Configure User-ID for Remote Network Deployments
The process for retrieving User-ID information for Prisma Access is similar to configuring User-ID for on-premise Palo Alto Networks next-generation firewalls. To configure User ID-to-IP address mapping for Prisma Access, use the following workflow.
- Map IP addresses to users in Prisma Access.
- If you use either a Windows or PAN-OS User-ID Agent, use theUser-ID Agent Address() from Prisma Access in your User-ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from the Prisma Access infrastructure. For more information about User-ID redistribution from Prisma Access to an on-premise firewall, see Redistribute User-ID Information From Prisma Access to an On-Premise Firewall.PanoramaCloud ServicesStatusNetwork DetailsService ConnectionBy default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure that you implement security policies that allow User-ID traffic from this port between Prisma Access and the Active Directory server or User-ID Agent.You can also use thepaloalto-userid-agentApp ID to retrieve the information from the Windows domain controller; however, if you do this, you must decrypt the SSL traffic for User-ID.
- To enable IP address-to-username mapping for users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Captive Portal.To authenticate users using MFA, SAML, or Captive Portal, we recommend mapping a hostname to theCaptive Portal Redirect IP Addressin Prisma Access and associating it with your internal DNS servers. If you choose to use Kerberos single sign-on (SSO) with the captive portal, the hostname is required. Alternatively, you can use theCaptive Portal Redirect IP Addressby itself to redirect users.To find theCaptive Portal Redirect IP Address, select. Prisma Access assigns this IP address from the infrastructure subnet IP address pool.PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure
- Allow Panorama to use group mappings in security policies.
- To allow Panorama to retrieve group mapping information, add one or more next-generation firewalls to your deployment and then configure the firewall as a Master Device.We recommend using a Master Device in Prisma Access User-ID deployments, because it allows you to select groups from drop-down lists in policies that you create and configure in Panorama, which simplifies group-based policy configuration.
Configure User-ID for Prisma Access Using the PAN-OS Integrated
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing. While we support WMI probing, we do not recommend it.
- Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server.Be sure that the user you create is part of the following groups:
We recommend only making these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving privileges to the account that aren’t required can give your network a larger attack surface.
- Distributed COM Users
- Event Log Readers
- Server Operators
- Configure Windows Management Instrumentation (WMI) on the AD server.The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD server that connects to the device.
- Open a command prompt window and run thewmimgmt.msccommand.
- In theWMI Controlpane, right-clickWMI Control, chooseProperties, and select theSecuritytab.
- Make the following changes in theCIMV2folder:
- Select theCIMV2folder.
- Select the service account you created in Step 1.This example uses theUserIDuser with the email firstname.lastname@example.org.
- CheckAllowfor theEnable AccountandRemote Enablefor the account you created.
- In Panorama, selectand click the gear icon to edit the settings.DeviceUser IdentificationUser MappingBe sure that you have selected theRemote_Network_Templateat the top of the page.
- Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
- SelectWMI Authenticationand enter the domain and username (in the formatdomain/username) for the User-ID service account, along with a valid password.
- (Optional) SelectServer Monitorand change the default settings, if required.
- To disable security log monitoring on Windows servers, deselectEnable Security Log.
- To enable monitoring of user sessions on the monitored servers, selectEnable Session.
- (Optional) SelectClient Probingand selectEnable Probingto enable WMI probing.
- ClickOKto exit from thePalo Alto Networks User-ID Agent Setup.
- If you have not done so already, clickAddin theServer Monitoringarea and add aName,Description,Type, andNetwork Addressfor the server you need to monitor.
Recommended For You
Recommended videos not found.