Palo Altro EDU-110: User-ID


Describe the four main components of User-ID

Describe the differences between the integrated agent and the Windows-based agent

Define the methods to map IP addresses to users

Configure the PAN-OS integrated agent to ocnnect to monitored servers

Configure the Windows-based agent to probe IP addresses for username information

User-ID’s Purpose

The purpose of User-ID is to identify the user on the network and the IP addresses of the computers the user is logged in too.

User-ID can retrieve information from a connected LDAP directory server.

The goal of User-ID is to give the ability to write policies, display logs, and display reports using usernames rather than just numercial IP addresses and port numbers.

Usernames and group names can be used as matching criteria in Authentication policies, Decryption policies, DoS protection policies, Policy Based Forwarding policies, QoS policies, Security Policies, and Tunnel Inspection Policies.

User-ID Main Functions

Before user and group based policy rules can be created, the firewall requires a list of all users and their group mappings.

The firewall uses group mapping and user mapping to collect the information required.

Group Mapping is learned from group names and member users from a LDAP directory server.

User Mapping includes several different methods to collect IP address-to-username information.

The user mapping can be chosen by the administrator to suit different needs and environments. Different methods can be used at different sites.

User-ID Components

Palo Alto Networks Fireewall

  • Maps IP addresses to usernames
  • Maps usernames to group names

PAN-OS Integrated User-ID Agent

  • Runs on the firewall
  • Collects IP address to username information

Windows-based User-ID Agent

  • Runs on a domain member
  • Collects IP address-to-username information
  • Sends information to the firewall

Palo Alto Networks Terminal Services Agent

  • Runs on Micorsoft and Citrix terminal servers
  • Collects IP and port nubmer to username information
  • Sends information to the firewall

Forms of User-ID Agent

CapabilityPAN-OS Integrated AgentWindows-Based agent
Included with PAN-OS softwareYesNo
Available for download from Palo Alto Networks and can be installed on one or more Windows SystemsNoYes
A firewall can communicate with both agent types at the same timeYesYes
Can monitor up to 100 domain controllers or Exchange serversYesYes
Can monitor users and domain controllers only from a single Active Directory, or AD, domainYesYes
Designed for small and midsize deploymentsYesNo
Can handle larger environments or multiforest domainsNoYes

Integrated Agent verues Windows Based Agent

The Windows based agent and the PAN-OS integrated perform the same basic tasks, but use different underlying communication protocols.

The Windows based agent uses MS-RPC, which requires full Windows Security logs to be sent to the agent, where they are filtererd for relevant User-ID information. This agent is best for reading local logs.

The Pan-OS integrated agent users either the Windows Management Instrumentation (WMI) or the Windows Remote Management Protocol (WinRM), which allows the agent to retrieve only the relevant User-ID information from the security logs. This agent is best for reading remote logs.

In summary, use an integrated agent for remote sites, or install a Windows-based agent at the local site.

User Mapping Methods

User Authentication

  • GlobalProtect – Login Events
  • Captive Portal – Web Forms


  • Aruba/ClearPass
  • User/Group Mapping
  • Devices that can format and send XML over HTTP

Syslog Listening

  • Third Party WLAN controller
  • Third Party Proxy
  • Third Party VPN
  • Network access control systems
  • 802.1x devices

Port Mapping

  • Terminal Services Agent
  • Microsoft Remote Desktop Services
  • Citrix Presentation Server
  • Citrix XenApp

XFF Headers

  • Third Party Proxy

Server Monitoring

  • eDirectory – Login or logout events in authentication logs
  • Microsoft Exchange – Login or logout events in authentication logs
  • Microsoft Active Directory – Login or logout events in authentication logs

Session tables are also read to confirm known IP address to username mappings based on current Windosws file and printer shares

Client Probing

  • Windows Clients

User Mapping Using Global Protect

Every GlobalProtect user is required to enter their login credentials to access to the VPN

GlobalProtect can directly add the username to the firewalls User-ID mapping table

GlobalProtect is listed as the best solution for high security enviroments

User-ID information can be provided by clients that are conneted to an internal network via an internal Global Protect gateway without establishing a VPN tunnel to the firewall.

User-ID Syslog Monitoring

Syslog monitoring may be a good fit where existing network services exist that authenticate users. These services could include 802.1x devices, Wireless controllers, Apple Open Directory serves, proxy servers and other related services.

These services can be configured to send syslog messages that contain information about login and logout events, and configure the User-ID agent to parse those messages.

The integrated and Windows based agents can retrieve these syslog messages. Syslog Parse Profiles are used to parse syslog messages. With environments with different services with varying messages, custom Syslog Parse Profiles can be set up to pick up on login and logout events. If the Pan-OS integrated User-ID agent is used, Palo Alto provide predefined Syslog Parse Profiles through Application content updates.

