Configure User-ID for Remote Network Deployments

The process for retrieving User-ID information for Prisma Access is similar to configuring User-ID for on-premise Palo Alto Networks next-generation firewalls. To configure User ID-to-IP address mapping for Prisma Access, use the following workflow.
  1. Map IP addresses to users in Prisma Access.
    • To use a Windows-based User-ID Agent for IP address-to-username mapping, create a dedicated service account for the User-ID agent, then configure user mapping using the Windows User-ID agent.
    • To use the PAN-OS integrated User-ID Agent for IP address-to-username mapping, create a dedicated service account for the User-ID Agent, then configure User-ID using the PAN-OS integrated User-ID agent.
      If you use either a Windows or PAN-OS User-ID Agent, use the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection) from Prisma Access in your User-ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from the Prisma Access infrastructure. For more information about User-ID redistribution from Prisma Access to an on-premise firewall, see Redistribute User-ID Information From Prisma Access to an On-Premise Firewall.
      By default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure that you implement security policies that allow User-ID traffic from this port between Prisma Access and the Active Directory server or User-ID Agent.
      You can also use the paloalto-userid-agent App ID to retrieve the information from the Windows domain controller; however, if you do this, you must decrypt the SSL traffic for User-ID.
    • To enable IP address-to-username mapping for users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Captive Portal.
      To authenticate users using MFA, SAML, or Captive Portal, we recommend mapping a hostname to the Captive Portal Redirect IP Address in Prisma Access and associating it with your internal DNS servers. If you choose to use Kerberos single sign-on (SSO) with the captive portal, the hostname is required. Alternatively, you can use the Captive Portal Redirect IP Address by itself to redirect users.
      To find the Captive Portal Redirect IP Address, select Panorama > Cloud Services > Status > Network Details > Service Infrastructure. Prisma Access assigns this IP address from the infrastructure subnet IP address pool.
    • To enable IP address-to-username mapping using syslog listening, Configure User-ID to Monitor Syslog Senders for User Mapping.
    • To enable IP address-to-username mapping for users on Windows-based terminal servers, Configure User Mapping for Terminal Server Users.
    • To enable IP address-to-username mapping using an XML API, Send User Mappings to User-ID Using the XML API.
    • To enable IP address-to-username mapping without using an agent, Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent.
  2. Allow Panorama to use group mappings in security policies.

Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing. While we support WMI probing, we do not recommend it.
  1. Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server.
    Be sure that the user you create is part of the following groups:
    • Distributed COM Users
    • Event Log Readers
    • Server Operators
      Server Operator membership is only required if you enable monitoring of user sessions (Enable Session) when you configure server monitoring in Panorama in Step 5.b.
    We recommend only making these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving privileges to the account that aren’t required can give your network a larger attack surface.
  2. Configure Windows Management Instrumentation (WMI) on the AD server.
    The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD server that connects to the device.
    1. Open a command prompt window and run the wmimgmt.msc command.
    2. In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.
  3. Make the following changes in the CIMV2 folder:
    1. Select the CIMV2 folder.
    2. Click Security.
    3. Click Add.
    4. Select the service account you created in Step 1.
      This example uses the UserID user with the email of userid@example.com.
    5. Check Allow for the Enable Account and Remote Enable for the account you created.
    6. Click Apply.
    7. Click OK.
  4. In Panorama, select Device > User Identification > User Mapping and click the gear icon to edit the settings.
    Be sure that you have selected the Remote_Network_Template at the top of the page.
  5. Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
    1. Select WMI Authentication and enter the domain and username (in the format domain/username) for the User-ID service account, along with a valid password.
    2. (Optional) Select Server Monitor and change the default settings, if required.
      • To disable security log monitoring on Windows servers, deselect Enable Security Log.
      • To enable monitoring of user sessions on the monitored servers, select Enable Session.
    3. (Optional) Select Client Probing and select Enable Probing to enable WMI probing.
    4. Click OK to exit from the Palo Alto Networks User-ID Agent Setup.
  6. If you have not done so already, click Add in the Server Monitoring area and add a Name, Description, Type, and Network Address for the server you need to monitor.
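
Step 1 limits the User-ID service account to three groups and advises against Domain Admin or Enterprise Admin privileges. The following PowerShell audit of that account is an added example, not part of the original procedure or Palo Alto Networks tooling; it assumes the RSAT ActiveDirectory module is installed and that the account's sAMAccountName is UserID, the name used in this procedure's example.

```powershell
# Added example (not from the original page): least-privilege audit of the
# User-ID service account. Assumes the RSAT ActiveDirectory module and that
# the account's sAMAccountName is "UserID", as in this procedure's example.
Import-Module ActiveDirectory

$Account   = 'UserID'
$Required  = @('Distributed COM Users', 'Event Log Readers')
$Optional  = @('Server Operators')   # only needed when Enable Session is selected
$Ignored   = @('Domain Users')       # default primary group, not a finding
$Forbidden = @('Domain Admins', 'Enterprise Admins')

$User = Get-ADUser -Identity $Account

# Direct memberships (includes the primary group).
$Direct = @(Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object -ExpandProperty Name)

# Effective memberships, following nested groups with the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule.
$Filter = "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
$Effective = @(Get-ADGroup -LDAPFilter $Filter |
    Select-Object -ExpandProperty Name)

$All = @($Direct + $Effective | Sort-Object -Unique)
$Findings = @()

# Groups the procedure requires but the account does not hold.
foreach ($Group in $Required) {
    if ($Group -notin $All) { $Findings += "MISSING   $Group" }
}
# Groups the account holds that the procedure does not call for.
foreach ($Group in $All) {
    if ($Group -in $Forbidden) {
        $Findings += "EXCESSIVE $Group (direct or nested; not required for User-ID)"
    } elseif ($Group -notin ($Required + $Optional + $Ignored)) {
        $Findings += "REVIEW    $Group (not listed in this procedure)"
    }
}

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "$Account holds only the group memberships this procedure lists."
}
```

Run it from a domain-joined management host with read access to the directory. A Server Operators membership is reported as acceptable either way, so confirm separately that Enable Session is actually in use before keeping it.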
