Describe the four main components of User-ID
Describe the differences between the integrated agent and the Windows-based agent
Define the methods to map IP addresses to users
Configure the PAN-OS integrated agent to ocnnect to monitored servers
Configure the Windows-based agent to probe IP addresses for username information
The purpose of User-ID is to identify the user on the network and the IP addresses of the computers the user is logged in too.
User-ID can retrieve information from a connected LDAP directory server.
The goal of User-ID is to give the ability to write policies, display logs, and display reports using usernames rather than just numercial IP addresses and port numbers.
Usernames and group names can be used as matching criteria in Authentication policies, Decryption policies, DoS protection policies, Policy Based Forwarding policies, QoS policies, Security Policies, and Tunnel Inspection Policies.
User-ID Main Functions
Before user and group based policy rules can be created, the firewall requires a list of all users and their group mappings.
The firewall uses group mapping and user mapping to collect the information required.
Group Mapping is learned from group names and member users from a LDAP directory server.
User Mapping includes several different methods to collect IP address-to-username information.
The user mapping can be chosen by the administrator to suit different needs and environments. Different methods can be used at different sites.
Palo Alto Networks Fireewall
- Maps IP addresses to usernames
- Maps usernames to group names
PAN-OS Integrated User-ID Agent
- Runs on the firewall
- Collects IP address to username information
Windows-based User-ID Agent
- Runs on a domain member
- Collects IP address-to-username information
- Sends information to the firewall
Palo Alto Networks Terminal Services Agent
- Runs on Micorsoft and Citrix terminal servers
- Collects IP and port nubmer to username information
- Sends information to the firewall
Forms of User-ID Agent
|PAN-OS Integrated Agent
|Included with PAN-OS software
|Available for download from Palo Alto Networks and can be installed on one or more Windows Systems
|A firewall can communicate with both agent types at the same time
|Can monitor up to 100 domain controllers or Exchange servers
|Can monitor users and domain controllers only from a single Active Directory, or AD, domain
|Designed for small and midsize deployments
|Can handle larger environments or multiforest domains
Integrated Agent verues Windows Based Agent
The Windows based agent and the PAN-OS integrated perform the same basic tasks, but use different underlying communication protocols.
The Windows based agent uses MS-RPC, which requires full Windows Security logs to be sent to the agent, where they are filtererd for relevant User-ID information. This agent is best for reading local logs.
The Pan-OS integrated agent users either the Windows Management Instrumentation (WMI) or the Windows Remote Management Protocol (WinRM), which allows the agent to retrieve only the relevant User-ID information from the security logs. This agent is best for reading remote logs.
In summary, use an integrated agent for remote sites, or install a Windows-based agent at the local site.
User Mapping Methods
- GlobalProtect – Login Events
- Captive Portal – Web Forms
- User/Group Mapping
- Devices that can format and send XML over HTTP
- Third Party WLAN controller
- Third Party Proxy
- Third Party VPN
- Network access control systems
- 802.1x devices
- Terminal Services Agent
- Microsoft Remote Desktop Services
- Citrix Presentation Server
- Citrix XenApp
- Third Party Proxy
- eDirectory – Login or logout events in authentication logs
- Microsoft Exchange – Login or logout events in authentication logs
- Microsoft Active Directory – Login or logout events in authentication logs
Session tables are also read to confirm known IP address to username mappings based on current Windosws file and printer shares
- Windows Clients
User Mapping Using Global Protect
Every GlobalProtect user is required to enter their login credentials to access to the VPN
GlobalProtect can directly add the username to the firewalls User-ID mapping table
GlobalProtect is listed as the best solution for high security enviroments
User-ID information can be provided by clients that are conneted to an internal network via an internal Global Protect gateway without establishing a VPN tunnel to the firewall.
User-ID Syslog Monitoring
Syslog monitoring may be a good fit where existing network services exist that authenticate users. These services could include 802.1x devices, Wireless controllers, Apple Open Directory serves, proxy servers and other related services.
These services can be configured to send syslog messages that contain information about login and logout events, and configure the User-ID agent to parse those messages.
The integrated and Windows based agents can retrieve these syslog messages. Syslog Parse Profiles are used to parse syslog messages. With environments with different services with varying messages, custom Syslog Parse Profiles can be set up to pick up on login and logout events. If the Pan-OS integrated User-ID agent is used, Palo Alto provide predefined Syslog Parse Profiles through Application content updates.
