
User-ID

PAN-OS Administrator's Guide
Version 8.0
Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide

This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:

- For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
- For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
- For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
- For the most current PAN-OS and Panorama 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: July 11, 2017

2 PAN-OS 8.0 Administrator's Guide, Palo Alto Networks, Inc.
User-ID

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. The following topics provide more details about User-ID and how to configure it:
- User-ID Overview
- User-ID Concepts
- Enable User-ID
- Map Users to Groups
- Map IP Addresses to Users
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
- Deploy User-ID in a Large-Scale Network


Copyright 2007-2017 Palo Alto Networks


User-ID Overview

User-ID enables you to identify all users on your network using a variety of techniques to ensure that you can identify users in all locations using a variety of access methods and operating systems, including Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX. Knowing who your users are instead of just their IP addresses enables:
- Visibility: Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.
- Policy control: Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.
- Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the predefined User/Group Activity report to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.

To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure Authentication Policy to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms to suit your environment, and even use different mechanisms at different sites to ensure that you are safely enabling access to applications for all users, in all locations, all the time.

Figure: User-ID


To enable user- and group-based policy enforcement, the firewall requires a list of all available users and their corresponding group memberships so that you can select groups when defining your policy rules. The firewall collects Group Mapping information by connecting directly to your LDAP directory server, or using XML API integration with your directory server.
See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting up User-ID.

Note: User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.

User-ID Concepts

- Group Mapping
- User Mapping

Group Mapping

To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. If you are using a directory server that is not natively supported by the firewall, you can integrate the group mapping function using the XML API. You can then create a group mapping configuration to Map Users to Groups and Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping

Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility. The following topics describe the different methods of user mapping:
- Server Monitoring
- Port Mapping
- Syslog
- XFF Headers
- Authentication Policy and Captive Portal
- GlobalProtect
- XML API
- Client Probing


Server Monitoring

With server monitoring, a User-ID agent, either a Windows-based agent running on a domain server in your network or the integrated PAN-OS User-ID agent running on the firewall, monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Port Mapping

In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

XFF Headers

User-ID can read the IPv4 or IPv6 addresses of users from the X-Forwarded-For (XFF) header in HTTP client requests when the firewall is deployed between the Internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the true user IP addresses with usernames. See Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.

Authentication Policy and Captive Portal

In some cases, the User-ID agent can't map an IP address to a username using server monitoring or other methods, for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support. In other cases, you might want users to authenticate when accessing sensitive applications regardless of which methods the User-ID agent uses to perform user mapping. For all these cases, you can Configure Authentication Policy and Map IP Addresses to Usernames Using Captive Portal. Any web traffic (HTTP or HTTPS) that matches an Authentication policy rule prompts the user to authenticate through Captive Portal. You can use the following Captive Portal Authentication Methods:
- Browser challenge: Use Kerberos single sign-on (recommended) or NT LAN Manager (NTLM) authentication if you want to reduce the number of login prompts that users must respond to.
- Web form: Use Multi-Factor Authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or Local Authentication.
- Client Certificate Authentication.


Syslog

Your environment might have existing network services that authenticate users. These services include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other Network Access Control (NAC) mechanisms. You can configure these services to send syslog messages that contain information about login and logout events and configure the User-ID agent to parse those messages. The User-ID agent parses for login events to map IP addresses to usernames and parses for logout events to delete outdated mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.
Both the PAN-OS integrated User-ID agent and the Windows-based User-ID agent use Syslog Parse profiles to parse syslog messages. In environments where services send the messages in different formats, you can create a custom profile for each format and associate multiple profiles with each syslog sender. If you use the PAN-OS integrated User-ID agent, you can also use predefined Syslog Parse profiles that Palo Alto Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
- Each message must be a single-line text string. The allowed delimiters for line breaks are a newline (\n) or a carriage return plus a newline (\r\n).
- The maximum size for individual messages is 2,048 bytes.
- Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
See Configure User-ID to Monitor Syslog Senders for User Mapping for configuration details.

Figure: User-ID Integration with Syslog
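Added example, not PAN-OS or agent code: a small emulation of how a Syslog Parse profile turns login and logout messages into user mappings while enforcing the three criteria listed above (single line, 2,048-byte limit, several messages per UDP packet). The sender format, the regexes and the sample messages are constructed for illustration; a real sender needs its own profile.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-message size limit from the syslog criteria above.
MAX_MESSAGE_BYTES = 2048


@dataclass
class SyslogParseProfile:
    """One profile per sender format (constructed). Both regexes must capture
    'user' and 'ip'; an optional 'domain' group is prefixed to the user."""
    name: str
    login_regex: str
    logout_regex: str

    def parse(self, message: str) -> Optional[Tuple[str, str, str]]:
        """Return (event, username, ip) or None if neither regex matches."""
        for event, pattern in (("login", self.login_regex), ("logout", self.logout_regex)):
            m = re.search(pattern, message)
            if m:
                groups = m.groupdict()
                user = groups["user"]
                if groups.get("domain"):
                    user = f"{groups['domain']}\\{user}"
                return event, user, groups["ip"]
        return None


def split_datagram(payload: bytes) -> List[bytes]:
    """One UDP packet may carry several messages delimited by LF or CRLF."""
    return [m for m in re.split(rb"\r\n|\n", payload) if m]


def validate_message(raw: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the message meets the criteria."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return f"message exceeds {MAX_MESSAGE_BYTES} bytes"
    if b"\r" in raw or b"\n" in raw:
        return "message is not a single line"
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return "message is not valid UTF-8 text"
    return None


@dataclass
class UserMappingTable:
    """IP -> username table maintained from login and logout events."""
    mappings: Dict[str, str] = field(default_factory=dict)

    def apply(self, event: str, user: str, ip: str) -> None:
        if event == "login":
            self.mappings[ip] = user      # create or refresh the mapping
        elif event == "logout":
            self.mappings.pop(ip, None)   # delete the outdated mapping for that IP


def process_datagram(table: UserMappingTable, profiles: List[SyslogParseProfile],
                     payload: bytes) -> List[str]:
    """Run one UDP payload through the profiles associated with its sender and
    return one status string per message."""
    results = []
    for raw in split_datagram(payload):
        reason = validate_message(raw)
        if reason:
            results.append(f"rejected: {reason}")
            continue
        text = raw.decode("utf-8")
        parsed = None
        for profile in profiles:
            parsed = profile.parse(text)
            if parsed:
                break
        if parsed is None:
            results.append("ignored: no profile matched")
            continue
        table.apply(*parsed)
        results.append(f"{parsed[0]}: {parsed[1]} @ {parsed[2]}")
    return results


# Constructed profile for a hypothetical wireless-controller message format.
WLC_PROFILE = SyslogParseProfile(
    name="constructed-wlc",
    login_regex=r"User '(?P<user>[^']+)' authenticated, domain=(?P<domain>\w+), ip=(?P<ip>[0-9A-Fa-f.:]+)",
    logout_regex=r"User '(?P<user>[^']+)' disconnected, ip=(?P<ip>[0-9A-Fa-f.:]+)",
)

# Constructed datagram: three messages in one packet, LF and CRLF delimited.
SAMPLE_DATAGRAM = (
    b"<14>Jan 11 10:00:01 wlc01 auth: User 'jsmith' authenticated, domain=ACME, ip=10.1.20.15\n"
    b"<14>Jan 11 10:00:07 wlc01 auth: User 'adoe' authenticated, domain=ACME, ip=10.1.20.16\r\n"
    b"<14>Jan 11 10:45:09 wlc01 auth: User 'jsmith' disconnected, ip=10.1.20.15\n"
)


def demo() -> UserMappingTable:
    table = UserMappingTable()
    for status in process_datagram(table, [WLC_PROFILE], SAMPLE_DATAGRAM):
        print(status)
    return table


if __name__ == "__main__":
    print(demo().mappings)   # {'10.1.20.16': 'ACME\\adoe'}
```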


GlobalProtect

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.

XML API

Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent. See Send User Mappings to User-ID Using the XML API for details.
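Added example, not Palo Alto Networks code: building the batch of login and logout events that an integration sends to the PAN-OS integrated User-ID agent over the XML API, validating every IP address before anything leaves the host and keeping TLS verification on for the request. The uid-message layout and the type=user-id request parameters are the User-ID XML API format as I know it, not something shown on this page; the firewall host, API key and events are placeholders.

```python
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Tuple


def valid_ip(text: str) -> bool:
    """True only for a single well-formed IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _add_entry(parent: ET.Element, user: str, ip: str, timeout: Optional[int]) -> None:
    # Validate before sending: a bad address or empty name would either pollute
    # the firewall's mapping table or get the whole batch rejected.
    if not valid_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    if not user.strip():
        raise ValueError("username must not be empty")
    attrs = {"name": user, "ip": ip}
    if timeout is not None:
        attrs["timeout"] = str(timeout)   # minutes until the mapping expires
    ET.SubElement(parent, "entry", attrs)


def build_uid_message(logins: Iterable[Tuple[str, str]],
                      logouts: Iterable[Tuple[str, str]] = (),
                      timeout_minutes: Optional[int] = 20) -> str:
    """Return the <uid-message> XML for a batch of (user, ip) login/logout events.
    Layout: the User-ID XML API format as I know it (assumption, not from this page)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login_el = ET.SubElement(payload, "login")
    for user, ip in logins:
        _add_entry(login_el, user, ip, timeout_minutes)
    logout_el = ET.SubElement(payload, "logout")
    for user, ip in logouts:
        _add_entry(logout_el, user, ip, None)   # logout entries carry no timeout
    return ET.tostring(root, encoding="unicode")


def build_request(firewall_host: str, api_key: str, uid_xml: str) -> Tuple[str, bytes]:
    """Return (url, form body) for the POST to the firewall's XML API endpoint."""
    url = f"https://{firewall_host}/api/"
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    return url, body


def send_uid_message(firewall_host: str, api_key: str, uid_xml: str,
                     ca_file: Optional[str] = None) -> str:
    """POST the batch over TLS with certificate verification on; the API key
    travels in the body, so verification must never be disabled here."""
    url, body = build_request(firewall_host, api_key, uid_xml)
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def count_entries(uid_xml: str) -> Tuple[int, int]:
    """Number of (login, logout) entries in a message; used for checks."""
    root = ET.fromstring(uid_xml)
    return (len(root.findall("./payload/login/entry")),
            len(root.findall("./payload/logout/entry")))


if __name__ == "__main__":
    # Constructed events from a hypothetical third-party VPN concentrator.
    xml = build_uid_message(
        logins=[("acme\\jsmith", "10.1.20.15"), ("acme\\adoe", "2001:db8::15")],
        logouts=[("acme\\bcarter", "10.1.20.14")])
    print(xml)
    # send_uid_message("FIREWALL_HOST_PLACEHOLDER", "API_KEY_PLACEHOLDER", xml)
```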

Client Probing

In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI) and/or NetBIOS probing at regular intervals to verify that an existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped.

Note: NetBIOS probing is only supported on the Windows-based User-ID agent; it is not supported on the PAN-OS integrated User-ID agent.

Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but is not ideal for today's more modern networks that support a roaming and mobile user base on a variety of devices and operating systems. Additionally, client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses) and can pose a security threat when misconfigured. Therefore, client probing is no longer a recommended method for user mapping. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which allow you to safely capture user mapping information from any device type or operating system. If you have sensitive applications that require you to know exactly who a user is, configure Authentication Policy and Captive Portal to ensure that you are only allowing access to authorized users.

Note: Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling WMI probing.
If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.


If you do choose to enable probing in your trusted zones, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Enable User-ID

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility, user- and group-based policy control, and improved logging, reporting, and forensics:

Configure User-ID

Step 1: Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
  Note: Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected services and applications.
  1. Select Network > Zones and click the Name of the zone.
  2. Enable User Identification and click OK.

Step 2: Create a Dedicated Service Account for the User-ID Agent.
  Note: As a best practice, create a service account with the minimum set of permissions required to support the User-ID options you enable, to reduce your attack surface in the event that the service account is compromised.
  This is required if you plan to use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor domain controllers, Microsoft Exchange servers, or Windows clients for user login and logout events.

Step 3: Map Users to Groups.
  This enables the firewall to connect to your LDAP directory and retrieve Group Mapping information so that you will be able to select usernames and group names when creating policy.


Step 4: Map IP Addresses to Users.
  Note: As a best practice, do not enable client probing as a user mapping method on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
  The way you do this depends on where your users are located, what types of systems they are using, and what systems on your network are collecting login and logout events for your users. You must configure one or more User-ID agents to enable User Mapping:
  - Configure User Mapping Using the Windows User-ID Agent.
  - Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
  - Configure User-ID to Monitor Syslog Senders for User Mapping.
  - Configure User Mapping for Terminal Server Users.
  - Send User Mappings to User-ID Using the XML API.

Step 5: Specify the networks to include and exclude from user mapping.
  Note: As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
  Configure each agent that you configured for user mapping as follows:
  - Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
  - Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.

Step 6: Configure Authentication Policy and Captive Portal.
  The firewall uses Captive Portal to authenticate end users when they request services, applications, or URL categories that match Authentication Policy rules. Based on user information collected during authentication, the firewall creates new user mappings or updates existing mappings. The mapping information collected during authentication overrides information collected through other User-ID methods.
  1. Configure Captive Portal.
  2. Configure Authentication Policy.


Step 7: Enable user- and group-based policy enforcement.
  Note: Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
  After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
  1. Select Policies > Security and Add a new rule or click an existing rule name to edit.
  2. Select User and specify which users and groups to match in the rule in one of the following ways:
     - If you want to select specific users or groups as matching criteria, click Add in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
     - If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
  3. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.

Step 8: Create the Security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.
  Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
  - Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
  - Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings, and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
  - Deny the paloalto-userid-agent application to any external zone, such as your internet zone.

Step 9: Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.
  When the firewall is between the Internet and a proxy server, the IP addresses in the packets that the firewall sees are for the proxy server rather than users. To enable visibility of user IP addresses instead, configure the firewall to use the XFF headers for user mapping. With this option enabled, the firewall matches the IP addresses with usernames referenced in policy to enable control and visibility for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
  1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
  2. Select X-Forwarded-For Header in User-ID.
     NOTE: Selecting Strip-X-Forwarded-For Header doesn't disable the use of XFF headers for user attribution in policy rules; the firewall zeroes out the XFF value only after using it for user attribution.
  3. Click OK to save your changes.
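Added example that is not part of the guide, covering the XFF method from the concepts section and Step 9 above: the attribution logic a defender wants behind the X-Forwarded-For option, written as a general technique rather than as PAN-OS's exact selection algorithm. It honours XFF only for packets that really arrive from a known proxy range, walks the header from the proxy side so a client-forged prefix cannot spoof the mapping, and zeroes the header after attribution as the NOTE describes. The proxy ranges, mapping table and sample headers are constructed; the zeroed value is an assumed representation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

XFF = "X-Forwarded-For"


def parse_xff(value: str) -> List[str]:
    """Split a header value into its hops, leftmost (client-supplied) first."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def attribute_user_ip(packet_src: str, headers: Dict[str, str],
                      trusted_proxies: List[str]) -> Optional[str]:
    """Pick the user IP from XFF, or None when the header cannot be trusted.

    General technique, not PAN-OS's exact algorithm (assumption): the header
    is honoured only for packets from a trusted proxy range, and hops are
    read from the right, because the rightmost hop was appended by the nearest
    proxy while everything further left could have been forged by the client."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not _in_any(ipaddress.ip_address(packet_src), nets):
        return None
    for hop in reversed(parse_xff(headers.get(XFF, ""))):
        try:
            ip = ipaddress.ip_address(hop.strip("[]"))   # IPv6 may be bracketed
        except ValueError:
            return None          # malformed hop: do not guess a user
        if _in_any(ip, nets):
            continue             # one of our own proxies, keep walking left
        return str(ip)
    return None


def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Model the Strip-X-Forwarded-For Header option: after attribution the
    value is zeroed so the proxied client address is not leaked onward.
    The zeroed representation used here is an assumption."""
    out = dict(headers)
    if XFF in out:
        out[XFF] = "0.0.0.0"
    return out


def attribute_request(packet_src: str, headers: Dict[str, str],
                      trusted_proxies: List[str], user_mappings: Dict[str, str],
                      strip: bool = True) -> Tuple[Optional[str], Optional[str], Dict[str, str]]:
    """Return (user_ip, username, forwarded headers) for one HTTP request;
    attribution happens before the header is stripped."""
    user_ip = attribute_user_ip(packet_src, headers, trusted_proxies)
    username = user_mappings.get(user_ip) if user_ip else None
    return user_ip, username, strip_xff(headers) if strip else dict(headers)


# Constructed environment: the firewall sees the proxy tier 10.0.0.0/24 in
# front of internal users; the mapping table came from another User-ID method.
TRUSTED_PROXIES = ["10.0.0.0/24"]
USER_MAPPINGS = {"10.1.20.15": "ACME\\jsmith", "10.1.20.16": "ACME\\adoe"}

if __name__ == "__main__":
    # The client forged "192.0.2.1" into XFF; proxy A (10.0.0.6) appended the
    # real client, proxy B (10.0.0.5) appended proxy A and forwarded to the firewall.
    hdrs = {"Host": "intranet.example", XFF: "192.0.2.1, 10.1.20.15, 10.0.0.6"}
    print(attribute_request("10.0.0.5", hdrs, TRUSTED_PROXIES, USER_MAPPINGS))
    # The same header arriving directly from an untrusted source: no attribution.
    print(attribute_request("198.51.100.7", hdrs, TRUSTED_PROXIES, USER_MAPPINGS))
```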


Step 10: Commit your changes.
  Commit your changes to activate them.

Step 11: Verify the User-ID Configuration.
  After you configure user mapping and group mapping, verify that the configuration works properly and that you can safely enable and monitor user and group access to your applications and services.

Map Users to Groups

Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
- VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups
- VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups
Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.

The following are best practices for group mapping in an Active Directory (AD) environment:
- If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add up to four domain controllers to the LDAP server profile for fault tolerance. Note that you cannot increase redundancy beyond four domain controllers for a single domain by adding multiple group mapping configurations for that domain.
- If you have multiple domains and/or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
- If you have Universal Groups, create an LDAP server profile to connect to the Global Catalog server.

Map Users to Groups

Step 1: Add an LDAP server profile.
  The profile defines how the firewall connects to the directory servers from which it collects group mapping information.
  1. Select Device > Server Profiles > LDAP and Add a server profile.
  2. Enter a Profile Name to identify the server profile.
  3. Add the LDAP servers. You can add up to four servers to the profile but they must be the same Type. For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
  4. Select the server Type. Based on your selection (such as active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
  5. For the Base DN, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to start searching for user and group information.
  6. For the Bind DN, Password and Confirm Password, enter the authentication credentials for binding to the LDAP tree. The Bind DN can be a fully qualified LDAP name (such as cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (such as administrator@acme.local).
  7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
  8. Click OK to save the server profile.


Step 2: Configure the server settings in a group mapping configuration.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Add the group mapping configuration.
  3. Enter a unique Name to identify the group mapping configuration.
  4. Select the LDAP Server Profile you just created.
  5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
  6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
  7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
  8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains (Domain List) in your organization. Use commas to separate multiple domains (up to 256 characters). After you click OK (later in this procedure), PAN-OS automatically populates the Mail Attributes based on the type of LDAP server specified in the Server Profile. When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
  9. Make sure the group mapping configuration is Enabled (default is enabled).


Step 3: Limit which groups will be available in policy rules.
  Required only if you want to limit policy rules to specific groups. The combined maximum for the Group Include List and Custom Group list is 640 entries per group mapping configuration. Each entry can be a single group or a list of groups. By default, if you don't specify groups, all groups are available in policy rules.
  Note: Any custom groups you create will also be available in the Allow List of authentication profiles (Configure an Authentication Profile and Sequence).
  1. Add existing groups from the directory service:
     a. Select Group Include List.
     b. Select the Available Groups you want to appear in policy rules and add them to the Included Groups.
  2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
     a. Select Custom Group and Add the group.
     b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (such as in policies and logs).
     c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
        Note: To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
  3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and objects.
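Because the firewall does not validate LDAP filters, an added pre-commit check (my own code, not a firewall feature) that parses an RFC 4515 filter such as the Marketing-contractor example from the Group Mapping section, reports syntax errors with a character offset, enforces the 2,048-character limit from step 2c, and warns when the filter uses attributes outside a list of indexed attributes you supply. The indexed-attribute list is an assumption you must take from your own directory; the sample filters are constructed.

```python
import re
from typing import List, Optional, Tuple

MAX_FILTER_CHARS = 2048   # limit stated for a custom group's LDAP Filter

# attribute description, optionally followed by ':dn' / ':matchingRule' parts
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;\-]*(?::[A-Za-z0-9.\-]+)*")
_OPERATORS = ("~=", ">=", "<=", ":=", "=")


class LdapFilterError(ValueError):
    """Syntax error carrying the character offset where parsing failed."""


def parse_attributes(filter_text: str) -> List[str]:
    """Validate RFC 4515 filter syntax and return the attributes used, in order."""
    attrs: List[str] = []
    end = _parse_filter(filter_text, 0, attrs)
    if end != len(filter_text):
        raise LdapFilterError(f"unexpected text at offset {end}")
    return attrs


def _parse_filter(s: str, i: int, attrs: List[str]) -> int:
    if i >= len(s) or s[i] != "(":
        raise LdapFilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise LdapFilterError(f"unterminated filter at offset {i}")
    op = s[i]
    if op in "&|":                      # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i, attrs)
            count += 1
        if count == 0:
            raise LdapFilterError(f"'{op}' needs at least one sub-filter at offset {i}")
    elif op == "!":                     # not: exactly one sub-filter
        i = _parse_filter(s, i + 1, attrs)
    else:                               # simple / present / substring / extensible
        i = _parse_item(s, i, attrs)
    if i >= len(s) or s[i] != ")":
        raise LdapFilterError(f"expected ')' at offset {i}")
    return i + 1


def _parse_item(s: str, i: int, attrs: List[str]) -> int:
    m = _ATTR.match(s, i)
    if not m:
        raise LdapFilterError(f"expected attribute name at offset {i}")
    attrs.append(m.group(0).split(":")[0])   # base attribute without matching rule
    i = m.end()
    for op in _OPERATORS:
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise LdapFilterError(f"expected =, ~=, >=, <= or := at offset {i}")
    j = i
    while j < len(s) and s[j] != ")":
        if s[j] == "(":
            raise LdapFilterError(f"unescaped '(' in value at offset {j}")
        j += 1
    value = s[i:j]
    if not value:
        raise LdapFilterError(f"empty assertion value at offset {i}")
    if re.search(r"\\(?![0-9A-Fa-f]{2})", value):   # only \XX escapes are legal
        raise LdapFilterError(f"bad backslash escape in value at offset {i}")
    return j


def filter_error(filter_text: str) -> Optional[str]:
    """Syntax error message for a filter, or None when it parses cleanly."""
    try:
        parse_attributes(filter_text)
        return None
    except LdapFilterError as exc:
        return str(exc)


def check_custom_group_filter(filter_text: str,
                              indexed_attrs: List[str]) -> Tuple[bool, List[str]]:
    """Pre-commit check for a custom group filter: (ok, warnings). ok is False
    on a syntax error or over the 2,048-character limit; warnings name the
    attributes that are not in the indexed set you supply."""
    if len(filter_text) > MAX_FILTER_CHARS:
        return False, [f"filter is {len(filter_text)} characters; limit is {MAX_FILTER_CHARS}"]
    error = filter_error(filter_text)
    if error:
        return False, [f"syntax: {error}"]
    indexed = {a.lower() for a in indexed_attrs}
    warnings = [f"attribute '{a}' is not indexed; the query may load the directory server"
                for a in parse_attributes(filter_text) if a.lower() not in indexed]
    return True, warnings


if __name__ == "__main__":
    # Constructed: the Marketing example, checked against an assumed index list.
    INDEXED = ["objectClass", "sAMAccountName", "cn", "memberOf"]
    print(check_custom_group_filter("(&(objectClass=user)(department=Marketing))", INDEXED))
    print(check_custom_group_filter("(&(objectClass=user)(department=Marketing)", INDEXED))
```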

Map IP Addresses to Users

User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users. For guidance, refer to Architecting User Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following methods as needed to enable user-based access and visibility to applications and resources:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure a User-ID agent:
  - Configure User Mapping Using the PAN-OS Integrated User-ID Agent
  - Configure User Mapping Using the Windows User-ID Agent
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Monitor Syslog Senders for User Mapping.
  Note: While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
- If you have users with client systems that aren't logged in to your domain servers, for example, users running Linux clients that don't log in to the domain, you can Map IP Addresses to Usernames Using Captive Portal. Using Captive Portal in conjunction with Authentication Policy also ensures that all users authenticate to access your most sensitive applications and data.
- For other clients that you can't map using the other methods, you can Send User Mappings to User-ID Using the XML API.
- A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.

Create a Dedicated Service Account for the User-ID Agent

IfyouplantouseeithertheWindowsbasedUserIDagentorthePANOSintegratedUserIDagenttomap
usersastheylogintoyourExchangeservers,domaincontrollers,eDirectoryservers,orWindowsclients,
youmustcreateadedicatedserviceaccountfortheUserIDagentonadomaincontrollerineachdomain
thattheagentwillmonitor.
Therequiredpermissionsfortheserviceaccountdependonwhatusermappingmethodsandsettingsyou
plantouse.ToreducetheriskassociatedwithcompromiseoftheUserIDserviceaccount,alwaysconfigure
theaccountwiththeminimumsetofpermissionsnecessaryfortheagenttofunctionproperly.

UserIDprovidesmanymethodsforsafelycollectingusermappinginformation.Someofthelegacyfeatures,
whichweredesignedforenvironmentsthatonlyrequiredmappingofusersonWindowsdesktopsattachedto
thelocalnetwork,requireprivilegedserviceaccounts.Intheeventthattheprivilegedserviceaccountis
compromised,thiswouldopenyournetworktoattack.Asabestpractice,avoidusingtheselegacyfeaturessuch
asclientprobing,NTLMauthentication,andsessionmonitoringthatrequireprivilegesthatwouldposeathreat
ifcompromised.ThefollowingworkflowdetailsallprivilegesrequiredandprovideguidanceastowhichUserID
featuresrequireprivilegesthatcouldposeathreatsothatyoucandecidehowtobestidentifyuserswithout
compromisingyouroverallsecurityposture.

Create a Dedicated Service Account for the User-ID Agent

Step 1  Create an AD account for the User-ID agent.
        You must create a service account in each domain the agent will monitor.
    1. Log in to the domain controller.
    2. Right-click the Windows icon, search for Active Directory Users and Computers, and launch the application.
    3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
    4. Enter the First Name, Last Name, and User logon name of the user and click Next.
    5. Enter the Password and Confirm Password, and then click Next and Finish.


Step 2  Add the account to the Built-in groups that have privileges for accessing the services and hosts the User-ID agent will monitor.
    1. Right-click the service account you just added and Add to a group.
    2. Enter the object names to select as follows to assign the account to groups. Separate each entry with a semicolon.
       - Event Log Readers or a custom group that has privileges for reading Security log events. These privileges are required if the User-ID agent will collect mapping information by monitoring Security logs.
       - (PAN-OS integrated agent only) Distributed COM Users group, which has privileges for launching, activating, and using Distributed Component Object Model (DCOM) objects.
       - (Not recommended) Server Operators group, which has privileges for opening sessions. The agent only requires these privileges if you plan to configure it to refresh existing mapping information by monitoring user sessions.
         Because this group also has privileges for shutting down and restarting servers, assign the account to it only if monitoring user sessions is very important.
       - (PAN-OS integrated agent only) If you plan to configure NTLM authentication for Captive Portal, the firewall where you've configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organization unit (ou=computers).
         The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. Consider configuring Kerberos single sign-on (SSO) or SAML SSO authentication for Captive Portal instead of NTLM. Kerberos and SAML are stronger, more secure authentication methods and do not require the firewall to join the domain.
         For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
    3. Check Names to validate your entries and click OK twice.


Step 3  If you plan to use WMI probing, enable the account to read the CIMV2 namespace on the client systems.
        By default, accounts in the Server Operators group have this permission.
        Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
    Perform this task on each client system that the User-ID agent will probe for user mapping information:
    1. Right-click the Windows icon, search for wmimgmt.msc, and launch the WMI Management Console.
    2. In the console tree, right-click WMI Control and select Properties.
    3. Select Security, select Root > CIMV2, and click Security.
    4. Add the name of the service account you created, Check Names to verify your entry, and click OK.
       You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
    5. In the Permissions for <Username> section, Allow the Enable Account, Read Security, and Remote Enable permissions.
    6. Click OK twice.

Step 4  Turn off account privileges that are not necessary.
        By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.
    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
    - Deny interactive logon for the User-ID service account. While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information).
    - Deny remote access for the User-ID service account. This prevents an attacker from using the account to access your network from outside the network.

Step 5  Next steps...
    You are now ready to:
    - Configure User Mapping Using the Windows User-ID Agent.
    - Configure User Mapping Using the PAN-OS Integrated User-ID Agent.


Configure User Mapping Using the Windows User-ID Agent

In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address-to-username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, locate your User-ID agents near the servers they will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of user mappings since the last update) going from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
- Install the Windows-Based User-ID Agent
- Configure the Windows-Based User-ID Agent for User Mapping

Install the Windows-Based User-ID Agent

The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.

For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to the Palo Alto Networks Compatibility Matrix.

Install the Windows User-ID Agent

Step 1  Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings.
    Create a Dedicated Service Account for the User-ID Agent.

Step 2  Decide where to install the User-ID agent.
        The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MS-RPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
        NOTE: For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
    - You must install the User-ID agent on a system running one of the supported OS versions: see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
    - Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
    - As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
    - To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.


Step 3  Download the User-ID agent installer.
        Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0.
    1. Log in to the Palo Alto Networks Customer Support website.
    2. Select Software Updates from the Manage Devices section.
    3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
    4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 4  Run the installer as an administrator.
    1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
    2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
       C:\Users\administrator.acme>cd Desktop
       C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
    3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
    4. When the installation completes, Close the setup window.

Step 5  Launch the User-ID Agent application.
    Open the Windows Start menu and select User-ID Agent.

Step 6  (Optional) Change the service account that the User-ID agent uses to log in.
    By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
    1. Select User Identification > Setup and click Edit.
    2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
    3. Enter the Password for the specified account.


Step 7  (Optional) Assign account permissions to the installation folder.
        You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
    1. Give the service account permissions to the installation folder:
       a. From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks, right-click the folder, and select Properties.
       b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, and Read, and then click OK to save the account settings.
    2. Give the service account permissions to the User-ID Agent registry subtree:
       a. Run regedit32 and navigate to the Palo Alto Networks subtree in one of the following locations:
          - 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
          - 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
       b. Right-click the Palo Alto Networks node and select Permissions.
       c. Assign the User-ID service account Full Control and then click OK to save the setting.
    3. On the domain controller, add the service account to the built-in groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
       a. Run the MMC and launch the Active Directory Users and Computers snap-in.
       b. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
       c. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
       d. Click OK twice to save the settings.


Step 8  (Optional) Assign your own certificates for mutual authentication between the Windows User-ID agent and the firewall.
    1. Obtain your certificate for the Windows User-ID agent. The private key of the server certificate must be encrypted and uploaded using the PFX or P12 bundles.
       - Generate a Certificate and export it for upload to the Windows User-ID agent.
       - Export a certificate from your enterprise certificate authority (CA) and then upload it to the Windows User-ID agent.
    2. Add a server certificate to the Windows User-ID agent.
       a. On the Windows User-ID agent, select Server Certificate and click Add.
       b. Enter the path and name of the certificate file received from the CA or browse to the certificate file.
       c. Enter the private key password.
       d. Click OK and then Commit.
    3. Upload a certificate to the firewall to validate the Windows User-ID agent's identity.
    4. Configure the certificate profile for the client device (firewall or Panorama).
       a. Select Device > Certificate Management > Certificate Profile.
       b. Configure a Certificate Profile.
          You can only assign one certificate profile for Windows User-ID agents and Terminal Services (TS) agents. Therefore, your certificate profile must include all certificate authorities that issued certificates uploaded to connected User-ID and TS agents.
    5. Assign the certificate profile on the firewall.
       a. Select Device > User Identification > Connection Security and click the edit button.
       b. Select the certificate profile you configured in the previous step from the User-ID Certificate Profile drop-down.
       c. Click OK.
    6. Commit your changes.

Step 9  Configure Credential Detection with the Windows-based User-ID Agent.
    To use the Windows-based User-ID agent to detect credential submissions and Prevent Credential Phishing, you must install the User-ID credential service on the Windows-based User-ID agent. You can only install this add-on on a read-only domain controller (RODC).


Configure the Windows-Based User-ID Agent for User Mapping

The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, which enables visibility into user activity by username rather than IP address and enables user- and group-based security enforcement.

For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

MAP IP ADDRESSES TO USERS USING THE WINDOWS-BASED USER-ID AGENT

Step 1  Define the servers the User-ID agent will monitor to collect IP address-to-user mapping information.
        The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
        NOTE: To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to, in order to monitor the security log files on all servers that contain login events.
    1. Open the Windows Start menu and select User-ID Agent.
    2. Select User Identification > Discovery.
    3. In the Servers section of the screen, click Add.
    4. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address.
    5. Select the Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored.
    6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
       NOTE: Auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
    7. (Optional) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. Increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links.
       Ensure that the Enable Server Session Read setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and Network Access Controllers (NACs).
    8. Click OK to save the settings.


Step 2  Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
        By default, User-ID maps all users accessing the servers you are monitoring.
        As a best practice, always specify which networks to include and exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable User-ID on the subnetworks where users internal to your organization are logging in.
    1. Select User Identification > Discovery.
    2. Add an entry to the Include/Exclude list of configured networks, enter a Name for the entry, and enter the IP address range of the subnetwork as the Network Address.
    3. Select whether to include or exclude the network:
       - Include specified network: Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
       - Exclude specified network: Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8.
         If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
    4. Click OK.

Step 3  (Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
    1. Select User Identification > Setup and click Edit in the Setup section of the window.
    2. Select the eDirectory tab and then complete the following fields:
       - Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com.
       - Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com.
       - Bind Password: The bind account password. The agent saves the encrypted password in the configuration file.
       - Search Filter: The search query for user entries (default is objectClass=Person).
       - Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories.
       - Use SSL: Select the check box to use SSL for eDirectory binding.
       - Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using SSL.


Step 4  (Optional, not recommended) Configure client probing.
        Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
    1. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing check box.
    2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
       NOTE: For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled.
       Although client probing is not recommended, if you plan to enable it, WMI probing is preferred over NetBIOS whenever possible.

Step 5  Save the configuration.
    Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.

Step 6  (Optional) Define the set of users for which you do not need to provide IP address-to-username mappings, such as kiosk accounts.
        You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
    Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
        SPAdmin
        SPInstall
        TFSReport
    You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin.

Step 7  Configure the firewall to connect to the User-ID agent.
        NOTE: The firewall can connect to only one Windows-based User-ID agent that is using the User-ID credential service add-on to detect corporate credential submissions. See Configure Credential Detection with the Windows-based User-ID Agent for more details on how to use this service for credential phishing prevention.
    Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
    1. Select Device > User Identification > User-ID Agents and click Add.
    2. Enter a Name for the User-ID agent.
    3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
    4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
    5. Make sure that the configuration is Enabled, then click OK.
    6. Commit the changes.
    7. Verify that the Connected status displays as connected (a green light).


Step 8  Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
    1. Launch the User-ID agent and select User Identification.
    2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
    3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
    4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
    5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.


Configure User Mapping Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).

Map IP Addresses to Users Using the Integrated User-ID Agent

Step 1  Create an Active Directory service account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
    Create a Dedicated Service Account for the User-ID Agent.

Step 2  Define the servers that the firewall will monitor to collect user mapping information.
        Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
        NOTE: To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
    1. Select Device > User Identification > User Mapping.
    2. Click Add in the Server Monitoring section.
    3. Enter a Name to identify the server.
    4. Select the Type of server.
    5. Enter the Network Address (an FQDN or IP address) of the server.
    6. Make sure the server profile is Enabled and click OK.
    7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
       NOTE: The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
    8. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
       NOTE: If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
       a. Edit the Palo Alto Networks User-ID Agent Setup.
       b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600). Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
          Ensure that the Enable Session setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
       c. Click OK to save the changes.


Step 3  Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
        By default, User-ID maps all users accessing the servers you are monitoring.
        As a best practice, always specify which networks to include and, optionally, to exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable user mapping on the subnetworks where users internal to your organization are logging in.
    1. Select Device > User Identification > User Mapping.
    2. Add an entry to the Include/Exclude Networks, enter a Name for the entry, and make sure to keep the Enabled check box selected.
    3. Enter the Network Address and then select whether to include or exclude it:
       - Include: Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
       - Exclude: Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8.
         If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
    4. Click OK.

Step 4  Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
    1. Edit the Palo Alto Networks User-ID Agent Setup.
    2. Select the WMI Authentication tab and enter the User Name and Password for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the username using the domain\username syntax.

Step 5  (Optional, not recommended) Configure WMI probing (the PAN-OS integrated User-ID agent does not support NetBIOS probing).
        Do not enable WMI probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
    1. Select the Client Probing tab and select the Enable Probing check box.
    2. (Optional) Modify the Probe Interval (in minutes) if necessary to ensure it is long enough for the User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the interval between the end of the last probe request and the start of the next request.
       NOTE: If the request load is high, the observed delay between requests might significantly exceed the specified interval.
    3. Click OK.
    4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.

Step 6  (Optional) Define the set of users for which you don't require IP address-to-username mappings, such as kiosk accounts.
        You can also use the ignore user list to identify users whom you want to force to authenticate using Captive Portal.
    Select the Ignore User List tab and Add each username to exclude from user mapping. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
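As an added example (not code from the guide or from Palo Alto Networks), the following Python models the Include/Exclude Networks semantics described in Step 3 above and in Step 2 of the Windows-based agent procedure, together with the ignore-list wildcard rule from Step 6 of both procedures, so you can check what a given login event would do before committing a configuration. It assumes that ignore-list matching is case-insensitive; the sample lists are constructed from the examples the guide gives (10.0.0.0/8, 10.2.50.0/22, corpdomain\it-admin*).

```python
import ipaddress

# Constructed sample configuration, taken from the examples in the guide:
# include 10.0.0.0/8, exclude 10.2.50.0/22, and an ignore list with one wildcard entry.
SAMPLE_INCLUDE = ["10.0.0.0/8"]
SAMPLE_EXCLUDE = ["10.2.50.0/22"]
SAMPLE_IGNORE_LIST = "SPAdmin\nSPInstall\nTFSReport\ncorpdomain\\it-admin*\n"


def parse_ignore_entry(entry):
    """Validate one ignore-list entry.

    The asterisk is allowed only as the last character of an entry; any other
    placement is rejected rather than silently treated as a literal.
    Returns ("prefix", text) for wildcard entries, ("exact", text) otherwise,
    or None for blank lines. Matching is assumed (not stated by the guide)
    to be case-insensitive, so entries are lower-cased here.
    """
    entry = entry.strip()
    if not entry:
        return None
    if "*" in entry[:-1]:
        raise ValueError(f"wildcard allowed only as last character: {entry!r}")
    if entry.endswith("*"):
        return ("prefix", entry[:-1].lower())
    return ("exact", entry.lower())


def load_ignore_list(text):
    """Parse the contents of an ignore_user_list.txt file (one entry per line)."""
    rules = []
    for line in text.splitlines():
        rule = parse_ignore_entry(line)
        if rule is not None:
            rules.append(rule)
    return rules


def is_ignored_user(username, rules):
    """True if the username matches any exact or prefix rule."""
    name = username.lower()
    for kind, pattern in rules:
        if kind == "exact" and name == pattern:
            return True
        if kind == "prefix" and name.startswith(pattern):
            return True
    return False


def network_allows(ip, include, exclude):
    """Apply the Include/Exclude Networks semantics from the guide.

    - With no include entries at all, nothing is mapped (exclusions alone
      disable mapping everywhere).
    - Otherwise the address must fall inside an included network and outside
      every excluded network.
    """
    addr = ipaddress.ip_address(ip)
    includes = [ipaddress.ip_network(n, strict=False) for n in include]
    excludes = [ipaddress.ip_network(n, strict=False) for n in exclude]
    if not includes:
        return False
    if not any(addr in net for net in includes):
        return False
    return not any(addr in net for net in excludes)


def should_map(ip, username, include, exclude, ignore_rules):
    """Decide whether a login event for (ip, username) produces a mapping.

    Returns (decision, reason) so the reason can be logged when troubleshooting
    why a user does or does not appear in the mapping table.
    """
    if not network_allows(ip, include, exclude):
        return (False, "address not in an included network, or in an excluded one")
    if is_ignored_user(username, ignore_rules):
        return (False, "username is on the ignore list")
    return (True, "mapping created")


if __name__ == "__main__":
    rules = load_ignore_list(SAMPLE_IGNORE_LIST)
    for ip, user in [("10.1.1.5", "corpdomain\\jsmith"),
                     ("10.2.51.7", "corpdomain\\jsmith"),
                     ("10.1.1.9", "corpdomain\\it-admin-jane"),
                     ("192.168.1.20", "corpdomain\\jsmith")]:
        print(ip, user, should_map(ip, user, SAMPLE_INCLUDE, SAMPLE_EXCLUDE, rules))
```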


Step 7  Activate your configuration changes.
    Click OK and Commit.

Step 8  Verify the configuration.
    1. Access the firewall CLI.
    2. Enter the following operational command:
       > show user server-monitor state all
    3. On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.

Configure User-ID to Monitor Syslog Senders for User Mapping

To obtain IP address-to-username mappings from existing network services that authenticate users, you can configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent to parse Syslog messages from those services. To keep user mappings up to date, you can also configure the User-ID agent to parse syslog messages for logout events so that the firewall automatically deletes outdated mappings.
- Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
- Configure the Windows User-ID Agent as a Syslog Listener

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

To configure the PAN-OS Integrated User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:
- Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events: [Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212

After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.

The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Step 1  Determine whether there is a predefined Syslog Parse profile for your particular syslog senders.
        Palo Alto Networks provides several predefined profiles through Application content updates. The predefined profiles are global to the firewall, whereas custom profiles apply to a single virtual system only.
        NOTE: Any new Syslog Parse profiles in a given content release are documented in the corresponding release note along with the specific regex used to define the filter.
    1. Install the latest Applications or Applications and Threats update:
       a. Select Device > Dynamic Updates and Check Now.
       b. Download and Install any new update.
    2. Determine which predefined Syslog Parse profiles are available:
       a. Select Device > User Identification > User Mapping and click Add in the Server Monitoring section.
       b. Set the Type to Syslog Sender and click Add in the Filter section. If the Syslog Parse profile you need is available, skip the steps for defining custom profiles.

Step 2  Define custom Syslog Parse profiles to create and delete user mappings.
        Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
    1. Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles.
       While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
    2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup.
    3. Select Syslog Filters and Add a Syslog Parse profile.
    4. Enter a name to identify the Syslog Parse Profile.
    5. Select the Type of parsing to find login or logout events in syslog messages:
       - Regex Identifier: Regular expressions.
       - Field Identifier: Text strings.
       The following steps describe how to configure these parsing types.


Step 3: (Regex Identifier parsing only) Define the regex matching patterns.
  NOTE: If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.

  1. Enter the Event Regex for the type of events you want to find:
     - Login events: For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success.
     - Logout events: For the example message, the regex (logout\ successful){1} extracts the first {1} instance of the string logout successful.
     The backslash (\) before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
  2. Enter the Username Regex to identify the start of the username.
     In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
  3. Enter the Address Regex to identify the IP address portion of syslog messages.
     In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
     The following is an example of a completed Syslog Parse profile that uses regex to identify login events:
     (Figure: completed Syslog Parse profile, Regex Identifier type; image not reproduced.)
  4. Click OK twice to save the profile.


Step 4: (Field Identifier parsing only) Define string matching patterns.

  1. Enter an Event String to identify the type of events you want to find.
     - Login events: For the example message, the string authentication success identifies login events.
     - Logout events: For the example message, the string logout successful identifies logout events.
  2. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
     In the example messages, User: identifies the start of the username field.
  3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
  4. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
     In the example messages, Source: identifies the start of the address field.
  5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages.
     For example, enter \n to indicate the delimiter is a line break.
     The following is an example of a completed Syslog Parse profile that uses string matching to identify login events:
     (Figure: completed Syslog Parse profile, Field Identifier type; image not reproduced.)
  6. Click OK twice to save the profile.


Step 5: Specify the syslog senders that the firewall monitors.
  Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
  The firewall discards any syslog messages received from senders that are not on this list.

  1. Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring list.
  2. Enter a Name to identify the sender.
  3. Make sure the sender profile is Enabled (default is enabled).
  4. Set the Type to Syslog Sender.
  5. Enter the Network Address of the syslog sender (IP address or FQDN).
  6. Select SSL (default) or UDP as the Connection Type.
     Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
     A syslog sender using SSL to connect will show a Status of Connected only when there is an active SSL connection. Syslog senders using UDP will not show a Status value.
  7. For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that each profile is configured to identify: login (default) or logout.
  8. (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
  9. Click OK to save the settings.


Step 6: Enable syslog listener services on the interface that the firewall uses to collect user mappings.

  1. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
  2. Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on the protocols you defined for the syslog senders in the Server Monitoring list.
     NOTE: The listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.
  3. Click OK to save the interface management profile.
     NOTE: Even after enabling the User-ID Syslog Listener service on the interface, the interface only accepts syslog connections from senders that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from senders that are not on the list.
  4. Assign the Interface Management profile to the interface that the firewall uses to collect user mappings:
     a. Select Network > Interfaces and edit the interface.
     b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.
  5. Commit your changes.

Step 7: Verify that the firewall adds and deletes user mappings when users log in and out.
  You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.

  1. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
  2. Log in to the firewall CLI.
  3. Verify that the firewall mapped the login username to the client IP address:
     > show user ip-user-mapping ip <ip-address>
     IP address: 192.0.2.1 (vsys1)
     User: localdomain\username
     From: SYSLOG
  4. Log out of the client system.
  5. Verify that the firewall deleted the user mapping:
     > show user ip-user-mapping ip <ip-address>
     No matched record

Configure the Windows User-ID Agent as a Syslog Listener

To configure the Windows-based User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:

  Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

  Logout events: [Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212

After configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent monitors.


The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog sender and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

Configure the Windows-Based User-ID Agent to Collect User Mappings from Syslog Senders

Step 1: Deploy the Windows-based User-ID agents if you haven't already.

  1. Install the Windows-Based User-ID Agent.
  2. Configure the firewall to connect to the User-ID agent.

Step 2: Define custom Syslog Parse profiles to create and delete user mappings.
  Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.

  1. Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles.
     While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
  2. Open the Windows Start menu and select User-ID Agent.
  3. Select User Identification > Setup and Edit the Setup.
  4. Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
  5. Enter a Profile Name and Description.
  6. Select the Type of parsing to find login and logout events in syslog messages:
     - Regex: Regular expressions.
     - Field: Text strings.
     The following steps describe how to configure these parsing types.


Step 3: (Regex parsing only) Define the regex matching patterns.
  If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.

  1. Enter the Event Regex for the type of events you want to find:
     - Login events: For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success.
     - Logout events: For the example message, the regex (logout\ successful){1} extracts the first {1} instance of the string logout successful.
     The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
  2. Enter the Username Regex to identify the start of the username.
     In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
  3. Enter the Address Regex to identify the IP address portion of syslog messages.
     In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
     The following is an example of a completed Syslog Parse profile that uses regex to identify login events:
     (Figure: completed Syslog Parse profile, Regex type; image not reproduced.)
  4. Click OK twice to save the profile.


Step 4: (Field Identifier parsing only) Define string matching patterns.

  1. Enter an Event String to identify the type of events you want to find.
     - Login events: For the example message, the string authentication success identifies login events.
     - Logout events: For the example message, the string logout successful identifies logout events.
  2. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
     In the example messages, User: identifies the start of the username field.
  3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
  4. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
     In the example messages, Source: identifies the start of the address field.
  5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages.
     For example, enter \n to indicate the delimiter is a line break.
     The following is an example of a completed Syslog Parse profile that uses string matching to identify login events:
     (Figure: completed Syslog Parse profile, Field type; image not reproduced.)
  6. Click OK twice to save the profile.
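To make the two parsing types concrete, the following is an added Python example (not code from the PAN-OS or Windows User-ID agent) that applies the Regex Identifier patterns and the Field Identifier prefix/delimiter settings quoted in Steps 3 and 4 of both procedures to the login and logout messages shown above, and keeps a toy IP-address-to-username table that is created on a login event and deleted on a logout event. The monitored-sender check, the sender IP addresses, the domain name and the treatment of end-of-message as an implicit delimiter are assumptions of the example, not documented agent behaviour.

```python
import re

# Constructed sample messages in the two formats the procedure uses.
LOGIN_MSG = ("[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success "
             "User:johndoe1 Source:192.168.3.212")
LOGOUT_MSG = ("[Tue Jul 5 13:18:05 2016 CDT] User logout successful "
              "User:johndoe1 Source:192.168.3.212")

# Regex Identifier profiles built from the patterns quoted in Step 3.
USER_RE = r"User:([a-zA-Z0-9\\\._]+)"
ADDR_RE = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
REGEX_PROFILES = {
    "login": {"event": r"(authentication\ success){1}", "user": USER_RE, "addr": ADDR_RE},
    "logout": {"event": r"(logout\ successful){1}", "user": USER_RE, "addr": ADDR_RE},
}

# Field Identifier profiles from Step 4: plain strings plus \s, \t and \n delimiter tokens.
FIELD_PROFILES = {
    "login": {"event": "authentication success", "user_prefix": "User:", "user_delim": r"\s",
              "addr_prefix": "Source:", "addr_delim": r"\n"},
    "logout": {"event": "logout successful", "user_prefix": "User:", "user_delim": r"\s",
               "addr_prefix": "Source:", "addr_delim": r"\n"},
}
DELIM_TOKENS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}


def parse_regex(profile, msg):
    """Apply a Regex Identifier profile; return (user, ip) or None if the event regex misses."""
    if not re.search(profile["event"], msg):
        return None
    user = re.search(profile["user"], msg)
    addr = re.search(profile["addr"], msg)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def _field(msg, prefix, delim_token):
    """Text after `prefix` up to the delimiter (end of message if absent: an assumption)."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    delim = DELIM_TOKENS.get(delim_token, delim_token)
    end = msg.find(delim, start)
    return msg[start:] if end < 0 else msg[start:end]


def parse_field(profile, msg):
    """Apply a Field Identifier profile; same return shape as parse_regex."""
    if profile["event"] not in msg:
        return None
    user = _field(msg, profile["user_prefix"], profile["user_delim"])
    addr = _field(msg, profile["addr_prefix"], profile["addr_delim"])
    if not (user and addr):
        return None
    return user, addr


class SyslogUserMapper:
    """Toy model of the agent's IP-to-username table fed by parsed syslog events."""

    def __init__(self, senders, default_domain=None):
        self.senders = set(senders)        # configured syslog senders; others are discarded
        self.default_domain = default_domain
        self.mappings = {}                 # ip -> user

    def handle(self, sender_ip, msg, parser, profiles):
        """Return 'login', 'logout', 'discarded' or 'unmatched' for one message."""
        if sender_ip not in self.senders:
            return "discarded"
        for event_type, profile in profiles.items():
            hit = parser(profile, msg)
            if hit:
                user, ip = hit
                if event_type == "login":
                    if self.default_domain and "\\" not in user:
                        user = f"{self.default_domain}\\{user}"   # Default Domain Name appended
                    self.mappings[ip] = user
                else:
                    self.mappings.pop(ip, None)
                return event_type
        return "unmatched"
```

Feeding the login message with the regex profiles creates the mapping 192.168.3.212 to localdomain\johndoe1 when the default domain is localdomain; the logout message removes it; a message from an address that is not a configured sender is discarded without being parsed, which is the point of the Server Monitoring list in Step 5.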


Step 5: Specify the syslog senders that the User-ID agent monitors.
  Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders.
  The User-ID agent discards any syslog messages received from senders that are not on this list.

  1. Select User Identification > Discovery and Add an entry to the Servers list.
  2. Enter a Name to identify the sender.
  3. Enter the Server Address of the syslog sender (IP address or FQDN).
  4. Set the Server Type to Syslog Sender.
  5. (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
  6. For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that you configured each profile to identify (login (default) or logout) and then click OK.
  7. Click OK to save the settings.
  8. Commit your changes to the User-ID agent configuration.

Step 6: Verify that the User-ID agent adds and deletes user mappings when users log in and out.
  You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.

  1. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
  2. Verify that the User-ID agent mapped the login username to the client IP address:
     a. In the User-ID agent, select Monitoring.
     b. Enter the username or IP address in the filter field, Search, and verify that the list displays the mapping.
  3. Verify that the firewall received the user mapping from the User-ID agent:
     a. Log in to the firewall CLI.
     b. Run the following command:
        > show user ip-user-mapping ip <ip-address>
        If the firewall received the user mapping, the output resembles the following:
        IP address: 192.0.2.1 (vsys1)
        User: localdomain\username
        From: SYSLOG
  4. Log out of the client system.
  5. Verify that the User-ID agent removed the user mapping:
     a. In the User-ID agent, select Monitoring.
     b. Enter the username or IP address in the filter field, Search, and verify that the list does not display the mapping.
  6. Verify that the firewall deleted the user mapping:
     a. Access the firewall CLI.
     b. Run the following command:
        > show user ip-user-mapping ip <ip-address>
        If the firewall deleted the user mapping, the output displays:
        No matched record


Map IP Addresses to Usernames Using Captive Portal

When a user initiates web traffic (HTTP or HTTPS) that matches an Authentication Policy rule, the firewall prompts the user to authenticate through Captive Portal. This ensures that you know exactly who is accessing your most sensitive applications and data. Based on user information collected during authentication, the firewall creates a new IP address-to-username mapping or updates the existing mapping for that user. This method of user mapping is useful in environments where the firewall cannot learn mappings through other methods such as monitoring servers. For example, you might have users who are not logged in to your monitored domain servers, such as users on Linux clients.

  Captive Portal Authentication Methods
  Captive Portal Modes
  Configure Captive Portal

Captive Portal Authentication Methods

Captive Portal uses the following methods to authenticate users whose web requests match Authentication Policy rules:

Authentication Method: Description

Kerberos SSO
  The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials from the browser. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account.
  If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
  Kerberos SSO is preferable to NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.

NT LAN Manager (NTLM)
  The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
  If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
  If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
  Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM, but you can't use NTLM to authenticate non-Windows clients.

Web Form
  The firewall redirects web requests to a web form for authentication. For this method, you can configure Authentication policy to use Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, or LDAP authentication. Although users have to manually enter their login credentials, this method works with all browsers and operating systems.

Client Certificate Authentication
  The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.


Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode: Description

Transparent
  The firewall intercepts the browser traffic per the Authentication policy rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, use this mode only when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Redirect
  The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
  If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites. Redirect mode is also required if you use Multi-Factor Authentication to authenticate Captive Portal users.


Configure Captive Portal

The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests that match an Authentication Policy rule to a firewall interface (redirect host). Based on their sensitivity, the applications that users access through Captive Portal require different authentication methods and settings. To accommodate all authentication requirements, you can use default and custom authentication enforcement objects. Each object associates an Authentication rule with an authentication profile and a Captive Portal authentication method.

  - Default authentication enforcement objects: Use the default objects if you want to associate multiple Authentication rules with the same global authentication profile. You must configure this authentication profile before configuring Captive Portal, and then assign it in the Captive Portal Settings. For Authentication rules that require Multi-Factor Authentication (MFA), you cannot use default authentication enforcement objects.
  - Custom authentication enforcement objects: Use a custom object for each Authentication rule that requires an authentication profile that differs from the global profile. Custom objects are mandatory for Authentication rules that require MFA. To use custom objects, create authentication profiles and assign them to the objects after configuring Captive Portal, when you Configure Authentication Policy.

Keep in mind that authentication profiles are necessary only if users authenticate through a Captive Portal Web Form, Kerberos SSO, or NT LAN Manager (NTLM). Alternatively, or in addition to these methods, the following procedure also describes how to implement Client Certificate Authentication.

If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.


Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 1: Configure the interfaces that the firewall will use for incoming web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
  The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.

  1. (MGT interface only) Select Device > Setup > Interfaces, edit the Management interface, select User-ID, and click OK.
  2. (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use for incoming web requests and communication with directory servers. You must enable Response Pages and User-ID in the Interface Management profile.
  3. (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include LDAP and potentially the following:
     - Kerberos, RADIUS, TACACS+, or Multi-Factor Authentication: Configure a service route for any authentication services that you use.
     - UID Agent: Configure this service only if you will enable NT LAN Manager (NTLM) authentication or if you will Enable User- and Group-Based Policy.
  4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
     If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.

Step 2: Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.

  To verify proper resolution, ping the server FQDN. For example:
     admin@PA-200> ping host dc1.acme.com


Step 3: Configure clients to trust Captive Portal certificates.
  Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.

  To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
  1. Select Device > Certificate Management > Certificates > Device Certificates.
  2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).
  3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
     - Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
     - Signed By: Select the CA certificate you just created or imported.
     - Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
  4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
  5. Configure clients to trust the certificate:
     a. Export the CA certificate you created or imported.
     b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).

Step 4: (Optional) Configure Client Certificate Authentication.
  NOTE: You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.

  1. Use a root CA certificate to generate a client certificate for each user who will authenticate through Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
  2. Export the CA certificate in PEM format to a system that the firewall can access.
  3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
  4. Configure a Certificate Profile.
     - In the Username Field drop-down, select the certificate field that contains the user identity information.
     - In the CA Certificates list, click Add and select the CA certificate you just imported.


Step 5: (Optional) Enable NT LAN Manager (NTLM) authentication.
  As a best practice, choose Kerberos single sign-on (SSO) or SAML SSO authentication over NTLM authentication. Kerberos and SAML are stronger, more robust authentication methods than NTLM and do not require the firewall to have an administrative account to join the domain. If you do configure NTLM, the PAN-OS integrated User-ID agent must be able to successfully resolve the DNS name of your domain controller to join the domain.

  1. If you haven't already done so, Create a Dedicated Service Account for the User-ID Agent.
     As a best practice, use a User-ID agent account that is separate from your firewall administrator account.
  2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.
  3. Select NTLM and Enable NTLM authentication processing.
  4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
  5. Enter the Admin User Name and Password of the Active Directory account you created for the User-ID agent.
     Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
  6. Click OK to save your settings.


Step 6: Configure the Captive Portal settings.

  1. Select Device > User Identification > Captive Portal Settings and edit the settings.
  2. Enable Captive Portal (default is enabled).
  3. Specify the Timer, which is the maximum time in minutes that the firewall retains an IP address-to-username mapping for a user after that user authenticates through Captive Portal (default is 60; range is 1 to 1,440). After the Timer expires, the firewall removes the mapping and any associated Authentication Timestamps used to evaluate the Timeout in Authentication policy rules.
     When evaluating the Captive Portal Timer and the Timeout value in each Authentication policy rule, the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authenticating, the firewall resets the time count for the Captive Portal Timer and records new authentication timestamps for the user. Therefore, to enable different Timeout periods for different Authentication rules, set the Captive Portal Timer to a value the same as or higher than any rule Timeout.
  4. Select the SSL/TLS Service Profile you created for redirect requests over TLS. See Configure an SSL/TLS Service Profile.
  5. Select the Mode (in this example, Redirect).
  6. (Redirect mode only) Specify the Redirect Host, which is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which web requests are redirected.
     If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab.
  7. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
     - To use client certificate authentication, select the Certificate Profile you created.
     - To use global settings for interactive or SSO authentication, select the Authentication Profile you configured.
     - To use Authentication policy rule-specific settings for interactive or SSO authentication, assign authentication profiles to authentication enforcement objects when you Configure Authentication Policy.
  8. Click OK and Commit the Captive Portal configuration.
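The interaction between the Captive Portal Timer and the per-rule Timeout described in step 3 is easier to see in a small simulation. This is an added Python example, not PAN-OS code; the rule names, Timeout values and request times are hypothetical, and it models only the two facts the page states: the user is prompted for whichever setting expires first, and re-authenticating restarts the Timer count and records a new timestamp. Times are in minutes, as on the page.

```python
# Constructed model of one user's Captive Portal Timer and per-rule
# Authentication Timestamps. Rule names and Timeout values are hypothetical.


class CaptivePortalUser:
    """Timer state and per-rule authentication timestamps for one user."""

    def __init__(self, cp_timer):
        self.cp_timer = cp_timer
        self.mapping_expires = None   # minute at which the IP-to-user mapping is removed
        self.rule_auth_time = {}      # rule name -> minute of last authentication

    def _expire(self, now):
        # When the Timer expires, the mapping and every associated
        # Authentication Timestamp are removed together.
        if self.mapping_expires is not None and now >= self.mapping_expires:
            self.mapping_expires = None
            self.rule_auth_time.clear()

    def request(self, rule, rule_timeout, now):
        """Return 'prompt' or 'allow' for a request matching `rule` at minute `now`."""
        self._expire(now)
        last = self.rule_auth_time.get(rule)
        if last is None or now - last >= rule_timeout:
            # Re-authenticating restarts the Timer count and records a new timestamp.
            self.mapping_expires = now + self.cp_timer
            self.rule_auth_time[rule] = now
            return "prompt"
        return "allow"


def simulate(cp_timer, requests):
    """Run a sequence of (rule, rule_timeout, minute) requests for one user."""
    user = CaptivePortalUser(cp_timer)
    return [user.request(rule, timeout, minute) for rule, timeout, minute in requests]


def rules_capped_by_timer(cp_timer, rule_timeouts):
    """Rules whose Timeout can never take full effect because the Timer expires first."""
    return sorted(name for name, t in rule_timeouts.items() if t > cp_timer)


# Hypothetical rules: with the page's default Timer of 60, 'finance-app' is capped.
RULE_TIMEOUTS = {"intranet-wiki": 30, "finance-app": 90}
SCENARIO = [
    ("intranet-wiki", 30, 0),    # first request: prompt; Timer now runs to minute 60
    ("intranet-wiki", 30, 20),   # within the 30-minute rule Timeout: allow
    ("intranet-wiki", 30, 30),   # rule Timeout reached: prompt; Timer now runs to 90
    ("finance-app", 90, 40),     # no timestamp for this rule yet: prompt; Timer runs to 100
    ("finance-app", 90, 99),     # neither the Timer nor the rule Timeout expired: allow
    ("finance-app", 90, 100),    # Timer expired at 100: mapping gone, prompt again
]
```

With the Timer at 60 the last request is prompted at minute 100 even though the 90-minute rule Timeout would not have expired until minute 130; raising the Timer to 90, as the page advises (Timer the same as or higher than any rule Timeout), lets that request through.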

Step 7: Next steps...
  The firewall does not display the Captive Portal web form to users until you Configure Authentication Policy rules that trigger authentication when users request services or applications.


Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.

The following sections describe how to configure user mapping for terminal server users:
  Configure the Palo Alto Networks Terminal Services Agent for User Mapping
  Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.

For information about the terminal servers that the TS Agent supports, refer to the Palo Alto Networks Compatibility Matrix.

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Step 1: Download the TS agent installer.

  1. Log in to the Palo Alto Networks Customer Support website.
  2. Select Software Updates from the Manage Devices section.
  3. Scroll to the Terminal Services Agent section and Download the version of the agent you want to install.
  4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.


Step 2: Run the installer as an administrator.

  1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
  2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
     C:\Users\administrator.acme>cd Desktop
     C:\Users\administrator.acme\Desktop>TaInstall-8.0.0-1.msi
  3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
  4. When the installation completes, Close the setup window.
     NOTE: If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.

Step 3: Define the range of ports for the TS Agent to allocate to end users.
  NOTE: The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.

  1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.
  2. Select Configure in the side menu.
  3. Enter the Source Port Allocation Range (default 20000-39999). This is the full range of port numbers that the TS agent will allocate for user mapping. The port range you specify cannot overlap with the System Source Port Allocation Range.
  4. (Optional) If there are ports or port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.
  5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).
  6. Specify the Port Allocation Maximum Size Per User, which is the maximum number of ports the Terminal Services agent can allocate to an individual user.
  7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up checkbox is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this checkbox. Keep in mind that this traffic may not be identified with User-ID.


Step 4  (Optional) Assign your own certificates for mutual authentication between the TS agent and the
        firewall.
  1. Obtain your certificate for the TS agent from your enterprise PKI or generate one on your firewall.
     The private key of the server certificate must be encrypted. The certificate must be uploaded in PEM
     file format.
     - Generate a Certificate and export it for upload to the TS agent.
     - Export a certificate from your enterprise certificate authority (CA) and then upload it to the TS
       agent.
  2. Add a server certificate to the TS agent.
     a. On the TS agent, select Server Certificate and click Add.
     b. Enter the path and name of the certificate file received from the CA or browse to the certificate
        file.
     c. Enter the private key password.
     d. Click OK and then Commit.
  3. Configure and assign the certificate profile for the firewall.
     a. Select Device > Certificate Management > Certificate Profile to Configure a Certificate Profile.
        You can only assign one certificate profile for Windows User-ID agents and TS agents. Therefore,
        your certificate profile must include all certificate authorities that issued certificates uploaded
        to connected Windows User-ID and TS agents.
     b. Select Device > User Identification > Connection Security and click the edit button to assign the
        certificate profile.
     c. Select the certificate profile you configured in the previous step from the User-ID Certificate
        Profile drop-down.
     d. Click OK.
     e. Commit your changes.

Step 5  Configure the firewall to connect to the Terminal Services agent.
  Complete the following steps on each firewall you want to connect to the Terminal Services agent to
  receive user mappings:
  1. Select Device > User Identification > Terminal Server Agents and click Add.
  2. Enter a Name for the Terminal Services agent.
  3. Enter the IP address of the Windows Host on which the Terminal Services agent is installed.
  4. Enter the Port number on which the agent will listen for user mapping requests. This value must match
     the value configured on the Terminal Services agent. By default, the port is set to 5009 on the
     firewall and on the agent. If you change it here, you must also change the Listening Port field on the
     Terminal Services agent Configure screen.
  5. Make sure that the configuration is Enabled and then click OK.
  6. Commit the changes.
  7. Verify that the Connected status displays as connected (a green light).


Step 6  Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that
        the firewalls can connect to the agent.
  1. Open the Windows Start menu and select Terminal Server Agent.
  2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the
     Connection List is Connected.
  3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting
     Monitor in the side menu and making sure that the mapping table is populated.

Step 7  (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for
        each user who uses that browser.
  This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
  To disable Enhanced Protected Mode for all users, use Local Security Policy.
  Perform these steps on the Windows Server:
  1. Start Internet Explorer.
  2. Select Internet options > Advanced and scroll down to the Security section.
  3. Clear Enable Enhanced Protected Mode.
  4. Click OK.
  NOTE: In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which
  differs from Enhanced Protected Mode.

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly
from command-line utilities such as cURL or using any scripting or application framework that supports
RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create
scripts that extract the user login and logout events and use them as input to the PAN-OS XML API request
format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or
wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user
systems such as terminal servers requires use of the following API messages:
- <multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This
  message allows for definition of the terminal server IP address (this will be the source address for all
  users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of
  source port numbers to allocate for user mapping and the number of ports to allocate to each individual
  user upon login (called the block size). If you want to use the default source port allocation range
  (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the
  firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration
  with the default settings upon receipt of the first user login event message.
- <blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number
  allocated to the user. The firewall then uses the block size to determine the actual range of port
  numbers to map to the IP address and username in the login message. For example, if the <blockstart>
  value is 13200 and the block size configured for the multi-user system is 300, the actual source port
  range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a
  unique source port number within the allocated range, enabling the firewall to identify the user based on
  its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user
  exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new
  port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a
  single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a
  <logout> message that includes a <blockstart> parameter, it removes the corresponding IP
  address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a
  username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall
  receives a <logout> message with an IP address only, it removes the multi-user system and all mappings
  associated with it.

The XML files that the terminal server sends to the firewall can contain multiple message types, and the
messages do not need to be in any particular order within the file. However, upon receiving an XML file
that contains multiple message types, the firewall will process them in the following order: multiusersystem
requests first, followed by logins, then logouts.

The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a
non-Windows terminal server to the firewall.

Use the PAN-OS XML API to Map Non-Windows Terminal Services Users

Step 1  Generate the API key that will be used to authenticate the API communication between the firewall
        and the terminal server.
  To generate the key you must provide login credentials for an administrative account; the API is
  available to all administrators (including role-based administrators with XML API privileges enabled).
  NOTE: Any special characters in the password must be URL/percent-encoded.
  From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser
  window and enter the following URL:
    https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>
  Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are
  the credentials for the administrative user account on the firewall. For example:
    https://10.1.2.5/api/?type=keygen&user=admin&password=admin
  The firewall responds with a message containing the key, for example:
    <response status="success">
      <result>
        <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
      </result>
    </response>


Step 2  (Optional) Generate a setup message that the terminal server will send to specify the port range and
        block size of ports per user that your terminal services agent uses.
  If the terminal services agent does not send a setup message, the firewall will automatically create a
  Terminal Services agent configuration using the following default settings upon receipt of the first
  login message:
    - Default port range: 1025 to 65534
    - Per-user block size: 200
    - Maximum number of multi-user systems: 1,000
  The following shows a sample setup message:
    <uid-message>
      <payload>
        <multiusersystem>
          <entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
        </multiusersystem>
      </payload>
      <type>update</type>
      <version>1.0</version>
    </uid-message>
  where entry ip specifies the IP address assigned to terminal server users, startport and endport specify
  the port range to use when assigning ports to individual users, and blocksize specifies the number of
  ports to assign to each user. The maximum block size is 4000 and each multi-user system can allocate a
  maximum of 1000 blocks.
  If you define a custom block size and/or port range, keep in mind that you must configure the values such
  that every port in the range gets allocated and that there are no gaps or unused ports. For example, if
  you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is
  because if you set it to 200, there would be unused ports at the end of the range.

Step 3  Create a script that will extract the login events and create the XML input file to send to the
        firewall.
  Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps.
  For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would
  be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because
  some of the port numbers in the range would be left unused.
  NOTE: The login event payload that the terminal server sends to the firewall can contain multiple login
  events.
  The following shows the input file format for a PAN-OS XML login event:
    <uid-message>
      <payload>
        <login>
          <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
          <entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
          <entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
        </login>
      </payload>
      <type>update</type>
      <version>1.0</version>
    </uid-message>
  The firewall uses this information to populate its user mapping table. Based on the mappings extracted
  from the example above, if the firewall received a packet with a source address and port of
  10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
  NOTE: Each multi-user system can allocate a maximum of 1,000 port blocks.


Step 4  Create a script that will extract the logout events and create the XML input file to send to the
        firewall.
  Upon receipt of a logout event message with a blockstart parameter, the firewall removes the
  corresponding IP address-port-user mapping. If the logout message contains a username and IP address, but
  no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an
  IP address only, the firewall removes the multi-user system and all associated mappings.
  The following shows the input file format for a PAN-OS XML logout event:
    <uid-message>
      <payload>
        <logout>
          <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
          <entry name="acme\ccrisp" ip="10.1.1.23"/>
          <entry ip="10.2.5.4"/>
        </logout>
      </payload>
      <type>update</type>
      <version>1.0</version>
    </uid-message>
  NOTE: You can also clear the multi-user system entry from the firewall using the following CLI command:
  clear xml-api multiusersystem

Step 5  Make sure that the scripts you create include a way to dynamically enforce that the port block range
        allocated using the XML API matches the actual source port assigned to the user on the terminal
        server and that the mapping is removed when the user logs out or the port allocation changes.
  One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port
  ranges allocated via the XML API based on the uid. For example, to ensure that a user with the user ID
  jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script
  you create should include the following:
    [root@ts1 ~]# iptables -t nat -A POSTROUTING -m owner --uid-owner jjaso -p tcp -j SNAT --to-source 10.1.1.23:20000-20099
  Similarly, the scripts you create should also ensure that the iptables configuration dynamically removes
  the SNAT mapping when the user logs out or the port allocation changes:
    [root@ts1 ~]# iptables -t nat -D POSTROUTING 1

Step 6  Define how to package the XML input files containing the setup, login, and logout events into wget
        or cURL messages for transmission to the firewall.
  To apply the files to the firewall using wget (the URL is quoted so that the shell does not interpret
  the & characters):
    > wget --post-file <filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&file-name=<input_filename.xml>&client=wget&vsys=<VSYS_name>"
  For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key
  k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look as follows:
    > wget --post-file login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1"
  To apply the file to the firewall using cURL:
    > curl --form file=@<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>"
  For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key
  k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:
    > curl --form file=@login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1"


Step 7  Verify that the firewall is successfully receiving login events from the terminal servers.
  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI
  commands:
  To verify if the terminal server is connecting to the firewall over XML:
    admin@PA-5050> show user xml-api multiusersystem
    Host            Vsys    Users   Blocks
    ----------------------------------------
    10.5.204.43     vsys1   5       2
  To verify that the firewall is receiving mappings from a terminal server over XML:
    admin@PA-5050> show user ip-port-user-mapping all

    Global max host index 1, host hash count 1

    XML API Multi-user System 10.5.204.43
    Vsys 1, Flag 3
    Port range: 20000 - 39999
    Port size: start 200; max 2000
    Block count 100, port count 20000
    20000-20199: acme\administrator

    Total host: 1
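As an added example (not code from the guide or from Palo Alto Networks), the following Python builds the <uid-message> payloads shown in Steps 2 through 4, enforces the block-boundary rule from Step 3, and simulates the setup, login and logout semantics the firewall applies to its IP address-port-user mapping table. All IP addresses, usernames and block sizes are constructed sample values modelled on the guide's figures.

```python
# Added example (not from the PAN-OS guide): build the User-ID XML API messages that a
# terminal server script sends, validate blockstart boundaries, and simulate how the firewall
# applies setup, login and logout entries to its IP-address-port-user mapping table.
import xml.etree.ElementTree as ET


def valid_block_starts(startport, endport, blocksize):
    """Return the blockstart values that tile the port range with no gaps or overlaps.

    Raises ValueError when the range is not a whole number of blocks, e.g. 1000-1499
    with blocksize 200, which would leave unused ports at the end of the range.
    """
    span = endport - startport + 1
    if blocksize <= 0 or span % blocksize != 0:
        raise ValueError(f"range {startport}-{endport} is not a multiple of blocksize {blocksize}")
    return list(range(startport, endport + 1, blocksize))


def build_uid_message(setup=None, logins=(), logouts=()):
    """Serialise one <uid-message> carrying optional setup, login and logout entries.

    setup:   (ip, startport, endport, blocksize)
    logins:  iterable of (username, ip, blockstart)
    logouts: iterable of (username_or_None, ip, blockstart_or_None); omitting blockstart
             removes all of the user's blocks, omitting both removes the multi-user system.
    """
    root = ET.Element("uid-message")
    payload = ET.SubElement(root, "payload")
    if setup is not None:
        ip, start, end, size = setup
        mus = ET.SubElement(payload, "multiusersystem")
        ET.SubElement(mus, "entry", ip=ip, startport=str(start),
                      endport=str(end), blocksize=str(size))
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, blockstart in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, blockstart=str(blockstart))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip, blockstart in logouts:
            attrs = {"ip": ip}
            if user is not None:
                attrs["name"] = user
            if blockstart is not None:
                attrs["blockstart"] = str(blockstart)
            ET.SubElement(logout, "entry", attrs)
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    return ET.tostring(root, encoding="unicode")


class MultiUserSystem:
    """Firewall-side view of one XML API multi-user system (one terminal server IP)."""

    def __init__(self, ip, startport, endport, blocksize):
        self.ip = ip
        self.blocksize = blocksize
        self.boundaries = set(valid_block_starts(startport, endport, blocksize))
        self.blocks = {}  # blockstart -> username

    def login(self, user, blockstart):
        """Map blockstart .. blockstart+blocksize-1 to user; reject misaligned or busy blocks."""
        if blockstart not in self.boundaries:
            raise ValueError(f"blockstart {blockstart} is not on a block boundary")
        if blockstart in self.blocks:
            raise ValueError(f"block {blockstart} already belongs to {self.blocks[blockstart]}")
        self.blocks[blockstart] = user

    def logout(self, user=None, blockstart=None):
        """Apply the three logout forms the guide describes."""
        if blockstart is not None:          # name + ip + blockstart: drop that one block
            self.blocks.pop(blockstart, None)
        elif user is not None:              # name + ip: drop every block held by the user
            self.blocks = {b: u for b, u in self.blocks.items() if u != user}
        else:                               # ip only: remove the whole multi-user system
            self.blocks.clear()

    def lookup(self, port):
        """Return the user that owns a source port, or None when the port is unallocated."""
        for start, user in self.blocks.items():
            if start <= port < start + self.blocksize:
                return user
        return None


if __name__ == "__main__":
    # Constructed sample data modelled on the guide's figures (10.1.1.23, blocksize 100).
    fw = MultiUserSystem("10.1.1.23", 20000, 39999, 100)
    for name, start in (("acme\\jjaso", 20000), ("acme\\jparker", 20100), ("acme\\ccrisp", 21000)):
        fw.login(name, start)
    print(fw.lookup(20101))  # acme\jparker, the Step 3 lookup
    print(build_uid_message(logins=[("acme\\jjaso", "10.1.1.23", 20000)]))
```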

Send User Mappings to User-ID Using the XML API

User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might
have applications or devices that capture user information but cannot natively integrate with User-ID. For
example, you might have a custom, internally developed application or a device that no standard user
mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send
the information to the PAN-OS integrated User-ID agent or directly to the firewall. The PAN-OS XML API uses
standard HTTP requests to send and receive data. API calls can be made directly from command-line utilities
such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the PAN-OS integrated User-ID agent,
create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API
request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for
example) and use the API key of the firewall for secure communication. For more details, refer to the
PAN-OS XML API Usage Guide.


Enable User- and Group-Based Policy

After you Enable User-ID, you will be able to configure Security policy that applies to specific users and
groups. User-based policy controls can also include application information (including which category and
subcategory it belongs in, its underlying technology, or what the application characteristics are). You can
define policy rules to safely enable applications based on users or groups of users, in either outbound or
inbound directions.
Examples of user-based policies include:
- Enable only the IT department to use tools such as SSH, telnet, and FTP on standard ports.
- Allow the Help Desk Services group to use Slack.
- Allow all users to read Facebook, but block the use of Facebook apps, and restrict posting to employees
  in marketing.


Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames
(accounts), each with distinct privileges for accessing a particular set of services, but with all the
usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map
any one IP address (or IP address and port range for terminal server users) to only one username for
enforcing policy, and you can't predict which username the agent will map. To control access for all the
usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that
allows username admin_user to access a MySQL server. The user logs in with either username from the same
client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as
corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not
the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall
always identifies the user as admin_user regardless of login and allows access to the MySQL server but not
email. The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts

Step 1  Configure a user group for each service that requires distinct access privileges.
  In this example, each group is for a single service (email or MySQL server). However, it is common to
  configure each group for a set of services that require the same privileges (for example, one group for
  all basic user services and one group for all administrative services).
  If your organization already has user groups that can access the services that the user requires, simply
  add the username that is used for less restricted services to those groups. In this example, the email
  server requires less restricted access than the MySQL server, and corp_user is the username for accessing
  email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that
  can access the MySQL server (network_services).
  If adding a username to a particular existing group would violate your organizational practices, you can
  create a custom group based on an LDAP filter. For this example, say network_services is a custom group,
  which you configure as follows:
  1. Select Device > User Identification > Group Mapping Settings and Add a group mapping configuration
     with a unique Name.
  2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
  3. Select the Custom Group tab and Add a custom group with network_services as a Name.
  4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
  5. Click OK and Commit.
  NOTE: Later, if other users that are in the group for less restricted services are given additional
  usernames that access more restricted services, you can add those usernames to the group for more
  restricted services. This scenario is more common than the inverse; a user with access to more restricted
  services usually already has access to less restricted services.


Step 2  Configure the rules that control user access based on the groups you just configured.
  Enable user- and group-based policy enforcement.
  1. Configure a security rule that allows the corp_employees group to access email.
  2. Configure a security rule that allows the network_services group to access the MySQL server.

Step 3  Configure the ignore list of the User-ID agent.
  This ensures that the User-ID agent maps the client IP address only to the username that is a member of
  the groups assigned to the rules you just configured. The ignore list must contain all the usernames of
  the user that are not members of those groups.
  In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that
  it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user
  or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured
  because corp_user is a member of the groups that the rules reference.
  1. Create an ignore_user_list.txt file.
  2. Open the file and add admin_user.
     If you later add more usernames, each must be on a separate line.
  3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
  NOTE: If you use the PAN-OS integrated User-ID agent, see Configure User Mapping Using the PAN-OS
  Integrated User-ID Agent for instructions on how to configure the ignore list.

Step 4  Configure endpoint authentication for the restricted services.
  This enables the endpoint to verify the credentials of the user and preserves the ability to enable
  access for users with multiple usernames.
  In this example, you have configured a firewall rule that allows corp_user, as a member of the
  network_services group, to send a service request to the MySQL server. You must now configure the MySQL
  server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the
  login credentials of an authorized username (admin_user).
  NOTE: If the user logs in to the network as admin_user, the user can then access the MySQL server without
  it prompting for the admin_user credentials again.
  In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for
  additional credentials regardless of which username the user entered when logging in to the network.
  The firewall is now ready to enforce rules for a user with multiple usernames.


Verify the User-ID Configuration

After you configure user and group mapping, enable User-ID in your Security policy, and configure
Authentication policy, you should verify that User-ID works properly.

Verify the User-ID Configuration

Step 1  Access the firewall CLI.

Step 2  Verify that group mapping is working.
  From the CLI, enter the following operational command:
    > show user group-mapping statistics

Step 3  Verify that user mapping is working.
  If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the
  following command:
    > show user ip-user-mapping-mp all
    IP               Vsys   From  User                 Timeout (sec)
    ------------------------------------------------------
    192.168.201.1    vsys1  UIA   acme\george          210
    192.168.201.11   vsys1  UIA   acme\duane           210
    192.168.201.50   vsys1  UIA   acme\betsy           210
    192.168.201.10   vsys1  UIA   acme\administrator   210
    192.168.201.100  vsys1  AD    acme\administrator   748
    Total: 5 users
    *: WMI probe succeeded

Step 4  Test your Security policy rule.
  From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the
  rules you defined in your policy and ensure that traffic is allowed and denied as expected.
  You can also use the test security-policy-match operational command to determine whether the policy is
  configured correctly. For example, suppose you have a rule that blocks user duane from playing World of
  Warcraft; you could test the policy as follows:
    > test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
    "deny worldofwarcraft" {
            from corporate;
            source any;
            source-region any;
            to internet;
            destination any;
            destination-region any;
            user acme\duane;
            category any;
            application/service worldofwarcraft;
            action deny;
            terminal no;
    }


Step 5  Test your Authentication policy and Captive Portal configuration.
  1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system,
     and try to ping a system external to the zone. The ping should work without requiring authentication.
  2. From the same machine, open a browser and navigate to a website in a destination zone that matches an
     Authentication rule you defined. The Captive Portal web form should display and prompt you for login
     credentials.
  3. Log in using the correct credentials and confirm that you are redirected to the requested page.
  4. You can also test your Authentication policy using the test cp-policy-match operational command as
     follows:
       > test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
       Matched rule: 'captive portal' action: web-form

Step 6  Verify that the log files display usernames.
  Select a logs page (such as Monitor > Logs > Traffic) and verify that the Source User column displays
  usernames.

Step 7  Verify that reports display usernames.
  1. Select Monitor > Reports.
  2. Select a report type that includes usernames. For example, the Denied Applications report, Source User
     column, should display a list of the users who attempted to access the applications.


Deploy User-ID in a Large-Scale Network

A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to
usernames and to map usernames to user groups. You can simplify User-ID administration for such a network
by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby
reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies.
You can reduce the resources that the firewalls and information sources use in the querying process by
configuring some firewalls to acquire mapping information through redistribution instead of direct querying.
Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for
authentication (such as regional directory services) but need access to remote services and applications
(such as global data center applications).
If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps
associated with user responses to authentication challenges. Firewalls use the timestamps to evaluate the
timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later
request services and applications without authenticating again within the timeout periods. Redistributing
timestamps enables you to enforce consistent timeouts for each user even if the firewall that initially
grants a user access is not the same firewall that later controls access for that user.
- Deploy User-ID for Numerous Mapping Information Sources
- Redistribute User Mappings and Authentication Timestamps

Deploy User-ID for Numerous Mapping Information Sources

You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping
in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These
methods simplify User-ID administration by aggregating the mapping information before the User-ID agents
collect it, thereby reducing the number of required agents.
- Windows Log Forwarding and Global Catalog Servers
- Plan a Large-Scale User-ID Deployment
- Configure Windows Log Forwarding
- Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to
monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous
User-ID agents involves considerable administrative overhead, especially in expanding networks where
tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the
administrative overhead by reducing the number of servers to monitor and thereby reducing the number of
User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export
their login events to a single domain member from which a User-ID agent collects the user mapping
information.


You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and
2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.

To collect group mapping information in a large-scale network, you can configure the firewall to query a
Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the
firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this
deployment suits your network.

Plan a Large-Scale User-ID Deployment

When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID
implementation, consult your system administrator to determine:
- Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a
  multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of
  each login event.
  Note that domain controllers won't forward their entire security logs; they forward only the events that
  the user mapping process requires per login: three events for Windows Server 2003 or four events for
  Windows Server 2008/2012 and MS Exchange.
- Whether the following network elements support the required bandwidth:
  - Domain controllers: Must support the processing load associated with forwarding the events.
  - Member servers: Must support the processing load associated with receiving the events.
  - Connections: The geographic distribution (local or remote) of the domain controllers, member servers,
    and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.

Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on
Windows servers. Configure Windows Log Forwarding on every member server that will collect login events
from domain controllers. The following is an overview of the tasks; consult your Windows Server
documentation for the specific steps.

Configure Windows Log Forwarding

Step 1  On every member server that will collect security events, enable event collection, add the domain
        controllers as event sources, and configure the event collection query (subscription). The events
        you specify in the subscription vary by domain controller platform:
  - Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted),
    673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
  - Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are
    4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and
    4624 (Logon Success).
  You must forward events to the security logs location on the member servers, not to the default
  forwarded logs location. To do so, on the Windows Event Collector that is receiving the logs, you must
  change the log path so that the Forwarded Events are written to the Security logs location.
  1. Open Event Viewer on the Windows Event Collector.
  2. Right-click on the Forwarded Events folder and select Properties.
  3. In log path, change the path from
     %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx to
     %SystemRoot%\System32\Winevt\Logs\security.evtx
  To forward events as quickly as possible, select the Minimize Latency option when configuring the
  subscription.

Step 2  Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.

Step3 ConfigureagrouppolicytoenableWindowsEventForwardingonthedomaincontrollers.
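The following Python check is an added example, not part of this guide or of any Palo Alto Networks or Microsoft tool. It reads the query XML of a Windows Event Forwarding subscription (the XML that Event Viewer shows for a subscription's event filter) and reports which of the event IDs listed in Step 1 the subscription fails to select; the subscription XML in it is constructed for the example and is deliberately incomplete.

```python
import re
import xml.etree.ElementTree as ET

# Event IDs the guide's Step 1 requires, keyed by domain controller platform.
REQUIRED_EVENT_IDS = {
    "2003": {672, 673, 674},
    "2008/2012": {4768, 4769, 4770, 4624},
}

# Constructed subscription query (same shape as the XML Event Viewer shows for
# a subscription's event filter); it deliberately omits two required IDs.
SAMPLE_QUERY_XML = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4768 or EventID=4769)]]</Select>
  </Query>
</QueryList>"""


def selected_event_ids(query_xml):
    """Every EventID named in the query's Select clauses."""
    root = ET.fromstring(query_xml)
    ids = set()
    for select in root.iter("Select"):
        ids.update(int(n) for n in re.findall(r"EventID=(\d+)", select.text or ""))
    return ids


def missing_event_ids(query_xml, platform):
    """Required IDs for `platform` that the subscription does not select."""
    return REQUIRED_EVENT_IDS[platform] - selected_event_ids(query_xml)


def check_subscription(query_xml, platform):
    """Findings for the collector's subscription; an empty list satisfies Step 1."""
    findings = []
    missing = missing_event_ids(query_xml, platform)
    if missing:
        findings.append(f"missing event IDs for Windows Server {platform}: {sorted(missing)}")
    # The Kerberos and logon events above are written to the domain controllers'
    # Security log, so a Select against any other log cannot collect them.
    root = ET.fromstring(query_xml)
    bad_paths = {s.get("Path", "") for s in root.iter("Select")} - {"Security"}
    if bad_paths:
        findings.append(f"Select clauses read from non-Security logs: {sorted(bad_paths)}")
    return findings


if __name__ == "__main__":
    for finding in check_subscription(SAMPLE_QUERY_XML, "2008/2012"):
        print(finding)
```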

Configure User-ID for Numerous Mapping Information Sources


Step 1  Configure Windows Log Forwarding on the member servers that will collect login events.
  See Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.

Palo Alto Networks, Inc. | PAN-OS 8.0 Administrator's Guide | 469


Step 2  Install the Windows-based User-ID agent.
  Install the Windows-Based User-ID Agent on a Windows server that can access the member servers. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.

Step 3  Configure the User-ID agent to collect user mapping information from the member servers.
  1. Start the Windows-based User-ID agent.
  2. Select User Identification > Discovery and perform the following steps for each member server that will receive events from domain controllers:
     a. In the Servers section, click Add and enter a Name to identify the member server.
     b. In the Server Address field, enter the FQDN or IP address of the member server.
     c. For the Server Type, select Microsoft Active Directory.
     d. Click OK to save the server entry.
  3. Configure the remaining User-ID agent settings: see Configure the Windows-Based User-ID Agent for User Mapping.

Step 4  Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
  To improve availability, use at least two Global Catalog servers for redundancy.
  You can collect group mapping information only for universal groups, not local domain groups (subdomains).
  1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
  2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (StartTLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
  3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
  4. For the Type, select active-directory.
  5. Configure the remaining fields as necessary: see Add an LDAP server profile.

Step 5  Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information. User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
  To improve availability, use at least two servers for redundancy.
  The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
  - LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
  - Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
  - Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).


Step 6  Create a group mapping configuration for each LDAP server profile you created.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Click Add and enter a Name to identify the group mapping configuration.
  3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
  4. Configure the remaining fields as necessary: see Map Users to Groups.
     If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
  5. Click OK and Commit.

Redistribute User Mappings and Authentication Timestamps

Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).

You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate firewall logs, you can use Panorama to manage User-ID redistribution. Leveraging Panorama and your distributed log collection infrastructure is a simpler solution than creating extra connections between firewalls to redistribute User-ID information.

If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps that are generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts across all the firewalls in your network.
Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you don't have to configure redistribution for each information type separately.
- Firewall Deployment for User-ID Redistribution
- Configure User-ID Redistribution


Firewall Deployment for User-ID Redistribution

To aggregate User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policies for all users in top-layer firewalls and region- or function-specific policies for a subset of users in the corresponding domains served by lower-layer firewalls.
Figure: User-ID and Timestamp Redistribution shows a deployment with three layers of firewalls that redistribute mappings and timestamps from local offices to regional offices and then to a global data center. The data center firewall that aggregates all the information shares it with other data center firewalls so that they can all enforce policy and generate reports for users across your entire network. Only the bottom-layer firewalls use User-ID agents to query the directory servers.
The information sources that the User-ID agents query do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate information in one data center firewall and the second to share the information with other data center firewalls.

Figure: User-ID and Timestamp Redistribution
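The hop-counting rules above can be checked against a planned topology before any firewall is configured. The Python below is an added example, not from this guide or from PAN-OS; the topology in it is constructed to match the three-layer deployment described above, and every node name is hypothetical.

```python
MAX_HOPS = 10     # maximum hops in a redistribution sequence (from the guide)
MAX_FAN_IN = 100  # redistribution points one firewall may receive from

# Constructed topology matching the guide's three-layer example: local office
# -> regional office -> data center aggregator -> other data center firewalls.
# North America maps through a Windows-based agent, Europe through the PAN-OS
# integrated agent on the local firewall. Node kinds: "source" (directory
# server), "win_agent" (Windows-based User-ID agent), "firewall" (firewall or
# virtual system). The sequence is a tree, so no cycles are expected.
KINDS = {
    "dc-eu": "source", "fw-eu-local": "firewall", "fw-eu-regional": "firewall",
    "dc-na": "source", "agent-na": "win_agent", "fw-na-local": "firewall",
    "fw-na-regional": "firewall", "fw-dc-aggr": "firewall", "fw-dc-2": "firewall",
}
# (upstream, downstream): the downstream node receives mappings from upstream.
EDGES = [
    ("dc-eu", "fw-eu-local"), ("fw-eu-local", "fw-eu-regional"),
    ("fw-eu-regional", "fw-dc-aggr"),
    ("dc-na", "agent-na"), ("agent-na", "fw-na-local"),
    ("fw-na-local", "fw-na-regional"), ("fw-na-regional", "fw-dc-aggr"),
    ("fw-dc-aggr", "fw-dc-2"),
]


def hop_cost(upstream, kinds):
    # A transfer counts as a hop unless it is a query to an information source;
    # Windows-based agents forwarding to a firewall count, as do firewalls/vsys.
    return 0 if kinds[upstream] == "source" else 1


def hops_along(path, kinds):
    """Hops accumulated along an explicit path from a source to a consumer."""
    return sum(hop_cost(u, kinds) for u in path[:-1])


def max_hops_to(node, edges, kinds):
    """Longest hop count over every path that ends at `node`."""
    return max((hop_cost(u, kinds) + max_hops_to(u, edges, kinds)
                for u, d in edges if d == node), default=0)


def validate(edges, kinds):
    """Findings against the two limits the guide states; an empty list is OK."""
    findings = []
    for node in kinds:
        hops = max_hops_to(node, edges, kinds)
        if hops > MAX_HOPS:
            findings.append(f"{node}: {hops} hops exceeds the maximum of {MAX_HOPS}")
        fan_in = sum(1 for u, d in edges if d == node and kinds[u] != "source")
        if fan_in > MAX_FAN_IN:
            findings.append(f"{node}: receives from {fan_in} redistribution points")
    return findings
```

With this topology the European path to the second data center firewall costs three hops and the North American path four, as the text states.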


Configure User-ID Redistribution

Before you configure User-ID redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
- Configure user mapping using PAN-OS Integrated User-ID agents or Windows-based User-ID Agents.
- Configure Authentication Policy.
Perform the following steps on the firewalls in the User-ID redistribution sequence.


Step 1  Configure the firewall to redistribute User-ID information.
  Skip this step if the firewall receives but does not redistribute User-ID information.
  1. Select Device > User Identification > User Mapping.
  2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
     You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
  3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
  4. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
  5. Click OK to save your changes.

Step 2  Configure the service route that the firewall uses to query other firewalls for User-ID information.
  Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
  1. Select Device > Setup > Services.
  2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
  3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
  4. Select UID Agent and then select the Source Interface and Source Address.
  5. Click OK twice to save the service route.

Step 3  Enable the firewall to respond when other firewalls query it for User-ID information.
  Skip this step if the firewall receives but does not redistribute User-ID information.
  Configure an Interface Management profile with the User-ID service enabled and assign the profile to a firewall interface.


Step 4  Commit and verify your changes.
  1. Commit your changes to activate them.
  2. Access the CLI of a firewall that redistributes User-ID information.
  3. Display all the user mappings by running the following command:
> show user ip-user-mapping all
  4. Record the IP address associated with any username.
  5. Access the CLI of a firewall that receives redistributed User-ID information.
  6. Display the mapping information and authentication timestamp for the <IP-address> you recorded:
> show user ip-user-mapping ip <address>
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
  NOTE: This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple Authentication Timestamps.
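The following Python parser is an added example, not part of this guide or of PAN-OS. It turns the `show user ip-user-mapping ip <address>` output shown above into a dictionary (the sample text is the guide's own output, embedded as a constant) and compares the mapping held on a redistributing firewall with the copy on a receiving firewall, allowing for the multiple MFA Timestamp lines that multi-factor rules produce.

```python
from datetime import datetime

# Sample output copied from the verification step above; held as a constant
# so the parser can be exercised without firewall access.
SAMPLE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""


def parse_mapping(text):
    """Parse one 'show user ip-user-mapping ip <address>' record into a dict.

    Any number of 'MFA Timestamp' lines are collected, one per factor."""
    m = {"mfa": [], "groups": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")   # split at the first colon only
        key, value = key.strip(), value.strip()
        if key == "IP address":
            ip, _, vsys = value.partition(" ")
            m["ip"], m["vsys"] = ip, vsys.strip("()")
        elif key == "User":
            m["user"] = value
        elif key == "From":
            m["source"] = value
        elif key == "Idle Timeout":
            m["idle_timeout_s"] = int(value.rstrip("s"))
        elif key == "Max. TTL":
            m["max_ttl_s"] = int(value.rstrip("s"))
        elif key == "MFA Timestamp":
            factor, _, stamp = value.partition(" - ")
            m["mfa"].append((factor, datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")))
        elif key == "Group(s)":
            m["groups"].append(value)
    return m


def redistribution_consistent(local, remote):
    """True when the receiving firewall holds the same user for the same IP and
    every authentication timestamp that the redistributing firewall holds."""
    same_identity = (local["ip"], local["user"]) == (remote["ip"], remote["user"])
    return same_identity and set(local["mfa"]) <= set(remote["mfa"])
```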
