WinRM Support for Server Monitoring

The PAN-OS integrated User-ID agent can connect to Microsoft Active Directory and Exchange servers using the lightweight Windows Remote Management (WinRM) protocol.
To map usernames from login and logout events to IP addresses, the PAN-OS® integrated User-ID™ agent can now use the lightweight Windows Remote Management (WinRM) protocol to monitor Active Directory Windows Server 2008, Microsoft Exchange Server 2008, and later Windows Server versions.
Using the WinRM protocol significantly improves speed, efficiency, and security when monitoring server events to map usernames to IP addresses.
There are three ways to configure server monitoring using WinRM: WinRM over HTTP with Kerberos authentication, WinRM over HTTPS with basic authentication, or WinRM over HTTPS with Kerberos authentication. The steps below cover all three.
The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
  1. Configure the service account with Remote Management User and CIMV2 privileges.
  2. Enable WinRM on the Windows server.
    WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If you want to authenticate using Kerberos and the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor.
    1. To open the ports on the Windows server for WinRM connections, enter the following command, then enter y to confirm the changes:
      winrm quickconfig
      Confirm that the output displays "WinRM service started". If WinRM is already enabled, the output instead displays "WinRM service is already running on this machine." and you will be prompted to confirm any additional required configuration changes.
    2. Verify that WinRM communicates using the correct protocol by entering the following command:
      winrm enumerate winrm/config/listener
      • For HTTP, confirm that the output displays "Transport = HTTP".
      • For HTTPS, confirm that the output displays "Transport = HTTPS".
  3. (HTTPS only) Configure the server thumbprint to authenticate the server with the firewall.
    1. Verify the certificate is installed in the Local Computer certificate store (Certificates (Local Computer) > Personal > Certificates).
    2. Open the certificate, select General > Details > Show: <All>, select the Thumbprint, and copy it.
    3. From the Windows server command prompt, enter the following command:
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>";CertificateThumbprint="<Certificate Thumbprint>"}
      where <hostname> is the monitored server and <Certificate Thumbprint> is the value you copied from the certificate.
      Make sure to remove any spaces in the Certificate Thumbprint to ensure that WinRM can validate the certificate.
    4. Specify the authentication type and verify successful authentication between the server and the firewall.
      • For HTTPS with basic authentication, from the Windows server command prompt, enter the following commands:
        winrm set winrm/config/client/auth '@{Basic="true"}'
        winrm get winrm/config/service/Auth
        Confirm that the output displays "Basic = true".
      • For HTTPS with Kerberos authentication, from the Windows server command prompt, enter the following command:
        winrm get winrm/config/service/Auth
        Confirm that the output displays "Basic = false" and "Kerberos = true".
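The following PowerShell script is an added example and is not part of the Palo Alto Networks documentation. Run it in an elevated session on the Windows server you plan to monitor; it reports whether the server-side prerequisites from steps 1 through 3 are in place (WinRM service state, listener transports, the HTTPS certificate binding with the thumbprint normalized as step 3.3 requires, the Basic/Kerberos service authentication settings, the Kerberos RC4 setting mentioned under step 2, and the service account's Remote Management Users membership and direct CIMV2 grant) without changing anything. The service account name and the thumbprint are placeholders you supply; the registry value and WMI access-mask bits it reads are standard Windows locations, not something the page states.

```powershell
<#
  Added example, not from the Palo Alto Networks documentation.
  Read-only check of the WinRM prerequisites on the server to be monitored.
  Assumptions (placeholders not on the page): the service account name and the
  thumbprint you copied from the certificate are passed as parameters.
#>
param(
    [string]$ServiceAccount     = 'EXAMPLE\svc-userid',   # placeholder: your User-ID service account
    [string]$ExpectedThumbprint = ''                      # as copied from the certificate; spaces allowed
)

$report = [ordered]@{}

# Step 2.1: after "winrm quickconfig" the WinRM service must be running.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$report['WinRM service running'] = [bool]($svc -and $svc.Status -eq 'Running')

# Step 2.2: the WSMan: drive exposes the same data as "winrm enumerate winrm/config/listener".
$transports = @()
$httpsThumb = $null
foreach ($listener in @(Get-ChildItem -Path WSMan:\localhost\Listener)) {
    $props     = Get-ChildItem -Path $listener.PSPath
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    $transports += $transport
    if ($transport -eq 'HTTPS') {
        $httpsThumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
}
$report['HTTP listener present (Transport = HTTP)']   = ($transports -contains 'HTTP')
$report['HTTPS listener present (Transport = HTTPS)'] = ($transports -contains 'HTTPS')

# Step 3.3: the thumbprint must contain no spaces; strip every non-hex character
# before comparing, which also covers other invisible characters a copy/paste can add.
if ($ExpectedThumbprint) {
    $wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $inStore = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $wanted
    $report['Certificate present in Certificates (Local Computer) > Personal'] = [bool]$inStore
    $bound = ($null -ne $httpsThumb) -and (($httpsThumb -replace '\s', '').ToUpper() -eq $wanted)
    $report['HTTPS listener bound to that certificate'] = $bound
}

# Step 3.4: service-side authentication, the same values "winrm get winrm/config/service/Auth" prints.
$basic    = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
$kerberos = (Get-Item -Path WSMan:\localhost\Service\Auth\Kerberos).Value
$report['Service Auth Basic = true (WinRM-HTTPS with basic auth)']       = ($basic -eq 'true')
$report['Service Auth Kerberos = true (WinRM-HTTP, or HTTPS with Kerberos)'] = ($kerberos -eq 'true')

# Note under step 2: Kerberos over WinRM needs the AES ciphers; report whether RC4 is still enabled.
# SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128-CTS-HMAC-SHA1-96, 0x10 = AES256-CTS-HMAC-SHA1-96.
# When the value is absent, Windows leaves RC4 enabled by default.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$etypes  = (Get-ItemProperty -Path $kerbKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
$report['Kerberos RC4 disabled in registry']   = (($null -ne $etypes) -and (($etypes -band 0x4) -eq 0))
$report['Kerberos AES128/AES256 enabled']      = (($null -eq $etypes) -or (($etypes -band 0x18) -ne 0))

# Step 1: membership in the local "Remote Management Users" group.
# On a domain controller this is a domain group, so the cmdlet reports "not checked".
try {
    $members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction Stop
    $report['Account in Remote Management Users'] = [bool]($members | Where-Object Name -eq $ServiceAccount)
} catch {
    $report['Account in Remote Management Users'] = "not checked: $($_.Exception.Message)"
}

# Step 1: a direct ACE for the account on root\cimv2 with Enable Account (0x1) and Remote Enable (0x20).
# A grant inherited through group membership is not detected by this check.
try {
    $sd  = (Invoke-WmiMethod -Namespace root\cimv2 -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop).Descriptor
    $ace = $sd.DACL | Where-Object { "$($_.Trustee.Domain)\$($_.Trustee.Name)" -eq $ServiceAccount }
    $report['Direct CIMV2 Enable + Remote Enable ACE for account'] = [bool]($ace | Where-Object { ($_.AccessMask -band 0x21) -eq 0x21 })
} catch {
    $report['Direct CIMV2 Enable + Remote Enable ACE for account'] = "not checked: $($_.Exception.Message)"
}

$report.GetEnumerator() |
    ForEach-Object { [PSCustomObject]@{ Check = $_.Key; Result = $_.Value } } |
    Format-Table -AutoSize
```

Every row in the table should read True for the transport and authentication combination you chose (for example, an HTTPS listener plus Basic = true for WinRM-HTTPS with basic authentication). A False on the Kerberos RC4 row is only a concern if you intend to authenticate with Kerberos, which is the case the note under step 2 describes.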
  4. Enable authentication between the PAN-OS integrated User-ID agent and the Windows servers you plan to monitor using WinRM.
    1. From the firewall web interface, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.
    2. Enter the User Name for the service account that the User-ID agent will use to monitor servers, in domain\username format.
    3. Enter the Domain's DNS Name of the server monitor account.
      If you are authenticating using Kerberos, Kerberos uses the domain name to locate the service account.
    4. Enter the Password and Confirm Password for the service account and then click OK.
    5. (Kerberos only) Configure the firewall to authenticate with the Windows server using Kerberos.
      1. If you did not do so during the initial configuration, make sure you configured date and time (NTP) settings to ensure successful Kerberos negotiation.
      2. Configure a Kerberos server profile on the firewall to authenticate with the server to monitor the security logs and session information.
      3. Select the Kerberos Server Profile you created in the previous step and click OK.
  5. Configure the PAN-OS integrated User-ID agent to use a WinRM transport protocol to monitor Windows servers.
    1. Select the Microsoft server Type (Microsoft Active Directory or Microsoft Exchange).
    2. Select the WinRM Transport Protocol.
      • WinRM-HTTP: Use WinRM over HTTP to monitor the server's security logs and session information. If you select this option, you must configure authentication using Kerberos.
      • WinRM-HTTPS: Use WinRM over HTTPS to monitor the server's security logs and session information. If you select this option, you must configure either basic authentication or authentication using Kerberos.
    3. Enter the IP address or FQDN of the server as the Network Address.
      If you are using Kerberos, the network address must be a fully qualified domain name (FQDN).
  6. (HTTPS only) Import the certificate that the server uses for WinRM onto the firewall and associate it with the User-ID Certificate Profile.
    The firewall uses the same certificate to authenticate with all monitored servers.
    1. Select Device > User Identification > Connection Security and click Edit.
    2. Select the Windows server certificate to use for the User-ID Certificate Profile and then click OK.
  7. Commit your changes.
  8. To verify the configuration, confirm that the status of each server configured for server monitoring is Connected on the Device > User Identification > User Mapping tab in the web interface.