The User-ID agent can parse for login events to map IP addresses to usernames and parse for logout events so the firewall deletes outdated mappings. Deletion of outdated mappings is useful were IP address assignments are changed often.

User-ID Operation Overview: Domain Controllers

Before User-ID can operate, it must be enabled on the relevant security zone.

If User-ID is enabled, the firewall consults the administrator-defined User-ID configuiration to determine which agents the firewall has available to gather IP address and username information.

Once User-ID has retrived the IP address and username information from an agent, it can use the firewalls LDAP configuration to retrieve user to group mapping information from a LDAP server.

With the information requirements satisified, the security policy can be checked for a match.

In terms of Domain Controllers User-ID, When a user logs into their laptop, which is an Active Directory member, the AD domain controller logs a logon event with the username and IP address of the station.

User-ID Domain Controller Monitoring

Palo Alto recomended passive server monitoring (due to low overheads) allows a User-ID agent to monitor the security logs for user logon or logout events for a Microsoft domain controller.

The AD domain must be configured to log succesful logon events into the security logs.

Users are able to authenticate to any domain controller in a domain, and security logs are not replicated between seperate domain controller servers. Server monitoring needs to be turned on for all controllers to capture all user login events. User-ID agents can monitor multiple domain controllers, but only a single domain.

Step 1 – Parse and record

On startup, the User-ID agent parses the security event logs for user logon events

Step 2 – Check Logs

The User-ID agent checks Security logs on a regular basis for only new logon or logout events

Step 3 – Mappings cached

User mappings are cached for the first time equal to the timeout value set in the User ID agent

User-ID Windows Session Monitoring

Clients thats have a connected shared file/folder or print resource will have their session information stored on a Domain Controller.

This is an additional Windows-based method to resolve IP addresses to users. Consult the shared resource session table recorded on the Domain Controller.

User-ID Mapping Recommendations

UseIf you have…
GlobalProtectGlobalProtect VPN Clients
Captive PortalWeb clients that do not use the domain server
Syslog ListenerNon-windows systems, NAC mechanisms such as wireless controllers, 802.1x devices, or proxy servers
User-ID agent: Session monitoringExchange servers, domain controllers, or eDirectory servers
User-ID agent: Session monitoringWindows file and print shares
Terminal Services agentMulti-user systems such as Microsoft Desktop Services or Citrix Metaframe Presentation Server (XenApp)
User-ID agent: Client probingWindows clients that often change IP addresses
XML APIDevices and applications not integrated with User-ID

Steps for configuring User-ID

  1. Enable User-ID by zone
  2. Configure user mapping methods
  3. Configure group mapping (Optional)
  4. Modify firewall policy rules to use usernames or group names

To enable user-ID by zone, tick the ‘Enable User Identification’ box on the zone settings on the firewall.

By default User-ID tries to map all user from all networks found within a User-ID enabled zone.

The include list can be used to limit the networks that the firewall tries to map IP addresses too.

The exclude list can be used to exclude a subnet of network included in an Include list.

If WMI probing is enabled, by default only private IP address ranges are probed. To probe public addressing ranges, those ranges need to be included in the Include List.

Configuring the PAN-OS Integrated User-ID Agent

  1. On the domain controller, create a service account with the required permissions to run the agent
  2. On the firewall define the address of the servers to be monitored
  3. Add the service account to monitor the servers
  4. Configure session monitoring (optional step)
  5. Configure WMI probing (optional step)
  6. Commit the configuration and verify agent status

Configure the Windows-Based User-ID Agent

  1. On the domain controller, create a service account with the require permissions to run the agent
  2. Select a Windows domain member
  3. Download and install User-ID agent software
  4. Run the User-ID agent installer
  5. Configure the User-ID agent
  6. Configure the firewall to connect to the User-ID agent
  7. Verify connection status

Selecting the Installation Location

The Windows-based agent can be installed on 32 or 64 bit machines running Windows XP SP3 or later

The agent is to be installed on the same network site as the monitored server to optimise bandwidth use

Two agents can be installed on two member servers in case one agent or a single domain controller fails.

The agent can be installed on a domain controller, though this is not recommended best practice.

Selecting Users and Groups for a Security Policy

any – matches any value for user

pre-login – Used with certain GlobalProtect implementations

known-user – Matches any user or group identified by User-ID

unknown – Matches traffic where the user could not be identified by User-ID methods

select – Matches a specific user or group identified by User-ID

For larger enterprise, it is best to set policy rules by groups rather than users.







Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.