Configure Access to User-ID Agents
Each firewall and Panorama management server can connect to a maximum of 100 User-ID agents or User-ID redistribution points (or a mixture of both). To add a connection, click Add and complete the following fields.
User-ID Agent Settings
Name
Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Add an Agent Using
Select how the firewall identifies the User-ID agent or redistribution point:
Serial Number (Firewall only)
Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama (panorama2).
You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall.
Port
Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007, but you can specify any available port, and different User-ID agents can use different ports.
The default port for some earlier versions of the User-ID agent is 2010.
Collector Name
Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. Enter the same values as when you configured the firewall or virtual system to redistribute user mappings (see Redistribution).
The collector these fields refer to is the User-ID agent, not a Log Collector, and the fields are configurable only when the agent is a firewall or virtual system.
Collector Pre-shared Key / Confirm Collector Pre-shared Key
Use as LDAP Proxy
Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly.
Use for NTLM Authentication
Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication when a client web request matches an Authentication policy rule. The User-ID agent monitors the domain controller for user mapping information and forwards the information to the firewall. To use this option, you must also enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly.
Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
Enabled
Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point.
HIP Report
Select this option to enable this firewall to receive HIP reports from other firewalls that are configured as User-ID agents (including GlobalProtect gateways, Distributed Log Collectors (DLCs), firewalls, and Panorama). The firewall can then use the information in the HIP reports for HIP-based policy enforcement.
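As an added illustration (my own code, not Palo Alto Networks'), the following Python pre-checks a proposed list of agent connections against the constraints stated above (31-character case-sensitive unique names, the 100-connection limit, the 5007/2010 port defaults, matching pre-shared key confirmation, the Group Mapping prerequisite for LDAP proxy, and the Kerberos-over-NTLM recommendation) before anyone clicks Add. The attribute names and the "serial"/"host" mode strings are assumptions for this example, not PAN-OS identifiers.

```python
import re
from dataclasses import dataclass

MAX_AGENTS = 100      # per firewall or Panorama: agents plus redistribution points
DEFAULT_PORT = 5007   # current User-ID agent listening port
LEGACY_PORT = 2010    # default on some earlier User-ID agent versions
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")  # up to 31 chars, restricted alphabet

@dataclass
class UserIdAgent:  # attribute names are illustrative, not PAN-OS identifiers
    name: str
    add_using: str            # assumed mode strings: "serial" (firewall only) or "host"
    host: str = ""
    port: int = DEFAULT_PORT
    psk: str = ""             # Collector Pre-shared Key and its confirmation
    psk_confirm: str = ""
    ldap_proxy: bool = False  # Use as LDAP Proxy
    ntlm_auth: bool = False   # Use for NTLM Authentication

def validate_agent(agent, existing_names, group_mapping_configured):
    """Return (errors, warnings) for one agent against the rules stated on this page."""
    errors, warnings = [], []
    if not NAME_RE.match(agent.name):
        errors.append("name: 1-31 letters, digits, spaces, hyphens or underscores")
    if agent.name in existing_names:  # case-sensitive, so 'Agent1' and 'agent1' differ
        errors.append("name: must be unique")
    if agent.add_using == "host":
        if not agent.host:
            errors.append("host: required when the agent is added by host and port")
        if not 1 <= agent.port <= 65535:
            errors.append("port: must be 1-65535")
        elif agent.port == LEGACY_PORT:
            warnings.append("port 2010 is the default only for earlier agent versions")
    elif agent.add_using != "serial":  # serial: host/port come from initial firewall config
        errors.append("add_using: expected 'serial' or 'host'")
    if agent.psk != agent.psk_confirm:
        errors.append("pre-shared key and confirmation do not match")
    if agent.ldap_proxy and not group_mapping_configured:
        errors.append("LDAP proxy needs Group Mapping Settings configured on the firewall")
    if agent.ntlm_auth:
        warnings.append("Kerberos SSO is preferred over NTLM for Authentication rules")
    return errors, warnings

def validate_agent_list(agents, group_mapping_configured=False):  # whole-list check
    list_errors = [f"{len(agents)} connections exceed the limit of {MAX_AGENTS}"] if len(agents) > MAX_AGENTS else []
    seen, per_agent = set(), []
    for a in agents:  # earlier entries count as 'existing' for the uniqueness check
        per_agent.append((a.name, *validate_agent(a, seen, group_mapping_configured)))
        seen.add(a.name)
    return list_errors, per_agent
```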