user list to identify users whom you want to force to authenticate using Captive Portal. Select the Ignore User List tab and Add each username to exclude from user mapping. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
- Activate your configuration changes. Click OK and Commit.
- Verify the configuration.
- Access the firewall CLI.
- Enter the following operational command:
> show user server-monitor state all
- On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.
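The Include/Exclude Networks rules and the Ignore User List wildcard rule described above determine which login events actually become mappings. The following added example (not Palo Alto Networks code) models those documented rules so a candidate list can be sanity-checked before commit; the event records and the case-insensitive username comparison are assumptions of the example.

```python
"""Model of the PAN-OS integrated User-ID agent's mapping filters.

Constructed example: reproduces the documented Include/Exclude Networks
semantics and the Ignore User List wildcard rule. Not the agent's code.
"""
import ipaddress


def network_allows(ip, include, exclude):
    """True if the IP lies inside the monitored scope.

    Documented rules:
      * no include entries and no exclude entries -> map every IP (default)
      * exclude entries but no include entries    -> map nothing at all
      * otherwise map only IPs inside an include entry and outside every
        exclude entry (excludes are meant to be subsets of includes)
    strict=False lets an entry such as 10.2.50.0/22 (host bits set) be
    accepted; it is normalized to 10.2.48.0/22, which contains 10.2.50.0.
    """
    addr = ipaddress.ip_address(ip)
    includes = [ipaddress.ip_network(n, strict=False) for n in include]
    excludes = [ipaddress.ip_network(n, strict=False) for n in exclude]
    if not includes:
        return not excludes
    if any(addr in n for n in excludes):
        return False
    return any(addr in n for n in includes)


def ignore_entry_matches(entry, username):
    """Ignore User List entry: exact match, or prefix match when the entry
    ends with '*' (the only position where the wildcard is allowed).
    Usernames are compared case-insensitively here (assumption)."""
    e, u = entry.lower(), username.lower()
    if "*" in e[:-1]:
        raise ValueError("wildcard allowed only as last character: %r" % entry)
    if e.endswith("*"):
        return u.startswith(e[:-1])
    return u == e


def should_map(ip, username, include, exclude, ignore_list):
    """True when the agent would create an IP-to-username mapping."""
    if any(ignore_entry_matches(e, username) for e in ignore_list):
        return False
    return network_allows(ip, include, exclude)


if __name__ == "__main__":
    # Constructed login events using the page's example include/exclude values.
    for ip, user in [("10.1.1.5", "corpdomain\\alice"),
                     ("10.2.51.9", "corpdomain\\bob"),
                     ("10.1.1.7", "corpdomain\\it-admin2")]:
        print(ip, user, should_map(ip, user, ["10.0.0.0/8"], ["10.2.50.0/22"],
                                   ["corpdomain\\it-admin*"]))
```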