Configure User-ID for Remote Network Deployments
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
- Activate and Edit a License for SASE 5G Through Common Services
-
- Prisma Access Onboarding Workflow
-
2.2 Preferred
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Prisma Access
- Prisma Access Infrastructure Management
- Releases and Upgrades
- Manage Upgrade Options for the GlobalProtect App
- Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions
- Retrieve the IP Addresses for Prisma Access
- Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections
- Service IP and Egress IP Address Allocation for Remote Networks
- How to Calculate Remote Network Bandwidth
- Prisma Access APIs
- Use Logging, Routing, and EDL Information to Troubleshoot Your Deployment
-
- Set Up Prisma Access
- Plan the Service Infrastructure and Service Connections
- Configure the Service Infrastructure
- Create a Service Connection to Allow Access to Your Corporate Resources
- Create a Service Connection to Enable Access between Mobile Users and Remote Networks
- Deployment Progress and Status
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections
- Routing Preferences for Service Connection Traffic
- Create a High-Bandwidth Network Using Multiple Service Connections
- List of Prisma Access Locations
-
- Plan To Deploy Prisma Access for Mobile Users
- Secure Mobile Users With GlobalProtect
- Secure Mobile Users with an Explicit Proxy
- Zone Mapping
- Specify IP Address Pools for Mobile Users
- How the GlobalProtect App Selects a Prisma Access Location for Mobile Users
- View Logged In User Information and Log Out Current Users
-
- Use Explicit Proxy to Secure Public Apps and GlobalProtect or a Third-Party VPN to Secure Private Apps
- Prisma Access with On-Premises Gateways
-
- Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways
- Set a Higher Gateway Priority for an On-Premises Gateway
- Set Higher Priorities for Multiple On-Premises Gateways
- Configure Priorities for Prisma Access and On-Premises Gateways
- Allow Mobile Users to Manually Select Specific Prisma Access Gateways
- DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments
- IPv6 Support for Private App Access
- Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments
- Identification and Quarantine of Compromised Devices With Prisma Access
- Support for Gzip Encoding in Clientless VPN
- Report Website Access Issues
-
- Plan to Deploy Remote Networks
- Onboard and Configure Remote Networks
-
- Remote Network Locations with Overlapping Subnets
- Remote Network Locations with WAN Link
- Use Predefined IPSec Templates to Onboard Service and Remote Network Connections
- Onboard Remote Networks with Configuration Import
- Configure Quality of Service in Prisma Access
- Create a High-Bandwidth Network for a Remote Site
- Provide Secure Inbound Access to Remote Network Locations
-
- Multitenancy Overview
- Multitenancy Configuration Overview
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Control Role-Based Access for Tenant-Level Administrative Users
- Sort Logs by Device Group ID for External Logging
- Visibility and Monitoring Features in the Prisma Access App
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
- Integrate Third-Party NDRs with Prisma Access
- Juniper Mist Integration for SASE Health
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Configure User-ID for Remote Network Deployments
The process for retrieving User-ID information
for Prisma Access is similar to configuring User-ID for on-premise
Palo Alto Networks next-generation firewalls. To configure User
ID-to-IP address mapping for Prisma Access, use the following workflow.
- Map IP addresses to users in Prisma Access.
- To use a Windows-based User-ID Agent for IP address-to-username mapping, create a dedicated service account for the User-ID agent, then configure user mapping using the Windows User-ID agent.
- To use the PAN-OS integrated User-ID Agent for IP address-to-username mapping, Create a dedicated service account for the User-ID Agent, then configure User-ID usingthe PAN-OS integrated User-ID agent.If you use either a Windows or PAN-OS User-ID Agent, use the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService Connection) from Prisma Access in your User-ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from the Prisma Access infrastructure. For more information about User-ID redistribution from Prisma Access to an on-premises firewall, see Redistribute User-ID Information From Prisma Access to an On-Premise Firewall.By default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure that you implement security policies that allow User-ID traffic from this port between Prisma Access and the Active Directory server or User-ID Agent.You can also use the paloalto-userid-agent App ID to retrieve the information from the Windows domain controller; however, if you do this, you must decrypt the SSL traffic for User-ID.
- To enable IP address-to-username mapping for users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Authentication Portal (formerly Captive Portal).To authenticate users using MFA, SAML, or Authentication Portal, we recommend mapping a hostname to the Captive Portal Redirect IP Address in Prisma Access and associating it with your internal DNS servers. If you choose to use Kerberos single sign-on (SSO) with the authentication portal, the hostname is required. Alternatively, you can use the Captive Portal Redirect IP Address by itself to redirect users.To find the Captive Portal Redirect IP Address, select PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure. Prisma Access assigns this IP address from the infrastructure subnet IP address pool.
- To enable IP address-to-username mapping using syslog listening, Configure User-ID to Monitor Syslog Senders for User Mapping.
- To enable IP address-to-username mapping for users on Windows-based terminal servers, Configure User Mapping for Terminal Server Users.
- To enable IP address-to-username mapping using an XML API, Send User Mappings to User-ID Using the XML API.
- To enable IP address-to-username mapping without using an agent,Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent.
- Allow Panorama to use group mappings in security policies.
- To allow Panorama to retrieve group mapping information, add one or more next-generation firewalls to your deployment and then configure the firewall as a Master Device.We recommend using a Master Device in Prisma Access User-ID deployments, because it allows you to select groups from drop-down lists in policies that you create and configure in Panorama, which simplifies group-based policy configuration.
- If you don’t use a master device, you can configure group-based policy by specifying the full distinguished name (DN) of the group.
Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure
the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping.
The integrated User-ID agent performs the same tasks as the Windows-based
agent with the exception of NetBIOS client probing. While we support
WMI probing, we do not recommend it.
- Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server.Be sure that the user you create is part of the following groups:
- Distributed COM Users
- Event Log Readers
- Server Operators
We recommend only making these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving privileges to the account that aren’t required can give your network a larger attack surface. - Configure Windows Management Instrumentation (WMI) on the AD server.The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD server that connects to the device.
- Open a command prompt window and run the wmimgmt.msc command.
- In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.
- Make the following changes in the CIMV2 folder:
- Select the CIMV2 folder.
- Click Security.
- Click Add
- Select the service account you created in Step1.This example uses the UserID user with the email of userid@example.com.
- Check Allow for the Enable Account and Remote Enable for the account you created.
- Click Apply.
- Click OK.
- In Panorama, select DeviceUser IdentificationUser Mapping and click the gear icon to edit the settings.Be sure that you have selected the Remote_Network_Template at the top of the page.
- Configure the Windows Remote Management (WinRM) protocol to monitor your Active Directory server.See the WinRM documentation in the PAN-OS Administrator’s Guide for details.