The User-ID agent can parse for login events to map IP addresses to usernames and parse for logout events so the firewall deletes outdated mappings. Deletion of outdated mappings is useful were IP address assignments are changed often.
User-ID Operation Overview: Domain Controllers
Before User-ID can operate, it must be enabled on the relevant security zone.
If User-ID is enabled, the firewall consults the administrator-defined User-ID configuiration to determine which agents the firewall has available to gather IP address and username information.
Once User-ID has retrived the IP address and username information from an agent, it can use the firewalls LDAP configuration to retrieve user to group mapping information from a LDAP server.
With the information requirements satisified, the security policy can be checked for a match.
In terms of Domain Controllers User-ID, When a user logs into their laptop, which is an Active Directory member, the AD domain controller logs a logon event with the username and IP address of the station.
User-ID Domain Controller Monitoring
Palo Alto recomended passive server monitoring (due to low overheads) allows a User-ID agent to monitor the security logs for user logon or logout events for a Microsoft domain controller.
The AD domain must be configured to log succesful logon events into the security logs.
Users are able to authenticate to any domain controller in a domain, and security logs are not replicated between seperate domain controller servers. Server monitoring needs to be turned on for all controllers to capture all user login events. User-ID agents can monitor multiple domain controllers, but only a single domain.
Step 1 – Parse and record
On startup, the User-ID agent parses the security event logs for user logon events
Step 2 – Check Logs
The User-ID agent checks Security logs on a regular basis for only new logon or logout events
Step 3 – Mappings cached
User mappings are cached for the first time equal to the timeout value set in the User ID agent
User-ID Windows Session Monitoring
Clients thats have a connected shared file/folder or print resource will have their session information stored on a Domain Controller.
This is an additional Windows-based method to resolve IP addresses to users. Consult the shared resource session table recorded on the Domain Controller.
User-ID Mapping Recommendations
|If you have…
|GlobalProtect VPN Clients
|Web clients that do not use the domain server
|Non-windows systems, NAC mechanisms such as wireless controllers, 802.1x devices, or proxy servers
|User-ID agent: Session monitoring
|Exchange servers, domain controllers, or eDirectory servers
|User-ID agent: Session monitoring
|Windows file and print shares
|Terminal Services agent
|Multi-user systems such as Microsoft Desktop Services or Citrix Metaframe Presentation Server (XenApp)
|User-ID agent: Client probing
|Windows clients that often change IP addresses
|Devices and applications not integrated with User-ID
Steps for configuring User-ID
- Enable User-ID by zone
- Configure user mapping methods
- Configure group mapping (Optional)
- Modify firewall policy rules to use usernames or group names
To enable user-ID by zone, tick the ‘Enable User Identification’ box on the zone settings on the firewall.
By default User-ID tries to map all user from all networks found within a User-ID enabled zone.
The include list can be used to limit the networks that the firewall tries to map IP addresses too.
The exclude list can be used to exclude a subnet of network included in an Include list.
If WMI probing is enabled, by default only private IP address ranges are probed. To probe public addressing ranges, those ranges need to be included in the Include List.
Configuring the PAN-OS Integrated User-ID Agent
- On the domain controller, create a service account with the required permissions to run the agent
- On the firewall define the address of the servers to be monitored
- Add the service account to monitor the servers
- Configure session monitoring (optional step)
- Configure WMI probing (optional step)
- Commit the configuration and verify agent status
Configure the Windows-Based User-ID Agent
- On the domain controller, create a service account with the require permissions to run the agent
- Select a Windows domain member
- Download and install User-ID agent software
- Run the User-ID agent installer
- Configure the User-ID agent
- Configure the firewall to connect to the User-ID agent
- Verify connection status
Selecting the Installation Location
The Windows-based agent can be installed on 32 or 64 bit machines running Windows XP SP3 or later
The agent is to be installed on the same network site as the monitored server to optimise bandwidth use
Two agents can be installed on two member servers in case one agent or a single domain controller fails.
The agent can be installed on a domain controller, though this is not recommended best practice.
Selecting Users and Groups for a Security Policy
any – matches any value for user
pre-login – Used with certain GlobalProtect implementations
known-user – Matches any user or group identified by User-ID
unknown – Matches traffic where the user could not be identified by User-ID methods
select – Matches a specific user or group identified by User-ID
For larger enterprise, it is best to set policy rules by groups rather than users.