End-of-Life (EoL)
WinRM Support for Server Monitoring
The PAN-OS integrated User-ID agent can connect to Microsoft Active Directory and Exchange servers using the lightweight Windows Remote Management (WinRM) protocol.

To map usernames from login and logout events to IP addresses, the PAN-OS® integrated User-ID™ agent can now use the lightweight Windows Remote Management (WinRM) protocol to monitor Active Directory and Microsoft Exchange servers running Windows Server 2008 and later. Using the WinRM protocol significantly improves speed, efficiency, and security when monitoring server events to map usernames to IP addresses.

There are three ways to configure server monitoring using WinRM:
- Configure WinRM over HTTPS with Basic Authentication—The firewall authenticates to the monitored server using the username and password of the service account for the User-ID agent, and the firewall authenticates the monitored server using the User-ID certificate profile.
- Configure WinRM over HTTP with Kerberos—The firewall and the monitored servers use Kerberos for mutual authentication, and the monitored server encrypts the communication with the firewall using a negotiated Kerberos session key.
- Configure WinRM over HTTPS with Kerberos—The firewall and the monitored server use HTTPS to communicate and use Kerberos for mutual authentication.

The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
- Configure the service account with Remote Management User and CIMV2 privileges.
- Enable WinRM on the Windows server.
  WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If you want to authenticate using Kerberos and the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor.
  - To open the ports on the Windows server for WinRM connections, enter the following command:
    winrm quickconfig
    and then enter y to confirm the changes. Then confirm that the output displays "WinRM service started." If WinRM is already enabled, the output displays "WinRM service is already running on this machine." and you are prompted to confirm any additional required configuration changes.
  - Verify that WinRM communicates using the correct protocol by entering the following command:
    winrm enumerate winrm/config/listener
    - For HTTP, confirm that the output displays Transport = HTTP.
    - For HTTPS, confirm that the output displays Transport = HTTPS.
- (HTTPS only) Configure the server thumbprint to authenticate the server with the firewall.
  - Verify the certificate is installed in the Local Computer certificate store (Certificates (Local Computer) > Personal > Certificates).
  - Open the certificate, switch from the General tab to the Details tab, set Show to <All>, select Thumbprint, and copy the value.
  - From the Windows server command prompt, enter the following command:
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>";CertificateThumbprint="<Certificate Thumbprint>"}
    where <hostname> is the monitored server and <Certificate Thumbprint> is the value you copied from the certificate. Make sure to remove any spaces from the Certificate Thumbprint so that WinRM can validate the certificate.
- Specify the authentication type and verify successful authentication between the server and the firewall.
  - For HTTPS with basic authentication, from the Windows server command prompt, enter the following commands:
    c:\> winrm set winrm/config/client/auth '@{Basic="true"}'
    c:\> winrm get winrm/config/service/Auth
    Confirm that Basic = true.
  - For HTTPS with Kerberos authentication, from the Windows server command prompt, enter the following command:
    winrm get winrm/config/service/Auth
    Confirm that Basic = false and Kerberos = true.
- Enable authentication between the PAN-OS integrated User-ID agent and the Windows servers you plan to monitor using WinRM.
  - From the firewall web interface, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.
  - In domain\username format, enter the User Name for the service account that the User-ID agent will use to monitor servers.
  - Enter the Domain's DNS Name of the server monitor account. If you are authenticating using Kerberos, Kerberos uses the domain name to locate the service account.
  - Enter the Password and Confirm Password for the service account and then click OK.
- (Kerberos only) Configure the firewall to authenticate with the Windows server using Kerberos.
  - If you did not do so during the initial configuration, make sure you configured date and time (NTP) settings to ensure successful Kerberos negotiation.
  - Configure a Kerberos server profile on the firewall to authenticate with the server to monitor the security logs and session information.
  - Select the Kerberos Server Profile you created in the previous step and click OK.
- Configure the PAN-OS integrated User-ID agent to use a WinRM transport protocol to monitor Windows servers.
  - Select the Microsoft server Type (Microsoft Active Directory or Microsoft Exchange).
  - Select the WinRM Transport Protocol.
    - WinRM-HTTP—Use WinRM over HTTP to monitor the server's security logs and session information. If you select this option, you must configure authentication using Kerberos.
    - WinRM-HTTPS—Use WinRM over HTTPS to monitor the server's security logs and session information. If you select this option, you must configure either basic authentication or authentication using Kerberos.
  - Enter the IP address or FQDN as the Network Address of the server. If you are using Kerberos, the network address must be a fully qualified domain name (FQDN).
- (HTTPS only) Import the certificate that the server uses for WinRM onto the firewall and associate it with the User-ID Certificate Profile. The firewall uses the same certificate to authenticate with all monitored servers.
  - Select Device > User Identification > Connection Security and click Edit.
  - Select the Windows server certificate to use for the User-ID Certificate Profile and then click OK.
- Commit your changes.
- To verify the configuration, verify that the status of each server configured for server monitoring is Connected on the Device > User Identification > User Mapping tab in the web interface.
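The server-side requirements in the procedure above (WinRM service running, a listener with the right transport, an HTTPS thumbprint with no spaces that matches a certificate in the Local Computer store, Basic or Kerberos service authentication flags, RC4 disabled for Kerberos, and the service account in the Remote Management Users group) can be checked in one pass before the firewall is pointed at the server. The following PowerShell script is an added example written for this page; it is not code from the PAN-OS documentation or from Palo Alto Networks. It assumes it is run elevated on the monitored server, the service account name is a placeholder you replace, Get-LocalGroupMember is available (Windows Server 2016 or later), and the RC4 check reads the standard Windows SupportedEncryptionTypes registry value, which the page refers to only as "the registry settings".

```powershell
# Added pre-flight check (not part of the PAN-OS documentation). Run elevated on the
# Windows server you intend to monitor, before configuring it on the firewall.
# $ServiceAccount is a placeholder; $Transport and $Auth select which of the three
# WinRM modes (HTTPS+Basic, HTTP+Kerberos, HTTPS+Kerberos) to validate.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-userid',                 # placeholder, replace
    [ValidateSet('HTTP', 'HTTPS')][string]$Transport = 'HTTPS',
    [ValidateSet('Basic', 'Kerberos')][string]$Auth = 'Kerberos'
)

$results = New-Object 'System.Collections.Generic.List[object]'
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. WinRM service must be running (what 'winrm quickconfig' reports as started).
$svc = Get-Service -Name WinRM
Add-Result 'WinRM service running' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

# 2. A listener with the expected transport must exist
#    (same data as 'winrm enumerate winrm/config/listener').
$listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener)
$listener  = $listeners | Where-Object { $_.Keys -contains "Transport=$Transport" } | Select-Object -First 1
Add-Result "Listener with Transport = $Transport" ($null -ne $listener) `
    (($listeners | ForEach-Object { $_.Keys -join ',' }) -join '; ')

# 3. HTTPS only: the listener certificate must be in Local Computer\Personal and its
#    thumbprint must contain no spaces, otherwise WinRM cannot validate it.
if ($Transport -eq 'HTTPS' -and $listener) {
    $tp = (Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
           Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
    $inStore = $null -ne (Get-ChildItem -Path Cert:\LocalMachine\My |
                          Where-Object { $_.Thumbprint -eq ($tp -replace '\s', '') })
    Add-Result 'Listener thumbprint has no spaces' ($tp -notmatch '\s') "Thumbprint=$tp"
    Add-Result 'Listener certificate present in LocalMachine\My' $inStore "Thumbprint=$tp"
}

# 4. Service authentication flags must match the chosen mode
#    (same data as 'winrm get winrm/config/service/Auth').
$basic    = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
$kerberos = (Get-Item -Path WSMan:\localhost\Service\Auth\Kerberos).Value -eq 'true'
if ($Auth -eq 'Basic') {
    Add-Result 'Service Auth Basic = true' $basic "Basic=$basic"
    # Basic authentication is only offered over HTTPS in this procedure.
    Add-Result 'Basic auth used only with HTTPS' ($Transport -eq 'HTTPS') "Transport=$Transport"
} else {
    Add-Result 'Service Auth Basic = false' (-not $basic) "Basic=$basic"
    Add-Result 'Service Auth Kerberos = true' $kerberos "Kerberos=$kerberos"

    # 5. Kerberos only: RC4 must be off so only the AES ciphers are offered. This reads
    #    the standard Windows SupportedEncryptionTypes value (bit 0x4 = RC4-HMAC,
    #    0x8 = AES128, 0x10 = AES256); the page does not name the key, so this
    #    location is the editor's assumption about where RC4 is disabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $enc = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes `
                -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $enc) {
        Add-Result 'Kerberos RC4 disabled in registry' $false 'SupportedEncryptionTypes not set (Windows defaults apply)'
    } else {
        $rc4Off = (($enc -band 0x4) -eq 0) -and (($enc -band 0x18) -ne 0)
        Add-Result 'Kerberos RC4 disabled in registry' $rc4Off ('SupportedEncryptionTypes=0x{0:X}' -f $enc)
    }
}

# 6. The service account must be in the local Remote Management Users group.
#    The CIMV2 namespace permissions the page also requires are not checked here;
#    verify them in wmimgmt.msc.
try {
    $members  = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction Stop)
    $isMember = $null -ne ($members | Where-Object { $_.Name -ieq $ServiceAccount })
    Add-Result "$ServiceAccount in Remote Management Users" $isMember ($members.Name -join ', ')
} catch {
    Add-Result "$ServiceAccount in Remote Management Users" $false "Could not enumerate group: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed."
exit $failed
```

Run it once per monitored server with the transport and authentication mode you intend to configure on the firewall, for example `.\Test-WinRmMonitoring.ps1 -ServiceAccount 'CORP\svc-userid' -Transport HTTPS -Auth Kerberos` (script name and account are placeholders). A non-zero exit code means at least one requirement from the procedure is unmet, and the Detail column shows the observed value so the corresponding step can be revisited before the firewall reports the server as anything other than Connected.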