PAN-OS
Administrator's
Guide
Version 8.0
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation
firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security
Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or
search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 8.0 release notes, go to
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found
at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: July 11, 2017
User-ID
The user identity, as opposed to an IP address, is an integral component of an effective security
infrastructure. Knowing who is using each of the applications on your network, and who may have
transmitted a threat or is transferring files, can strengthen security policies and reduce incident response
times. User-ID, a standard feature on the Palo Alto Networks firewall, enables you to leverage user
information stored in a wide range of repositories. The following topics provide more details about User-ID
and how to configure it:
User-ID Overview
User-ID Concepts
Enable User-ID
Map Users to Groups
Map IP Addresses to Users
Enable User- and Group-Based Policy
Enable Policy for Users with Multiple Accounts
Verify the User-ID Configuration
Deploy User-ID in a Large-Scale Network
User-ID Overview
User-ID enables you to identify all users on your network using a variety of techniques to ensure that you
can identify users in all locations using a variety of access methods and operating systems, including
Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX. Knowing who your users are instead
of just their IP addresses enables:
Visibility: Improved visibility into application usage based on users gives you a more relevant picture of
network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar
application on your network. Using either ACC or the log viewer, your security team can discern what the
application is, who the user is, the bandwidth and session consumption, along with the source and
destination of the application traffic, as well as any associated threats.
Policy control: Tying user information to Security policy rules improves safe enablement of applications
traversing the network and ensures that only those users who have a business need for an application
have access. For example, some applications, such as SaaS applications that enable access to Human
Resources services (such as Workday or ServiceNow), must be available to any known user on your
network. However, for more sensitive applications you can reduce your attack surface by ensuring that
only users who need these applications can access them. For example, while IT support personnel may
legitimately need access to remote desktop applications, the majority of your users do not.
Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting based on user
information rather than just IP addresses provides a more complete picture of the incident. For example,
you can use the predefined User/Group Activity report to see a summary of the web activity of individual users
or user groups, or the SaaS Application Usage report to see which users are transferring the most data
over unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets
it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For
example, the User-ID agent monitors server logs for login events and listens for syslog messages from
authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure
Authentication Policy to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping
mechanisms to suit your environment, and even use different mechanisms at different sites to ensure that
you are safely enabling access to applications for all users, in all locations, all the time.
Figure: User-ID
To enable user- and group-based policy enforcement, the firewall requires a list of all available users and
their corresponding group memberships so that you can select groups when defining your policy rules. The
firewall collects Group Mapping information by connecting directly to your LDAP directory server, or using
XML API integration with your directory server.
See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting
up User-ID.
User-ID does not work in environments where the source IP addresses of users are subject to
NAT translation before the firewall maps the IP addresses to usernames.
User-ID Concepts
Group Mapping
User Mapping
Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the
firewall connects and authenticates to your directory server. The firewall supports a variety of directory
servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The
server profile also defines how the firewall searches the directory to retrieve the list of groups and the
corresponding list of members. If you are using a directory server that is not natively supported by the
firewall, you can integrate the group mapping function using the XML API. You can then create a group
mapping configuration to Map Users to Groups and Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration
because you don't have to update the rules whenever new users are added to a group. When configuring
group mapping, you can limit which groups will be available in policy rules. You can specify groups that
already exist in your directory service or define custom groups based on LDAP filters. Defining custom
groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't
require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter
to the custom group. For example, you might want a security policy that allows contractors in the Marketing
Department to access social networking sites. If no Active Directory group exists for that department, you
can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to
Marketing. Log queries and reports that are based on user groups will include custom groups.
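The following is an added illustration of how a custom group is derived from an LDAP filter; it is not code from this guide or from Palo Alto Networks. It evaluates a small subset of RFC 4515 filter syntax (AND, OR, NOT, equality, and presence) against constructed directory entries. The sample accounts, the employeeType attribute used to single out contractors, and the filter strings are assumptions made for the example; the Department filter itself is the one the text above describes.

```python
"""Build a User-ID style custom group from an LDAP search filter.
Added illustration, not Palo Alto Networks code. Supported filter subset:
(&...), (|...), (!...), (attr=value) and presence (attr=*). Attribute
names and values compare case-insensitively, which matches the default
matching rules Active Directory applies to these attributes."""

import re


def _parse(filt, pos=0):
    """Recursive-descent parser. Returns (node, next_pos). Node shapes:
    ('and'|'or', [nodes]), ('not', node), ('eq', attr, value), ('present', attr)."""
    if filt[pos] != '(':
        raise ValueError(f"expected '(' at position {pos}")
    pos += 1
    op = filt[pos]
    if op in '&|':
        pos += 1
        children = []
        while filt[pos] != ')':
            child, pos = _parse(filt, pos)
            children.append(child)
        return ('and' if op == '&' else 'or', children), pos + 1
    if op == '!':
        child, pos = _parse(filt, pos + 1)
        if filt[pos] != ')':
            raise ValueError("unterminated NOT filter")
        return ('not', child), pos + 1
    end = filt.index(')', pos)
    m = re.fullmatch(r'([A-Za-z][\w.-]*)=(.*)', filt[pos:end])
    if not m:
        raise ValueError(f"bad simple filter: {filt[pos:end]!r}")
    attr, value = m.group(1).lower(), m.group(2)
    node = ('present', attr) if value == '*' else ('eq', attr, value)
    return node, end + 1


def parse_filter(filt):
    text = filt.strip()
    node, end = _parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """entry: dict of lower-case attribute name -> list of string values."""
    kind = node[0]
    if kind == 'and':
        return all(matches(c, entry) for c in node[1])
    if kind == 'or':
        return any(matches(c, entry) for c in node[1])
    if kind == 'not':
        return not matches(node[1], entry)
    if kind == 'present':
        return bool(entry.get(node[1]))
    attr, value = node[1], node[2]
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def custom_group_members(filt, entries, name_attr='samaccountname'):
    """Return the sorted account names of every entry the filter matches."""
    node = parse_filter(filt)
    return sorted(e[name_attr][0] for e in entries if matches(node, e))


# Constructed directory entries (assumption: employeeType distinguishes
# contractors; the service account deliberately has no department).
DIRECTORY = [
    {'samaccountname': ['jdoe'], 'objectclass': ['top', 'person', 'user'],
     'department': ['Marketing'], 'employeetype': ['Contractor']},
    {'samaccountname': ['asmith'], 'objectclass': ['top', 'person', 'user'],
     'department': ['Marketing'], 'employeetype': ['Employee']},
    {'samaccountname': ['bwayne'], 'objectclass': ['top', 'person', 'user'],
     'department': ['Engineering'], 'employeetype': ['Contractor']},
    {'samaccountname': ['svc-userid'], 'objectclass': ['top', 'person', 'user'],
     'employeetype': ['Service']},
]

# The filter from the text: everyone whose Department attribute is Marketing.
MARKETING_FILTER = '(&(objectClass=user)(department=Marketing))'
# Narrower custom group: Marketing contractors only (employeeType is assumed).
CONTRACTOR_FILTER = '(&(objectClass=user)(department=Marketing)(employeeType=Contractor))'

if __name__ == '__main__':
    print('Marketing:', custom_group_members(MARKETING_FILTER, DIRECTORY))
    print('Marketing contractors:', custom_group_members(CONTRACTOR_FILTER, DIRECTORY))
```

Because the group is computed from the filter at mapping time, an account picks up or loses membership as soon as its directory attributes change, with no change to the firewall rule; the flip side is that whoever can edit the Department attribute effectively controls membership, so the attributes you filter on should be ones the directory administrators protect.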
User Mapping
Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP
addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates
the different methods that are used to identify users and groups on your network and shows how user
mapping and group mapping work together to enable user- and group-based security enforcement and
visibility. The following topics describe the different methods of user mapping:
Server Monitoring
Port Mapping
Syslog
XFF Headers
Authentication Policy and Captive Portal
GlobalProtect
XML API
Client Probing
Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your
network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs
for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events.
For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for
Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service
connections. Note that for these events to be recorded in the security log, the AD domain must be
configured to log successful account login events. In addition, because users can log in to any of the servers
in the domain, you must set up server monitoring for all servers to capture all user login events. See
Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS
Integrated User-ID Agent for details.
Port Mapping
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many
users share the same IP address. In this case, the user-to-IP-address mapping process requires knowledge of
the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks
Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of
source ports to the various user processes. For terminal servers that do not support the Terminal Services
agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login
and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration
details.
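The following is an added illustration of the port-mapping idea, not the Terminal Services agent's own code or its protocol to the firewall. It keeps, per terminal-server IP address, a sorted list of source-port blocks assigned to users, refuses overlapping blocks, and answers the question the firewall has to answer for every session from such a host: which user owns this (source IP, source port)? The server address, the block size, and the two sessions are constructed for the example.

```python
"""Map (source IP, source port) to a user on a shared-IP terminal server.
Added illustration, not Palo Alto Networks code. Port blocks and sample
users are constructed; block boundaries are an assumption of the example."""

import bisect
from dataclasses import dataclass, field


@dataclass
class PortMapTable:
    # per terminal-server IP: sorted list of (start_port, end_port, username)
    blocks: dict = field(default_factory=dict)

    def allocate(self, server_ip, username, start, end):
        """Assign the port range [start, end] on server_ip to username.
        Overlapping ranges are rejected: an overlap would let one user's
        traffic be attributed to another user."""
        if not (0 < start <= end <= 65535):
            raise ValueError("invalid port range")
        ranges = self.blocks.setdefault(server_ip, [])
        i = bisect.bisect_left(ranges, (start, 0, ''))
        # Only the block before the insertion point and the one at it can overlap.
        for j in (i - 1, i):
            if 0 <= j < len(ranges):
                s, e, _ = ranges[j]
                if s <= end and start <= e:
                    raise ValueError(f"range {start}-{end} overlaps {s}-{e}")
        ranges.insert(i, (start, end, username))

    def release(self, server_ip, username):
        """Drop every block owned by username (the user logged out)."""
        ranges = self.blocks.get(server_ip, [])
        self.blocks[server_ip] = [r for r in ranges if r[2] != username]

    def lookup(self, src_ip, src_port):
        """Return the user owning src_port on src_ip, or None if unmapped."""
        ranges = self.blocks.get(src_ip)
        if not ranges:
            return None
        # Last block whose start is <= src_port; then confirm containment.
        i = bisect.bisect_right(ranges, (src_port, 65536, '')) - 1
        if i >= 0:
            s, e, user = ranges[i]
            if s <= src_port <= e:
                return user
        return None


def demo():
    """Two users logged in to one constructed terminal server."""
    table = PortMapTable()
    ts = '10.1.1.50'  # constructed terminal-server address
    table.allocate(ts, 'acme\\jdoe', 20000, 20199)
    table.allocate(ts, 'acme\\asmith', 20200, 20399)
    return table


if __name__ == '__main__':
    t = demo()
    print(t.lookup('10.1.1.50', 20005), t.lookup('10.1.1.50', 20300))
```

A session from the server's address on a port outside every allocated block yields no user, which is the safe outcome: a rule that requires a known user then does not match, rather than the session being attributed to whichever user happened to be mapped to the address.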
XFF Headers
User-ID can read the IPv4 or IPv6 addresses of users from the X-Forwarded-For (XFF) header in HTTP client
requests when the firewall is deployed between the Internet and a proxy server that would otherwise hide
the user IP addresses. User-ID matches the true user IP addresses with usernames. See Configure the
firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.
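The following is an added illustration, not the firewall's implementation, of the one decision that matters when a user IP address is taken from an XFF header: the header is only believed when the request arrives from a proxy you operate, and the chain is read from the hop nearest the firewall backwards, because any client can write arbitrary values into the left-hand part of the header. The proxy networks and the sample requests are constructed.

```python
"""Recover the client address from X-Forwarded-For, trusting only known proxies.
Added illustration, not PAN-OS code. TRUSTED_PROXIES and the sample
requests are constructed for the example."""

import ipaddress

# Constructed: the proxies that sit between the firewall and the clients.
TRUSTED_PROXIES = [ipaddress.ip_network('10.10.0.0/24'),
                   ipaddress.ip_network('2001:db8:10::/64')]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(peer_ip, xff_header):
    """peer_ip: the address the request actually arrived from.
    xff_header: the X-Forwarded-For value, or None if absent.
    Returns the address to map to a user, or None when it cannot be
    determined safely.

    - If the peer is not a trusted proxy, the peer itself is the client and
      any XFF header it sent is ignored (a client can forge one).
    - Otherwise walk the XFF chain from the right (the hop closest to us)
      leftwards, skipping trusted proxies; the first untrusted hop is the
      client. Entries further left were supplied by the client or by
      proxies we do not control, so they are never used."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return str(peer)
    hops = []
    for raw in (xff_header or '').split(','):
        raw = raw.strip()
        if not raw:
            continue
        try:
            hops.append(ipaddress.ip_address(raw))
        except ValueError:
            return None  # malformed chain: do not guess a user mapping
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return str(hop)
    return None  # header missing or every hop is one of our proxies


if __name__ == '__main__':
    # Constructed request: client 203.0.113.7 behind proxy 10.10.0.5, with a
    # forged left-most entry added by the client.
    print(client_ip_from_xff('10.10.0.5', '198.51.100.9, 203.0.113.7'))
```

If the function returns None, the right outcome is an unmapped session (the firewall has no user for it), not a mapping to the proxy's own address; mapping the proxy would attribute every user behind it to whoever last authenticated.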
Authentication Policy and Captive Portal
In some cases, the User-ID agent can't map an IP address to a username using server monitoring or other
methods (for example, if the user isn't logged in or uses an operating system such as Linux that your domain
servers don't support). In other cases, you might want users to authenticate when accessing sensitive
applications regardless of which methods the User-ID agent uses to perform user mapping. For all these
cases, you can Configure Authentication Policy and Map IP Addresses to Usernames Using
Captive Portal. Any web traffic (HTTP or HTTPS) that matches an Authentication policy rule prompts the
user to authenticate through Captive Portal. You can use the following Captive Portal Authentication
Methods:
Browser challenge: Use Kerberos single sign-on (recommended) or NT LAN Manager (NTLM)
authentication if you want to reduce the number of login prompts that users must respond to.
Web form: Use Multi-Factor Authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP,
or Local Authentication.
Client Certificate Authentication.
Syslog
Your environment might have existing network services that authenticate users. These services include
wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other Network
Access Control (NAC) mechanisms. You can configure these services to send syslog messages that contain
information about login and logout events and configure the User-ID agent to parse those messages. The
User-ID agent parses for login events to map IP addresses to usernames and parses for logout events to
delete outdated mappings. Deleting outdated mappings is particularly useful in environments where IP
address assignments change often.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID agent use Syslog Parse profiles to
parse syslog messages. In environments where services send the messages in different formats, you can
create a custom profile for each format and associate multiple profiles with each syslog sender. If you use
the PAN-OS integrated User-ID agent, you can also use predefined Syslog Parse profiles that Palo Alto
Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
Each message must be a single-line text string. The allowed delimiters for line breaks are a newline (\n)
or a carriage return plus a newline (\r\n).
The maximum size for individual messages is 2,048 bytes.
Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple
packets. A single packet might contain multiple messages.
See Configure User-ID to Monitor Syslog Senders for User Mapping for configuration details.
Figure: User-ID Integration with Syslog
GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall
directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the
user to enter login credentials for VPN access to the firewall. This login information is then added to the
User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because
GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping
is explicitly known. This is the best solution in sensitive environments where you must be certain of who a
user is in order to allow access to an application or service. For more information on setting up GlobalProtect,
refer to the GlobalProtect Administrator's Guide.
XML API
Captive Portal and the other standard user mapping methods might not work for certain types of user access.
For example, the standard methods cannot add mappings of users connecting from a third-party VPN
solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS
XML API to capture login events and send them to the PAN-OS integrated User-ID agent. See Send User
Mappings to User-ID Using the XML API for details.
Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using
Windows Management Instrumentation (WMI) and/or NetBIOS probing at regular intervals to verify that an
existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped.
NetBIOS probing is only supported on the Windows-based User-ID agent; it is not supported on the PAN-OS
integrated User-ID agent.
Client probing was designed for legacy networks where most users were on Windows workstations on the
internal network, but is not ideal for today's more modern networks that support a roaming and mobile user
base on a variety of devices and operating systems. Additionally, client probing can generate a large amount
of network traffic (based on the total number of mapped IP addresses) and can pose a security threat when
misconfigured. Therefore, client probing is no longer a recommended method for user mapping. Instead,
collect user mapping information from more isolated and trusted sources, such as domain controllers and
through integrations with Syslog or the XML API, which allow you to safely capture user mapping
information from any device type or operating system. If you have sensitive applications that require you to
know exactly who a user is, configure Authentication Policy and Captive Portal to ensure that you are only
allowing access to authorized users.
Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining
User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event
logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling
WMI probing.
If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the
agent to send WMI probes containing sensitive information such as the username, domain name, and password
hash of the User-ID agent service account outside of your network. This information could potentially be
exploited by an attacker to penetrate the network to gain further access.
If you do choose to enable probing in your trusted zones, the agent will probe each learned IP address
periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged
in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the
address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the
PAN-OS Integrated User-ID Agent for details.
Enable User-ID
The user identity, as opposed to an IP address, is an integral component of an effective security
infrastructure. Knowing who is using each of the applications on your network, and who may have
transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response
times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility,
user- and group-based policy control, and improved logging, reporting, and forensics:
Configure User-ID
Map Users to Groups
Defining policy rules based on user group membership rather than individual users simplifies administration
because you don't have to update the rules whenever group membership changes. The number of distinct
user groups that each firewall or Panorama can reference across all policies varies by model:
VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls:
1,000 groups
VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all
Panorama models: 10,000 groups
Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group
Mapping information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
If you have a single domain, you need only one group mapping configuration with an LDAP server profile
that connects the firewall to the domain controller with the best connectivity. You can add up to four
domain controllers to the LDAP server profile for fault tolerance. Note that you cannot increase
redundancy beyond four domain controllers for a single domain by adding multiple group mapping
configurations for that domain.
If you have multiple domains and/or multiple forests, you must create a group mapping configuration
with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take
steps to ensure unique usernames in separate forests.
If you have Universal Groups, create an LDAP server profile to connect to the Global Catalog server.
Map Users to Groups
Step 2: Configure the server settings in a group mapping configuration.
1. Select Device > User Identification > Group Mapping Settings.
2. Add the group mapping configuration.
3. Enter a unique Name to identify the group mapping configuration.
4. Select the LDAP Server Profile you just created.
5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain
   names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the
   firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section,
   enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section,
   enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
8. (Optional) To match User-ID information with email header information identified in the links and
   attachments of emails forwarded to WildFire, enter the list of email domains (Domain List) in your
   organization. Use commas to separate multiple domains (up to 256 characters).
   After you click OK (later in this procedure), PAN-OS automatically populates the Mail Attributes based
   on the type of LDAP server specified in the Server Profile. When a match occurs, the username in the
   WildFire log email header section will contain a link that opens the ACC tab, filtered by user or
   user group.
9. Make sure the group mapping configuration is Enabled (default is enabled).
Map IP Addresses to Users
User-ID provides many different methods for mapping IP addresses to usernames. Before you begin
configuring user mapping, consider where your users are logging in from, what services they are accessing,
and what applications and data you need to control access to. This will inform which types of agents or
integrations would best allow you to identify your users. For guidance, refer to Architecting User
Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following
methods as needed to enable user-based access and visibility to applications and resources:
To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or
Windows clients, you must configure a User-ID agent:
Configure User Mapping Using the PAN-OS Integrated User-ID Agent
Configure User Mapping Using the Windows User-ID Agent
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal
Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal
Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
To obtain user mappings from existing network services that authenticate users (such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access
Control (NAC) mechanisms), Configure User-ID to Monitor Syslog Senders for User Mapping.
While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on
the firewall to listen for authentication syslog messages from the network services, because only
the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
If you have users with client systems that aren't logged in to your domain servers (for example, users
running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using
Captive Portal. Using Captive Portal in conjunction with Authentication Policy also ensures that all users
authenticate to access your most sensitive applications and data.
For other clients that you can't map using the other methods, you can Send User Mappings to User-ID
Using the XML API.
A large-scale network can have hundreds of information sources that firewalls query for user and group
mapping and can have numerous firewalls that enforce policies based on the mapping information. You
can simplify User-ID administration for such a network by aggregating the mapping information before
the User-ID agents collect it. You can also reduce the resources that the firewalls and information
sources use in the querying process by configuring some firewalls to redistribute the mapping
information. For details, see Deploy User-ID in a Large-Scale Network.
Create a Dedicated Service Account for the User-ID Agent
If you plan to use either the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map
users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients,
you must create a dedicated service account for the User-ID agent on a domain controller in each domain
that the agent will monitor.
The required permissions for the service account depend on what user mapping methods and settings you
plan to use. To reduce the risk associated with compromise of the User-ID service account, always configure
the account with the minimum set of permissions necessary for the agent to function properly.
User-ID provides many methods for safely collecting user mapping information. Some of the legacy features,
which were designed for environments that only required mapping of users on Windows desktops attached to
the local network, require privileged service accounts. In the event that the privileged service account is
compromised, this would open your network to attack. As a best practice, avoid using these legacy features (such
as client probing, NTLM authentication, and session monitoring) that require privileges that would pose a threat
if compromised. The following workflow details all privileges required and provides guidance as to which User-ID
features require privileges that could pose a threat so that you can decide how to best identify users without
compromising your overall security posture.
Create a Dedicated Service Account for the User-ID Agent
Configure User Mapping Using the Windows User-ID Agent
In most cases, the majority of your network users will have logins to your monitored domain services. For
these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the
IP address-to-username mapping. The way you configure the User-ID agent depends on the size of your
environment and the location of your domain servers. As a best practice, locate your User-ID agents near
the servers they will monitor (that is, the monitored servers and the Windows User-ID agent should not be
across a WAN link from each other). This is because most of the traffic for user mapping occurs between the
agent and the monitored server, with only a small amount of traffic (the delta of user mappings since the
last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the
firewall to retrieve user mapping information from the agent:
Install the Windows-Based User-ID Agent
Configure the Windows-Based User-ID Agent for User Mapping
Install the Windows-Based User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set
up the service account with the required permissions. If you are upgrading, the installer will automatically
remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent
and for information on supported server OS versions, refer to the Palo Alto Networks
Compatibility Matrix.
Install the Windows User-ID Agent
Step 9: Configure Credential Detection with the Windows-based User-ID Agent.
To use the Windows-based User-ID agent to detect credential submissions and Prevent Credential Phishing,
you must install the User-ID credential service on the Windows-based User-ID agent. You can only install this
add-on on a read-only domain controller (RODC).
Configure the Windows-Based User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for
example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and
monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo
Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling
visibility into user activity by username rather than IP address and enabling user- and group-based security
enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating
System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
MAP IP ADDRESSES TO USERS USING THE WINDOWS-BASED USER-ID AGENT
Configure User Mapping Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for
IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the
Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
Map IP Addresses to Users Using the Integrated User-ID Agent
Configure User-ID to Monitor Syslog Senders for User Mapping
To obtain IP address-to-username mappings from existing network services that authenticate users, you can
configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent to parse Syslog messages
from those services. To keep user mappings up to date, you can also configure the User-ID agent to parse
syslog messages for logout events so that the firewall automatically deletes outdated mappings.
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
Configure the Windows User-ID Agent as a Syslog Listener
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
To configure the PAN-OS integrated User-ID agent to create new user mappings and remove outdated
mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the
profiles to find login and logout events in syslog messages. In environments where syslog senders (the
network services that authenticate users) deliver syslog messages in different formats, configure a profile for
each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see
Syslog). This procedure uses examples with the following formats:
Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution
when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to
verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific
source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized
syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if
you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to
prevent untrusted hosts from sending UDP traffic to the firewall.
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
4. Click OK twice to save the profile.
6. Click OK twice to save the profile.
Configure the Windows User-ID Agent as a Syslog Listener
To configure the Windows-based User-ID agent to create new user mappings and remove outdated
mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the
profiles to find login and logout events in syslog messages. In environments where syslog senders (the
network services that authenticate users) deliver syslog messages in different formats, configure a profile for
each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see
Syslog). This procedure uses examples with the following formats:
Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent monitors.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use
caution when using UDP to receive syslog messages because it is an unreliable protocol and as
such there is no way to verify that a message was sent from a trusted syslog sender. Although you
can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP
address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a
best practice, use TCP instead of UDP. In either case, make sure that the syslog sender and client
are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the
User-ID agent.
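The following is an added illustration, not code from this guide or from either User-ID agent, of what a Syslog Parse profile has to do with the login format shown in the two listener procedures above, together with the message criteria listed under Syslog in the concepts section: split a datagram on \n or \r\n, drop any message over 2,048 bytes, identify the event with one regular expression and pull the username and address out with two more, then add or delete the mapping. The profile structure and its field names are this example's own, the logout line is constructed because the page shows only the login format, and the second login message is constructed too.

```python
"""Parse login/logout syslog messages into IP-address-to-username mappings.
Added illustration, not Palo Alto Networks code. The profile layout, the
logout message format and the second login message are constructed."""

import re
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 2048  # per-message limit stated in the guide


@dataclass(frozen=True)
class SyslogParseProfile:
    """One profile per syslog format (field names are this example's own)."""
    name: str
    event_regex: str      # marks the message as a login or logout event
    username_regex: str   # group 1 captures the user name
    address_regex: str    # group 1 captures the IP address
    kind: str             # 'login' or 'logout'


IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'

# Matches the login format quoted in the procedure above.
LOGIN_PROFILE = SyslogParseProfile(
    name='example-login', event_regex=r'authentication success',
    username_regex=r'User:(\S+)', address_regex=r'Source:' + IPV4, kind='login')

# Constructed logout format for the same sender.
LOGOUT_PROFILE = SyslogParseProfile(
    name='example-logout', event_regex=r'\blogout\b',
    username_regex=r'User:(\S+)', address_regex=r'Source:' + IPV4, kind='logout')


def split_packet(data: bytes):
    """Split one UDP datagram (or a TCP/SSL stream chunk) into messages.
    Line breaks may be \\n or \\r\\n and one packet may carry several
    messages. Oversized messages are dropped, not truncated, so a partial
    line can never be mistaken for a well-formed event."""
    out = []
    for line in data.replace(b'\r\n', b'\n').split(b'\n'):
        if line and len(line) <= MAX_MESSAGE_BYTES:
            out.append(line.decode('utf-8', errors='replace'))
    return out


def parse_message(msg, profiles):
    """Return (kind, username, ip) for the first profile that matches, else None."""
    for p in profiles:
        if not re.search(p.event_regex, msg):
            continue
        u = re.search(p.username_regex, msg)
        a = re.search(p.address_regex, msg)
        if u and a:
            return (p.kind, u.group(1), a.group(1))
    return None


class UserMappingTable:
    def __init__(self):
        self.by_ip = {}

    def apply(self, event):
        kind, user, ip = event
        if kind == 'login':
            self.by_ip[ip] = user
        elif kind == 'logout' and self.by_ip.get(ip) == user:
            # Only remove a mapping the logging-out user still owns; a stale
            # logout must not evict whoever logged in to that address later.
            del self.by_ip[ip]


def ingest(table, data, profiles=(LOGIN_PROFILE, LOGOUT_PROFILE)):
    """Feed one packet through the profiles; returns the events applied."""
    events = []
    for msg in split_packet(data):
        ev = parse_message(msg, profiles)
        if ev:
            table.apply(ev)
            events.append(ev)
    return events


# Constructed: two messages in one datagram, CRLF-delimited.
SAMPLE_PACKET = (
    b'[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212\r\n'
    b'[Tue Jul 5 13:15:09 2016 CDT] Administrator authentication success User:asmith Source:192.168.3.77\r\n'
)
SAMPLE_LOGOUT = b'[Tue Jul 5 17:02:11 2016 CDT] Administrator logout User:johndoe1 Source:192.168.3.212\n'

if __name__ == '__main__':
    table = UserMappingTable()
    ingest(table, SAMPLE_PACKET)
    ingest(table, SAMPLE_LOGOUT)
    print(table.by_ip)
```

The ownership check in the logout branch is the detail worth carrying into any real parser: over UDP, where the sender cannot be verified, an injected logout for a user who has already been replaced at that address would otherwise delete a correct mapping, and an injected login is exactly why the procedures above insist on SSL or TCP on a dedicated network.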
Configure the Windows-Based User-ID Agent to Collect User Mappings from Syslog Senders
4. Click OK twice to save the profile.
6. Click OK twice to save the profile.
Map IP Addresses to Usernames Using Captive Portal
When a user initiates web traffic (HTTP or HTTPS) that matches an Authentication Policy rule, the firewall
prompts the user to authenticate through Captive Portal. This ensures that you know exactly who is
accessing your most sensitive applications and data. Based on user information collected during
authentication, the firewall creates a new IP address-to-username mapping or updates the existing mapping
for that user. This method of user mapping is useful in environments where the firewall cannot learn
mappings through other methods such as monitoring servers. For example, you might have users who are
not logged in to your monitored domain servers, such as users on Linux clients.
Captive Portal Authentication Methods
Captive Portal Modes
Configure Captive Portal
Captive Portal Authentication Methods
Captive Portal uses the following methods to authenticate users whose web requests match Authentication
Policy rules:
Kerberos SSO: The firewall uses Kerberos single sign-on (SSO) to transparently obtain user
credentials from the browser. To use this method, your network requires a Kerberos infrastructure,
including a key distribution center (KDC) with an authentication server and ticket granting service. The
firewall must have a Kerberos account.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication.
If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client
certificate authentication, depending on your Authentication policy and Captive Portal configuration.
Kerberos SSO is preferable to NTLM authentication. Kerberos is a stronger, more robust
authentication method than NTLM and it does not require the firewall to have an administrative
account to join the domain.
NT LAN Manager (NTLM): The firewall uses an encrypted challenge-response mechanism to obtain the
user credentials from the browser. When configured properly, the browser will transparently provide the
credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller
where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to
NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall
falls back to web form or client certificate authentication, depending on your Authentication policy and
Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google
Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.
Web Form: The firewall redirects web requests to a web form for authentication. For this method, you
can configure Authentication policy to use Multi-Factor Authentication (MFA), SAML, Kerberos,
TACACS+, RADIUS, or LDAP authentication. Although users have to manually enter their login
credentials, this method works with all browsers and operating systems.
Client Certificate Authentication: The firewall prompts the browser to present a valid client certificate to
authenticate the user. To use this method, you must provision client certificates on each user system and
install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.
Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode / Description

Transparent
    The firewall intercepts the browser traffic per the Authentication policy rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, use this mode only when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Redirect
    The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
    If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites. Redirect mode is also required if you use Multi-Factor Authentication to authenticate Captive Portal users.
Configure Captive Portal

The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests that match an Authentication policy rule to a firewall interface (redirect host). Based on their sensitivity, the applications that users access through Captive Portal require different authentication methods and settings. To accommodate all authentication requirements, you can use default and custom authentication enforcement objects. Each object associates an Authentication rule with an authentication profile and a Captive Portal authentication method.

Default authentication enforcement objects: Use the default objects if you want to associate multiple Authentication rules with the same global authentication profile. You must configure this authentication profile before configuring Captive Portal, and then assign it in the Captive Portal Settings. For Authentication rules that require Multi-Factor Authentication (MFA), you cannot use default authentication enforcement objects.

Custom authentication enforcement objects: Use a custom object for each Authentication rule that requires an authentication profile that differs from the global profile. Custom objects are mandatory for Authentication rules that require MFA. To use custom objects, create authentication profiles and assign them to the objects after configuring Captive Portal, when you Configure Authentication Policy.

Keep in mind that authentication profiles are necessary only if users authenticate through a Captive Portal Web Form, Kerberos SSO, or NT LAN Manager (NTLM). Alternatively, or in addition to these methods, the following procedure also describes how to implement Client Certificate Authentication.

If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.
Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 6: Configure the Captive Portal settings.
1. Select Device > User Identification > Captive Portal Settings and edit the settings.
2. Enable Captive Portal (default is enabled).
3. Specify the Timer, which is the maximum time in minutes that the firewall retains an IP address-to-username mapping for a user after that user authenticates through Captive Portal (default is 60; range is 1 to 1,440). After the Timer expires, the firewall removes the mapping and any associated Authentication Timestamps used to evaluate the Timeout in Authentication policy rules.
   When evaluating the Captive Portal Timer and the Timeout value in each Authentication policy rule, the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authenticating, the firewall resets the time count for the Captive Portal Timer and records new authentication timestamps for the user. Therefore, to enable different Timeout periods for different Authentication rules, set the Captive Portal Timer to a value the same as or higher than any rule Timeout; a Timer shorter than a rule's Timeout silently caps that Timeout.
4. Select the SSL/TLS Service Profile you created for redirect requests over TLS. See Configure an SSL/TLS Service Profile.
5. Select the Mode (in this example, Redirect).
6. (Redirect mode only) Specify the Redirect Host, which is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which web requests are redirected. Browsers treat a single-label hostname as an intranet site and therefore release Kerberos or NTLM credentials to it automatically.
   If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab.
7. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
   - To use client certificate authentication, select the Certificate Profile you created.
   - To use global settings for interactive or SSO authentication, select the Authentication Profile you configured.
   - To use Authentication policy rule-specific settings for interactive or SSO authentication, assign authentication profiles to authentication enforcement objects when you Configure Authentication Policy.
8. Click OK and Commit the Captive Portal configuration.
Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address, and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.

The following sections describe how to configure user mapping for terminal server users:

Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.

For information about the terminal servers that the TS agent supports, refer to the Palo Alto Networks Compatibility Matrix.
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command-line utilities such as cURL or using any scripting or application framework that supports RESTful services.

To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them as input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:

<multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.

<blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.

The XML files that the terminal server sends to the firewall can contain multiple message types, and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.

The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.
Use the PAN-OS XML API to Map Non-Windows Terminal Services Users

The API is available to all administrators (including role-based administrators with XML API privileges enabled). Note: Any special characters in the password must be URL/percent-encoded.

The firewall responds with a message containing the key, for example:
<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>

... the terminal server, and that the mapping is removed when the user logs out or the port allocation changes. Similarly, the scripts you create should also ensure that the iptables NAT configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1
(This deletes the first rule in the nat table's POSTROUTING chain. Deleting by position is fragile once the chain holds rules for several users; in a script, delete by the same rule specification that was used to add the rule.)
Send User Mappings to User-ID Using the XML API

User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the PAN-OS integrated User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command-line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.

To enable an external system to send user mapping information to the PAN-OS integrated User-ID agent, create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.
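The following is an added example that serves both the terminal-server workflow above ("Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API") and the generic login/logout scripts described in this section. It is not code from the PAN-OS guide or from Palo Alto Networks. It builds the <uid-message> document that such a script would submit, and then models, on the firewall side, the behaviour the text describes: default port range and block size when no <multiusersystem> setup was sent, block-end calculation from <blockstart> and block size (13200 with block size 300 maps 13200 through 13499), a user holding several blocks at once, the three <logout> forms, and the fixed processing order (multiusersystem, then logins, then logouts). The element layout (version/type/payload holding multiusersystem, login and logout entries) is the PAN-OS XML API user-id format as the author of this example understands it; the addresses 10.1.1.23 and 10.1.1.24, the usernames and the port numbers are constructed sample data, and the submission URL in the trailing comment is an assumption that is not executed here.

```python
"""Build PAN-OS XML API user-mapping messages and model how the firewall turns
them into IP-address-to-user and IP-address/port/user mappings.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
Sample addresses, usernames and ports are constructed. Nothing here talks to
a firewall.
"""
import xml.etree.ElementTree as ET

# Defaults the firewall applies when no <multiusersystem> setup was received
DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE = 1025, 65534, 200


def build_uid_message(multiusersystem=None, logins=(), logouts=()):
    """Return a <uid-message> document as a string.

    multiusersystem: (ip, startport, endport, blocksize) or None
    logins:  (username, ip, blockstart) tuples; blockstart=None means an
             ordinary single-user host (one IP, one user, no port block)
    logouts: (username or None, ip, blockstart or None) tuples
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if multiusersystem:
        ip, start, end, blocksize = multiusersystem
        ET.SubElement(payload, "multiusersystem", ip=ip, startport=str(start),
                      endport=str(end), blocksize=str(blocksize))
    for tag, entries in (("login", logins), ("logout", logouts)):
        if not entries:
            continue
        parent = ET.SubElement(payload, tag)
        for name, ip, blockstart in entries:
            attrs = {"ip": ip}
            if name is not None:
                attrs["name"] = name
            if blockstart is not None:
                attrs["blockstart"] = str(blockstart)
            ET.SubElement(parent, "entry", attrs)
    return ET.tostring(root, encoding="unicode")


class FirewallMappingTable:
    """Models the firewall's handling of the three message types."""

    def __init__(self):
        self.systems = {}    # ip -> (startport, endport, blocksize)
        self.blocks = {}     # (ip, blockstart) -> (username, blockend)
        self.hosts = {}      # ip -> username, for single-user hosts

    def process(self, xml_text):
        payload = ET.fromstring(xml_text).find("payload")
        # Fixed processing order regardless of element order in the file:
        # multiusersystem setup, then logins, then logouts.
        for m in payload.findall("multiusersystem"):
            self.systems[m.get("ip")] = tuple(
                int(m.get(a)) for a in ("startport", "endport", "blocksize"))
        for e in payload.findall("login/entry"):
            self._login(e.get("name"), e.get("ip"), e.get("blockstart"))
        for e in payload.findall("logout/entry"):
            self._logout(e.get("name"), e.get("ip"), e.get("blockstart"))

    def _login(self, user, ip, blockstart):
        if blockstart is None:
            self.hosts[ip] = user               # plain IP-to-user mapping
            return
        blockstart = int(blockstart)
        # First login from an unknown multi-user system creates it with defaults
        start, end, size = self.systems.setdefault(
            ip, (DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE))
        blockend = blockstart + size - 1        # 13200 + 300 - 1 = 13499
        if blockstart < start or blockend > end:
            raise ValueError(f"{ip}: block {blockstart}-{blockend} outside {start}-{end}")
        self.blocks[(ip, blockstart)] = (user, blockend)   # a user may hold several blocks

    def _logout(self, user, ip, blockstart):
        if blockstart is not None:              # one block only
            self.blocks.pop((ip, int(blockstart)), None)
        elif user is not None:                  # every mapping of that user on that IP
            if self.hosts.get(ip) == user:
                del self.hosts[ip]
            for key in [k for k, v in self.blocks.items() if k[0] == ip and v[0] == user]:
                del self.blocks[key]
        else:                                   # IP only: drop the system and all its mappings
            self.systems.pop(ip, None)
            self.hosts.pop(ip, None)
            for key in [k for k in self.blocks if k[0] == ip]:
                del self.blocks[key]

    def lookup(self, ip, source_port):
        """Username the firewall would attach to a session from ip:source_port."""
        for (mip, bstart), (user, bend) in self.blocks.items():
            if mip == ip and bstart <= source_port <= bend:
                return user
        return self.hosts.get(ip)


if __name__ == "__main__":
    fw = FirewallMappingTable()
    fw.process(build_uid_message(("10.1.1.23", 10000, 19999, 300),
                                 logins=[("acme\\jparker", "10.1.1.23", 13200)]))
    print(fw.lookup("10.1.1.23", 13499))   # acme\jparker
    print(fw.lookup("10.1.1.23", 13500))   # None
    # Submitting the document to a real firewall (assumed URL form, not run here):
    #   curl -k -F "file=@mappings.xml" "https://FIREWALL/api/?type=user-id&key=API_KEY"
```

Treat the API key as a bearer credential: generate it for a dedicated role-based administrator whose role grants only the XML API User-ID privilege, send it only over HTTPS, and keep it out of shell history and world-readable script files.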
Enable User- and Group-Based Policy

After you Enable User-ID, you will be able to configure Security policy that applies to specific users and groups. User-based policy controls can also include application information (including which category and subcategory it belongs in, its underlying technology, or what the application characteristics are). You can define policy rules to safely enable applications based on users or groups of users, in either outbound or inbound directions.

Examples of user-based policies include:
- Enable only the IT department to use tools such as SSH, telnet, and FTP on standard ports.
- Allow the Help Desk Services group to use Slack.
- Allow all users to read Facebook, but block the use of Facebook apps, and restrict posting to employees in marketing.
Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.

For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email.

The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts
Verify the User-ID Configuration

After you configure user and group mapping, enable User-ID in your Security policy, and configure Authentication policy, you should verify that User-ID works properly.

Step 1: Access the firewall CLI.
Deploy User-ID in a Large-Scale Network

A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.

A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).

If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps associated with user responses to authentication challenges. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts for each user even if the firewall that initially grants a user access is not the same firewall that later controls access for that user.
Deploy User-ID for Numerous Mapping Information Sources
Redistribute User Mappings and Authentication Timestamps

Deploy User-ID for Numerous Mapping Information Sources

You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.

Windows Log Forwarding and Global Catalog Servers
Plan a Large-Scale User-ID Deployment
Configure Windows Log Forwarding
Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.

You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.

To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.

The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.
Plan a Large-Scale User-ID Deployment

When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:

Bandwidth required for domain controllers to forward login events to member servers. The bandwidth scales with the login rate (number of logins per minute) of the domain controllers multiplied by the byte size of each login event.
Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.

Whether the following network elements support the required bandwidth:
- Domain controllers: Must support the processing load associated with forwarding the events.
- Member servers: Must support the processing load associated with receiving the events.
- Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.
Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.

Configure Windows Log Forwarding

Step 1: On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
- Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
- Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).

You must forward events to the security logs location on the member servers, not to the default forwarded logs location. To do so, on the Windows Event Collector that is receiving the logs, you must change the log path so that the Forwarded Events are written to the Security logs location.
1. Open Event Viewer on the Windows Event Collector.
2. Right-click the Forwarded Events folder and select Properties.
3. In log path, change the path from %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx to %SystemRoot%\System32\Winevt\Logs\security.evtx.

To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.

Step 2: Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.

Step 3: Configure a group policy to enable Windows Event Forwarding on the domain controllers.
Configure User-ID for Numerous Mapping Information Sources

Step 6: Create a group mapping configuration for each LDAP server profile you created.
1. Select Device > User Identification > Group Mapping Settings.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary; see Map Users to Groups.
   If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.
Redistribute User Mappings and Authentication Timestamps

Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).

You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.

If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate firewall logs, you can use Panorama to manage User-ID redistribution. Leveraging Panorama and your distributed log collection infrastructure is a simpler solution than creating extra connections between firewalls to redistribute User-ID information.

If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps that are generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts across all the firewalls in your network.

Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you don't have to configure redistribution for each information type separately.

Firewall Deployment for User-ID Redistribution
Configure User-ID Redistribution
Firewall Deployment for User-ID Redistribution

To aggregate User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policies for all users in top-layer firewalls and region- or function-specific policies for a subset of users in the corresponding domains served by lower-layer firewalls.

Figure: User-ID and Timestamp Redistribution shows a deployment with three layers of firewalls that redistribute mappings and timestamps from local offices to regional offices and then to a global data center. The data center firewall that aggregates all the information shares it with other data center firewalls so that they can all enforce policy and generate reports for users across your entire network. Only the bottom-layer firewalls use User-ID agents to query the directory servers.

The information sources that the User-ID agents query do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate information in one data center firewall and the second to share the information with other data center firewalls.
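The hop-counting rule above is easy to get wrong when a plan has many regions, so here is an added example (not code from the PAN-OS guide or from Palo Alto Networks) that checks a planned redistribution sequence against the ten-hop limit. It treats every transfer from one redistribution point to the next as a hop, does not count the directory servers that agents query, and does count a Windows-based User-ID agent forwarding mappings to a firewall. The topology in example_plan() is constructed to match the figure described in the text (three hops from the European region, four from the North American region, two hops within the top layer); node names such as eu-local-fw are illustrative and not real hosts.

```python
"""Check a planned User-ID redistribution sequence against the ten-hop limit.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
The topology and node names are constructed for illustration.
"""
from collections import deque

MAX_HOPS = 10
SOURCE, AGENT, FIREWALL = "source", "agent", "firewall"


class RedistributionPlan:
    def __init__(self):
        self.kind = {}       # node -> SOURCE | AGENT | FIREWALL
        self.sends_to = {}   # node -> set of nodes that receive from it

    def add(self, node, kind):
        self.kind[node] = kind
        self.sends_to.setdefault(node, set())
        return self

    def link(self, src, dst):
        """dst receives mappings from src (for a SOURCE: dst queries src)."""
        self.sends_to[src].add(dst)
        return self

    def hop_cost(self, src):
        # Querying an information source is not a hop; forwarding from a
        # Windows agent or redistributing from a firewall is.
        return 0 if self.kind[src] == SOURCE else 1

    def hops(self, origin, target):
        """Fewest hops from origin to target, or None if unreachable (0-1 BFS)."""
        dist = {origin: 0}
        dq = deque([origin])
        while dq:
            node = dq.popleft()
            cost = self.hop_cost(node)
            for nxt in self.sends_to[node]:
                d = dist[node] + cost
                if d < dist.get(nxt, float("inf")):
                    dist[nxt] = d
                    if cost == 0:
                        dq.appendleft(nxt)
                    else:
                        dq.append(nxt)
        return dist.get(target)

    def max_hops_into(self, target):
        """Longest sequence any information source needs to reach target."""
        reach = [self.hops(n, target) for n, k in self.kind.items() if k == SOURCE]
        return max((h for h in reach if h is not None), default=0)

    def violations(self):
        """Firewalls whose mappings would travel more than MAX_HOPS hops."""
        bad = {}
        for node, kind in self.kind.items():
            if kind == FIREWALL:
                h = self.max_hops_into(node)
                if h > MAX_HOPS:
                    bad[node] = h
        return bad


def example_plan():
    """Three layers: local offices, regional offices, global data center."""
    p = RedistributionPlan()
    p.add("eu-directory", SOURCE).add("na-directory", SOURCE)
    p.add("na-agent", AGENT)                       # Windows-based User-ID agent
    for fw in ("eu-local-fw", "na-local-fw", "eu-regional-fw", "na-regional-fw",
               "dc-fw-1", "dc-fw-2", "dc-fw-3"):
        p.add(fw, FIREWALL)
    # Bottom layer: the EU firewall runs the PAN-OS integrated agent and queries
    # its directory itself; the NA office has a Windows agent in between.
    p.link("eu-directory", "eu-local-fw")
    p.link("na-directory", "na-agent").link("na-agent", "na-local-fw")
    # Local -> regional -> data center aggregator -> other data center firewalls
    p.link("eu-local-fw", "eu-regional-fw").link("na-local-fw", "na-regional-fw")
    p.link("eu-regional-fw", "dc-fw-1").link("na-regional-fw", "dc-fw-1")
    p.link("dc-fw-1", "dc-fw-2").link("dc-fw-1", "dc-fw-3")
    return p


if __name__ == "__main__":
    plan = example_plan()
    for origin in ("eu-directory", "na-directory"):
        print(origin, "-> dc-fw-2:", plan.hops(origin, "dc-fw-2"))   # 3 and 4
    print("violations:", plan.violations())                          # {}
```

Run violations() on the real plan before committing any redistribution configuration; a region added later at the bottom of a deep tree is the usual way the limit is exceeded.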
Figure: User-ID and Timestamp Redistribution
Configure User-ID Redistribution

Before you configure User-ID redistribution:

Plan the redistribution architecture. Some factors to consider are:
- Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
- How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
- How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.

Configure user mapping using PAN-OS Integrated User-ID agents or Windows-based User-ID Agents.

Configure Authentication Policy.

Perform the following steps on the firewalls in the User-ID redistribution sequence.