The “almost” complete guide of User-ID
installation and configuration
Alberto Rivai
Contents
1. IP – User Mapping
   a. IP – User Mapping (with UID Agent)
      Create service account, configure account permission and install UID agent
      Configure User-ID agent in the firewall
   b. IP – User Mapping (Agentless)
      Create service account and configure account permission
      Configure UID in the firewall
2. User enumeration
3. IP – User Mapping through User-ID API
   3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
      Lab Diagram
      Installation
      UIDConfig.xml variables description
   3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration
User Identification in PAN-OS 4.1 encompasses two primary functions:
• Mapping of those users to their current IP addresses
• Enumeration of users and their associated group membership.
1. IP – User Mapping
a. IP – User Mapping (with UID Agent)
The first section maps users to their current IP addresses. This section uses the UID agent to perform
the function.
Create service account, configure account permission and install UID agent
1. Create a service account (for example, Labuid) in the domain controller.
2. Log in to any computer that is a member of the domain; you do not need to install the UID
agent on the AD server or domain controller.
3. Log in with an account that has local administrator permission.
4. Add Labuid to the local Administrators group.
5. Download the UID agent.
6. Run the command prompt as administrator.

7. install from command prompt

8. By default, the agent will be configured to log in as the user who installed the .msi file. In the
screen shot that follows, you will see that the “Labuid” account that installed the agent is
now the agent service account. Use the “Edit” button on the configuration window to
change the service account to a restricted user account if desired.

9. Allow the agent account to log on to the member server as a service. On the member server,
open the “Local Security Policy” MMC.
10. Under “Local Policies” > “User Rights Assignment”, add the service account to the “Log
on as a service” right.

11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators”
built-in security groups in the domain.
12. For Win2K3, the user right “Manage auditing and security log” must be given to that
account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin
Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see
the screen below.
In the right-hand pane, locate the user right “Manage auditing and security log”. Double click that
entry. You will see that only Administrators have that user right.

Click Add User or Group.
Enter the username of the account you just created, and click on Check Names to confirm that
account exists. The account name will become underlined.
13. Make sure that the service is running in Services window.

14. To check if you have configured the UID agent correctly, go to Start -> Palo Alto Networks ->
User-ID Agent and open the UID agent GUI, go to Discovery Tab, you will see the Domain
Controller listed.

15. To check that the UID agent successfully reads the event log and discovers usernames, go
to the Monitoring tab.
16. Next step is adding the UID agent in the firewall.
Configure User-ID agent in the firewall
17. Login to the firewall
18. Go to Device tab
19. Then User Identification node, click User-ID Agents sub-tab

20. Click Add, and then enter the name, IP address and port (default 5007). Click OK then hit
commit.

21. You will see the green button when the UID agent successfully connected to the firewall.
22. To verify that the firewall receives the user-to-IP mapping, SSH to the firewall and execute the
command below:
admin@PA-200> show user ip-user-mapping all
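The verification step above ends with reading a table by eye. The following added Python example (not part of the guide and not a Palo Alto tool) parses that table and answers the questions an operator actually has after the change: how many mappings each source contributed, which mappings are about to time out, and which addresses could not be attributed to a user. The sample output, its column layout and the source tags (UIA for the agent) are constructed to resemble PAN-OS 4.x/5.x output and are an assumption; adjust the parser if your version prints different columns.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `show user ip-user-mapping all` prints. The
# column layout and the source tags (e.g. UIA for the User-ID agent) are an
# assumption modelled on PAN-OS 4.x/5.x output; adjust to your version.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                     IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------------ -------------- -------------
10.10.1.21      vsys1  UIA     lab\\alice               2400           2700
10.10.1.22      vsys1  AD      lab\\bob                 120            2700
10.10.1.23      vsys1  UIA     unknown                  2700           2700
Total: 3 users
"""

@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str
    user: str
    idle_timeout: int
    max_timeout: int

_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_ip_user_mapping(text):
    """Turn the CLI output into Mapping objects, skipping the header, the
    separator row and the trailing 'Total:' summary. Rows are whitespace
    separated, so a username containing spaces would need a smarter split."""
    mappings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not _IPV4.fullmatch(parts[0]):
            continue
        ip, vsys, source, user, idle, limit = parts
        mappings.append(Mapping(ip, vsys, source, user, int(idle), int(limit)))
    return mappings

def mappings_by_source(mappings):
    """How many mappings each source contributed; after switching from the
    agent to agentless monitoring this is the quickest way to see whether
    the new source has actually taken over."""
    counts = {}
    for m in mappings:
        counts[m.source] = counts.get(m.source, 0) + 1
    return counts

def expiring_mappings(mappings, warn_seconds=300):
    """Mappings whose idle timeout is about to run out; for a host that is
    still in use this means no fresh logon events are being read for it."""
    return [m for m in mappings if m.idle_timeout <= warn_seconds]

def unknown_user_mappings(mappings):
    """Addresses the firewall knows about but could not attribute to a user."""
    return [m for m in mappings if m.user.lower() == "unknown"]

if __name__ == "__main__":
    found = parse_ip_user_mapping(SAMPLE_OUTPUT)
    print(mappings_by_source(found))
    for m in expiring_mappings(found):
        print("expiring:", m.ip, m.user, m.idle_timeout)
```

Feed it the captured output of the command (for example from a scheduled SSH session) rather than the constructed sample, and run it once before and once after enabling a new mapping source: the per-source counts show whether the cut-over happened, and a sudden growth in expiring or unknown entries points at a permission or log-reading problem on the monitored server.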

b. IP – User Mapping (Agentless)
The IP – User Mapping function performed by the User-ID agent can be replaced by agentless User-ID,
where the server monitoring runs on the PAN device itself.
The account that works with the User-ID agent will most likely not work for agentless User-ID, as
additional permissions are needed.
Create service account and configure account permission
1. Create the service account in AD. This account is used by the device. Be sure the user is a member
of the Distributed COM Users, Server Operators and Event Log Readers groups.
2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD
server the device connects to. Run wmimgmt.msc from the command prompt on the domain controller to
open the console and select Properties as shown below.
Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this
folder and click the Security button. Add the service account from step 1. In this case, it's
panrunner@nike.local. For this account, check both Enable Account and Remote Enable.
3. After you've completed the permission setting for the UID account, you need to set up the UID
configuration in the firewall.

Configure UID in the firewall
4. Log in to the firewall GUI.
5. Go to Device tab -> User Identification and select the User Mapping sub-tab.
6. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
7. Click Edit on the Palo Alto Networks User ID Agent Setup.
8. Be sure to use the domain\username format for the username under the WMI Authentication tab, along
with valid credentials for that user.
9. Enable the Server Monitor options (enable security log / enable session) as required.
10. Client probing is enabled by default; disable it if desired.
11. Click Commit.
12. Confirm connectivity via GUI and/or CLI as shown below.
13. Confirm that ip-user-mapping is working as shown below.
2. User enumeration
The second section configures the enumeration of users and their associated group membership.
Before a security policy can be written for groups of users, the relationships between the users and
the groups they are members of must be established. This information is retrieved from an LDAP
directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory
and search for group objects. Each group object contains a list of user objects that are members.
This list is evaluated and becomes the list of users and groups available in security policy and
authentication profiles. The only method of retrieving this data is through LDAP queries from the
firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology
requires that.
1. Login to the firewall through GUI
2. Go to Device tab then Server Profile -> LDAP then click Add

3. List the directory servers that you want the firewall to use in the server list. You need to
provide at least one server; two or more are recommended for failover purposes. The
standard LDAP port for this configuration is 389.
4. Enter the name of the domain in the “Domain” field. The domain name should be the
NetBIOS name.
5. Select a directory “Type”. Based on the selected directory type, the firewall can populate
default values for attributes and objectclasses used for user and group objects in the
directory server.
6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active
Directory Domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you
want to leverage an Active Directory Global Catalog.
7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an
Active Directory environment, a valid username for this entry could be the “User
Principal Name”, e.g. “administrator@acme.local”, but also the user's distinguished name,
e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
8. Enter and confirm the authentication password for the user account that you entered
above.

9. In case you have difficulties identifying your directory base DN, you can simply follow
these steps:
a. Open the Active Directory Users and Groups management console on your
domain controller.
b. Select “Advanced features” in the “View” menu of the management console.
c. Select the top of your domain object and select “Properties”.
d. Navigate to the “Attribute Editor” in the properties window and scroll to the
“distinguishedName” attribute.
e. Copy the content of this attribute into the LDAP Server configuration “Base”
field in the firewall management UI.
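Steps 3 to 9 describe the LDAP server profile field by field, and step 9 walks through the Attribute Editor to find the base DN. The added Python example below (not from the guide or from Palo Alto Networks) derives the base DN directly from the DNS domain name, classifies the bind identity as UPN or DN, and lints a profile modelled as a dict with the same fields as the GUI (servers, domain, dns_domain, base, bind_user, password; the dict keys are this example's own naming). It flags a single server (no failover), a non-standard port, a DNS name where the NetBIOS name belongs, a base that does not match the domain, a malformed bind user and an empty password.

```python
import re

def base_dn_for_domain(domain):
    """Derive the default search base from an AD DNS domain name:
    'acme.local' -> 'dc=acme,dc=local' (each DNS label becomes one dc= RDN).
    A Global Catalog search base is the one case where this does not apply."""
    labels = [l for l in domain.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + l.lower() for l in labels)

_UPN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$")

def bind_identity_form(identity):
    """Classify the bind user of the LDAP profile: 'upn' (user@domain),
    'dn' (cn=...,dc=...) or 'invalid' (e.g. a bare or DOMAIN\\user name)."""
    if _UPN.match(identity):
        return "upn"
    if _DN.match(identity):
        return "dn"
    return "invalid"

def check_ldap_profile(profile):
    """Lint a dict mirroring the LDAP server profile fields and return a list
    of findings; an empty list means nothing to fix. Keys: servers (list of
    (host, port)), domain (NetBIOS name), dns_domain, base, bind_user, password."""
    findings = []
    servers = profile.get("servers", [])
    if not servers:
        findings.append("error: at least one directory server is required")
    elif len(servers) < 2:
        findings.append("warning: only one server listed; two or more are recommended for failover")
    for host, port in servers:
        if port not in (389, 636):
            findings.append("warning: %s uses port %d (389 is standard LDAP, 636 LDAP over TLS)"
                            % (host, port))
    domain = profile.get("domain", "")
    if not domain or "." in domain:
        findings.append("warning: Domain should be the NetBIOS name, not %r" % domain)
    dns_domain = profile.get("dns_domain")
    if dns_domain:
        expected = base_dn_for_domain(dns_domain)
        given = profile.get("base", "")
        if given.replace(" ", "").lower() != expected:
            findings.append("warning: Base %r differs from the default base %r for %s"
                            % (given, expected, dns_domain))
    if bind_identity_form(profile.get("bind_user", "")) == "invalid":
        findings.append("error: bind user must be a User Principal Name or a distinguished name")
    if not profile.get("password"):
        findings.append("error: bind password is empty")
    return findings

if __name__ == "__main__":
    profile = {"servers": [("dc1.acme.local", 389)], "domain": "acme.local",
               "dns_domain": "acme.local", "base": "dc=acme",
               "bind_user": "administrator", "password": ""}
    for finding in check_ldap_profile(profile):
        print(finding)
```

The bind account only needs to read the tree; the guide's example uses Administrator, but a dedicated read-only account keeps the credential stored in the firewall from being usable for anything else if the profile is ever exported.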

Group Mapping Settings
After the LDAP server has been configured, you need to configure how groups and users are
retrieved from the directory and which user groups are to be included in policies.
In order to create a new group mapping entry, navigate to the “Device > User Identification”
menu and create a new entry under the “Group Mapping Settings” tab.
In this configuration, you specify which LDAP server profile is going to be used to identify users
and groups.
• Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section
in the drop-down list under “Server Profile”.
All LDAP Attributes and ObjectClasses will be pre-populated based on the directory server type
you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to
modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for
customizations of these attributes.

The default update interval for changes in user groups is 3600 seconds (1 hour). You can
customize this value to a shorter period if needed.
Go to the Group Include List tab; leave this blank if you want to include ALL groups, or select the
groups that you want to be mapped.

3. IP – User Mapping through User-ID API
3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
Pre-requisite
- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks UID Agent
- Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
- At least 1 Windows server running IAS/NPS
- The server running the Palo-Alto User-ID Agent must have IP connectivity
- The Palo-Alto User-ID Agent must have the User-ID XML API enabled
- As a convention, the script should be stored in a DFS share for replication purposes, i.e.
  \\%domainname%\scripts
- The script needs to be configured to trigger on a Windows Event 6272
- The User-ID timeout set in the Palo-Alto User ID Agent must be less than the session timeout on
  the wireless controller
- The task must be configured to run under the designated sync account for the content filter at
  sites
- Said account must be granted log on as a service and log on as a batch job rights, in addition to
  full permissions to read, write and modify the installation directory of the Palo-Alto User ID
  Agent, and additionally be a member of the "DHCP Users" built-in group in Active Directory
- The ignore_user_list and UIDConfig.xml must be present in the installation directory of the
  Palo-Alto User ID Agent, and customised to the site's configuration as per the samples in this
  repository
- The scheduled task should be configured to queue new instances should the task be running when a
  new instance is called, and modified to fit the template provided in this repository
This integration script was provided and developed by the guys from Catholic Education SA, mainly
Gareth Hill. Their wiki can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script
The CESA UID RADIUS script is a means of enumerating 802.1x-authorised users to the Palo Alto Networks
User-ID Agent such that the appropriate filtering policies are applied automatically, allowing for a
seamless user experience with Palo Alto Networks NGFW and User-ID.

Lab Diagram

Installation
The steps below apply to the sample diagram above. Change the variables according to the instructions
at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
1. Copy the file UIDRADIUSScript.vbs (attached) to C:\Windows\SYSVOL\domain\scripts (note that this
can be changed to any location).
2. Copy the file UIDConfig.xml (attached) to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent.
3. Create a scheduled task to trigger on Windows Event 6272.
   Click on Properties.
   Check "Run with Highest Privileges".
   Change to "Queue a new instance".
   Right-click on the task and click "Export task to XML".

Edit the task's XML to reflect the example XML file below (User-id.xml).

The important parts are the Triggers and the Exec sections:
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select
Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and
EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<ValueQueries>
<Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
<Value
name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
</ValueQueries>
</EventTrigger>
</Triggers>

Exec Section
<Exec>
<Command>C:\Windows\System32\cscript.exe</Command>
<Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)"
$(CallingStationID)</Arguments>
</Exec>

Then delete the original task and import the modified XML.

Type in your username and password
Enable the task

Test by authenticating a user through 802.1x; you should then see the 802.1x-authenticated user appear
in the User-ID agent Monitoring tab.
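Exporting, hand-editing and re-importing the task is where this procedure usually goes wrong, and a task that imports cleanly can still be wired to the wrong event or leave the script's arguments unprotected. The added Python example below (not the CESA script and not part of the guide) loads an exported task definition and checks it against the template above: the event trigger is enabled and selects EventID 6272 from the Security log, both value queries are present, the Exec action runs cscript.exe with both `$(...)` placeholders, and the task queues new instances. The sample task XML is constructed; real exports carry the Task Scheduler namespace shown in it and are saved as UTF-16, both of which the helpers handle. Both placeholders are filled from event data supplied by the authenticating client, so the check wants each of them quoted; the template on the page quotes only `$(SubjectUserName)`, and the check reports the unquoted `$(CallingStationID)` as a warning.

```python
import re
import xml.etree.ElementTree as ET

# Constructed export of the scheduled task, reduced to the parts the guide
# says matter. Real exports carry the Task Scheduler namespace shown here and
# are saved as UTF-16; parse_task() copes with both.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
        <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\\Windows\\System32\\cscript.exe</Command>
      <Arguments>C:\\Windows\\SYSVOL\\domain\\scripts\\UIDRADIUSScript.vbs "$(SubjectUserName)" "$(CallingStationID)"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

def _local(tag):
    """Strip the namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, *names):
    """Descend through child elements by local name, or return None."""
    for name in names:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem

def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""

def parse_task(text):
    """Parse task XML given as str; the declaration is dropped because expat
    refuses a UTF-16 declaration on already-decoded text."""
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))

def check_task(root, event_id=6272, values=("SubjectUserName", "CallingStationID")):
    """Return a list of findings against the template; empty means it matches."""
    findings = []
    trig = _child(root, "Triggers", "EventTrigger")
    if trig is None:
        findings.append("error: no EventTrigger under Triggers")
    else:
        if _text(_child(trig, "Enabled")).lower() != "true":
            findings.append("error: EventTrigger is not enabled")
        # ElementTree already unescapes &lt;...&gt;, so this is the raw query
        query = _text(_child(trig, "Subscription"))
        m = re.search(r"EventID=(\d+)", query)
        if m is None or int(m.group(1)) != event_id:
            findings.append("error: Subscription does not select EventID %d" % event_id)
        if 'Path="Security"' not in query or "Microsoft-Windows-Security-Auditing" not in query:
            findings.append("warning: Subscription is not limited to the Security log auditing provider")
        vq = _child(trig, "ValueQueries")
        names = {v.get("name") for v in vq} if vq is not None else set()
        for name in values:
            if name not in names:
                findings.append("error: ValueQueries lacks %s" % name)
    ex = _child(root, "Actions", "Exec")
    if ex is None:
        findings.append("error: no Exec action")
    else:
        if not _text(_child(ex, "Command")).lower().endswith("cscript.exe"):
            findings.append("warning: Command is not cscript.exe")
        args = _text(_child(ex, "Arguments"))
        for name in values:
            token = "$(%s)" % name
            if token not in args:
                findings.append("error: Arguments do not pass %s" % token)
            elif '"%s"' % token not in args:
                findings.append("warning: %s is passed unquoted; event-supplied values belong in quotes" % token)
    if _text(_child(root, "Settings", "MultipleInstancesPolicy")) != "Queue":
        findings.append("warning: MultipleInstancesPolicy is not Queue")
    return findings

if __name__ == "__main__":
    print(check_task(parse_task(SAMPLE_TASK_XML)) or "task matches the template")
```

To check a real export, read the file with `open(path, encoding="utf-16")` and hand the text to `parse_task`; run it again after any edit in the Task Scheduler GUI, since the GUI rewrites the XML on save.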
UIDConfig.xml variables description
<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>                   <!-- the domain of the site in question -->
  <LogFormat>DHCP</LogFormat>            <!-- the log format; valid values are NPS, IAS and DHCP, for the
                                              various methods of processing this information; in this
                                              example we're using DHCP -->
  <AgentServer>192.168.6.3</AgentServer> <!-- server the UID agent is installed on -->
  <AgentPort>5008</AgentPort>            <!-- port the User-ID XML API is listening on -->
  <Debug>1</Debug>                       <!-- a debug flag (not implemented yet) -->
  <DHCPServer>main.lab.com</DHCPServer>  <!-- the DHCP server at the site in question, used to do
                                              remote queries if there are 2 NPS servers at a site -->
</user-id-script-config>
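UIDConfig.xml only lists knobs; what the integration does with them is spread over the prerequisites and the task definition above. The added Python example below (not the CESA VBScript and not from the guide) reconstructs that flow for one task invocation: load and sanity-check UIDConfig.xml, apply the ignore_user_list, normalise the Calling-Station-Id from event 6272 into a MAC address, resolve it to an IP through the DHCP leases (standing in for the remote query against DHCPServer), and build the User-ID XML API login message for AgentServer:AgentPort. The ignore_user_list format, the uid-message layout and the lease table are assumptions and are constructed here; the VBScript's own field names and behaviour may differ. The ignore list is where service and scanner accounts go, so their 802.1x authentications cannot overwrite the mapping of a host's real user, and because anything that can reach AgentPort can submit mappings, that port should be reachable only from the NPS servers.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed UIDConfig.xml in the layout described above.
UID_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>
  <LogFormat>DHCP</LogFormat>
  <AgentServer>192.168.6.3</AgentServer>
  <AgentPort>5008</AgentPort>
  <Debug>1</Debug>
  <DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>
"""

# Constructed ignore_user_list: one account per line, '#' starts a comment.
# Its real format is an assumption; accounts that authenticate through 802.1x
# but must never become a mapping (scanners, service accounts) belong here.
IGNORE_USER_LIST = """\
# accounts that must never produce a user-to-IP mapping
svc_scanner
LAB\\svc_backup
"""

# Constructed DHCP lease table (MAC -> IP) standing in for the remote query
# against <DHCPServer>.
DHCP_LEASES = {
    "00:11:22:aa:bb:cc": "192.168.6.50",
    "00:11:22:aa:bb:dd": "192.168.6.51",
}

VALID_LOG_FORMATS = {"NPS", "IAS", "DHCP"}

def load_uid_config(text):
    """Parse and sanity-check UIDConfig.xml, returning a dict of its fields."""
    root = ET.fromstring(text)
    if root.tag != "user-id-script-config":
        raise ValueError("unexpected root element %r" % root.tag)
    cfg = {child.tag: (child.text or "").strip() for child in root}
    for key in ("domain", "LogFormat", "AgentServer", "AgentPort"):
        if not cfg.get(key):
            raise ValueError("UIDConfig.xml is missing <%s>" % key)
    if cfg["LogFormat"] not in VALID_LOG_FORMATS:
        raise ValueError("LogFormat must be NPS, IAS or DHCP")
    ipaddress.ip_address(cfg["AgentServer"])   # raises on a malformed address
    cfg["AgentPort"] = int(cfg["AgentPort"])
    cfg["Debug"] = cfg.get("Debug") == "1"
    if cfg["LogFormat"] == "DHCP" and not cfg.get("DHCPServer"):
        raise ValueError("LogFormat DHCP requires <DHCPServer>")
    return cfg

def qualify_user(user, domain):
    """Prefix DOMAIN\\ unless the name already carries a domain."""
    return user if "\\" in user else "%s\\%s" % (domain, user)

def load_ignore_list(text, domain):
    """Set of lower-cased, domain-qualified names from ignore_user_list."""
    ignored = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ignored.add(qualify_user(entry, domain).lower())
    return ignored

def normalise_mac(station_id):
    """Calling-Station-Id arrives as '00-11-22-AA-BB-CC', '0011.22aa.bbcc' or
    similar; return the lower-case colon form, or None if it is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", station_id)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def build_login_message(user, ip, timeout_minutes=60):
    """User-ID XML API 'login' update for one user. The uid-message layout is an
    assumption based on the published XML API examples, not taken from the
    page; the timeout must stay below the wireless controller's session timeout."""
    return (
        "<uid-message><version>1.0</version><type>update</type><payload><login>"
        '<entry name="%s" ip="%s" timeout="%d"/>'
        "</login></payload></uid-message>"
        % (escape(user, {'"': "&quot;"}), ip, timeout_minutes)
    )

def handle_event_6272(subject_user_name, calling_station_id, cfg, ignored, leases):
    """One task invocation: map the authenticated user to the IP its MAC holds.
    Returns (xml_message_or_None, reason)."""
    user = qualify_user(subject_user_name, cfg["domain"])
    if user.lower() in ignored:
        return None, "ignored user"
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return None, "Calling-Station-Id is not a MAC address"
    ip = leases.get(mac)
    if ip is None:
        return None, "no DHCP lease for %s" % mac
    return build_login_message(user, ip), "ok"

if __name__ == "__main__":
    cfg = load_uid_config(UID_CONFIG_XML)
    ignored = load_ignore_list(IGNORE_USER_LIST, cfg["domain"])
    msg, why = handle_event_6272("alice", "00-11-22-AA-BB-CC", cfg, ignored, DHCP_LEASES)
    print(why, "-> send to %s:%d" % (cfg["AgentServer"], cfg["AgentPort"]), msg)
```

The real script sends the message over TCP to AgentServer:AgentPort; this example stops at building it so it can be run and tested offline. A lookup miss ("no DHCP lease") is the case worth logging on the NPS server, since it usually means the client authenticated on a segment whose scope lives on a different DHCP server than the one named in DHCPServer.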

3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration (work in progress)

Pre-requisite
- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks PAN-OS 5.0
- Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (agentless branch)
- At least 1 Windows server running IAS/NPS
- The Palo-Alto Networks firewall must run PAN-OS 5.0
- As a convention, the script should be stored in a DFS share for replication purposes, i.e.
  \\%domainname%\scripts
- The script needs to be configured to trigger on a Windows Event 6272
Revision History
Date           Revision   Comment
12 April 2013  1.0        Draft

References
https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
https://live.paloaltonetworks.com/docs/DOC-3664
https://live.paloaltonetworks.com/docs/DOC-3120
https://live.paloaltonetworks.com/docs/DOC-1807

Sap basis and_security_administration
 
Setting up an odi agent
Setting up an odi agentSetting up an odi agent
Setting up an odi agent
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
PPT_CC.pptx
PPT_CC.pptxPPT_CC.pptx
PPT_CC.pptx
 
Amigopod+cp+customisation v1.0
Amigopod+cp+customisation v1.0Amigopod+cp+customisation v1.0
Amigopod+cp+customisation v1.0
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
Obiee 11g security creating users groups and catalog permissions
Obiee 11g security  creating users groups and catalog permissionsObiee 11g security  creating users groups and catalog permissions
Obiee 11g security creating users groups and catalog permissions
 
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
 
Visual connect
Visual connectVisual connect
Visual connect
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
The Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud ComputingThe Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud Computing
 

Kürzlich hochgeladen

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Kürzlich hochgeladen (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 

User id installation and configuration

User Identification in PAN-OS 4.1 encompasses two primary functions:

- Mapping of users to their current IP addresses
- Enumeration of users and their associated group membership

1. IP – User Mapping

a. IP - User Mapping ( with UID Agent )

The first section is to map users to their current IP addresses. This section uses the UID agent to perform the function.

Create service account, configure account permission and install UID agent

1. Create a service account (for example Labuid) in the DC.
2. Log in to any computer that is a member of the domain; you do not need to install the UID agent on the AD server or domain controller.
3. Log in with an account that has local administrator permission.
4. Add Labuid as a member of the local Administrators group.
5. Download the UID agent.
6. Run the command prompt as administrator.
7. Install from the command prompt.
8. By default, the agent will be configured to log in as the user who installed the .msi file. In the screenshot that follows, you will see that the “Labuid” account that installed the agent is now the agent service account. Use the “Edit” button on the configuration window to change the service account to a restricted user account if desired.
9. Allow the agent account to log on to the member server as a service. On the member server, open the “Local Security Policy” MMC.
10. Under “Local Policies” > “User Rights Assignment”, add the service account to the “Log on as a service” option.
11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators” built-in local security groups in the domain.
12. For Win2K3, the user right “Manage auditing and security log” must be given to that account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.

In the right-hand pane, locate the user right “Manage auditing and security log”. Double-click that entry. You will see that only Administrators have that user right. Click Add User or Group. Enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.

13. Make sure that the service is running in the Services window.
14. To check that you have configured the UID agent correctly, go to Start -> Palo Alto Networks -> User-ID Agent and open the UID agent GUI; on the Discovery tab you will see the domain controller listed.
15. To check that the UID agent successfully reads the event log and discovers the username, go to the Monitoring tab.
16. The next step is adding the UID agent in the firewall.

Configure User-ID agent in the firewall

17. Log in to the firewall.
18. Go to the Device tab.
19. Then, under the User Identification node, click the User-ID Agents sub-tab.
20. Click Add, and then enter the name, IP address and port (default 5007). Click OK, then commit.
21. You will see the green button when the UID agent has successfully connected to the firewall.
22. To verify that the firewall receives the user-IP mapping, SSH to the firewall and execute the command below:

    admin@PA-200> show user ip-user-mapping all

b. IP – User Mapping ( Agentless )

The IP – User Mapping function that was performed by the User-ID agent can be replaced by agentless User-ID. Agentless User-ID allows the server monitoring to be run from the PAN device itself. The login that works for the User-ID agent most likely will not work for the agentless mode (additional permissions are needed).

Create service account and configure account permission

1. Create the service account in AD. This account is used by the device. Be sure the user is a member of the Distributed COM Users, Server Operators and Event Log Readers groups.
2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD server the device connects to.
3. Run wmimgmt.msc (on the domain controller) from the command prompt to open the console and select Properties, as shown below.
4. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this folder and click the Security button. Add the service account from step 1; in this case it is panrunner@nike.local. For this account, check both Enable Account and Remote Enable.
5. After you have completed the permission settings for the UID account, you need to set up the UID configuration in the firewall.

Configure UID in the firewall

6. Log in to the firewall GUI.
7. Go to Device tab -> User Identification and select the User Mapping sub-tab.
8. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
9. Click Edit on the Palo Alto Networks User ID Agent Setup.
10. Be sure to use the domain\username format for the username under the WMI Authentication tab, along with valid credentials for that user.
11. Enable the Server Monitor options (enable security log / enable session) as required.
12. Client probing is enabled by default; disable it if desired.
13. Click Commit.
14. Confirm connectivity via the GUI and/or CLI as shown below.
15. Confirm that the ip-user-mapping is working as shown below.
2. User enumeration

The second section is to configure enumeration of users and their associated group membership. Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object will contain a list of user objects that are members. This list will be evaluated and will become the list of users and groups available in security policy and authentication profiles. The only method of retrieving this data is through LDAP queries from the firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology requires that.

1. Log in to the firewall through the GUI.
2. Go to the Device tab, then Server Profile -> LDAP, and click Add.
3. List the directory servers that you want the firewall to use in the server list. You need to provide at least one server; two or more are recommended for failover purposes. The standard LDAP port for this configuration is 389.
4. Enter the name of the domain in the “Domain” field. The domain name should be a NetBIOS name.
5. Select a directory “Type”. Based on the selected directory type, the firewall can populate default values for the attributes and objectclasses used for user and group objects in the directory server.
6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active Directory domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you want to leverage an Active Directory Global Catalog.
7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an Active Directory environment, a valid username for this entry could be the “User Principal Name”, e.g. “administrator@acme.local”, but also the user's distinguished name, e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
8. Enter and confirm the authentication password for the user account that you entered above.
9. In case you have difficulties identifying your directory base DN, you can simply follow these steps:
   a. Open the Active Directory Users and Groups management console on your domain controller.
   b. Select “Advanced features” in the “View” menu of the management console.
   c. Select the top of your domain object and select “Properties”.
   d. Navigate to the “Attribute Editor” in the properties window and scroll to the “distinguishedName” attribute.
   e. Copy the content of this attribute into the LDAP Server configuration “Base” field in the firewall management UI.

Group Mapping Settings

After the LDAP server has been configured, you need to configure how groups and users are retrieved from the directory and which user groups are to be included in policies. In order to create a new group mapping entry, navigate to the “Device > User Identification” menu and create a new entry under the “Group Mapping Settings” tab. In this configuration, you specify which LDAP server profile is going to be used to identify users and groups.

- Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section in the drop-down list under “Server Profile”. All LDAP attributes and objectclasses will be pre-populated based on the directory server type you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for customizations of these attributes. The default update interval for changes in user groups is 3600 seconds (1 hour). You can customize this value to a shorter period if needed.
Go to the Group Include List tab; leave this blank if you want to include ALL groups, or select the groups that you want to be mapped.

3. IP – User Mapping through User-ID API

3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration

Pre-requisites

- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks UID Agent
- Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
- At least 1 Windows server running IAS/NPS
- The server running the Palo-Alto User-ID Agent must have IP connectivity
- The Palo-Alto User-ID Agent must have the User-ID XML API enabled
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
- The User-ID timeout set in the Palo-Alto User ID Agent must be less than the session timeout on the wireless controller
- The task must be configured to run under the designated sync account for the content filter at the sites
- Said account must be granted the log on as a service and log on as a batch job rights, in addition to full permissions to read, write and modify the installation directory of the Palo-Alto User ID Agent, and must additionally be a member of the "DHCP Users" builtin group in Active Directory
- The ignore_user_list and UIDConfig.xml must be present in the installation directory of the Palo-Alto User ID Agent, and customised to the site's configuration as per the samples in this repository
- The scheduled task should be configured to queue new instances should the task be running when a new instance is called, and modified to fit the template provided in this repository

This integration script was provided and developed by the guys from Catholic Education SA, mainly Gareth Hill. Their link can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script

The CESA UID RADIUS script is a means of enumerating 802.1x authorised users to the Palo Alto Networks User-ID Agent such that the appropriate filtering policies are applied automatically, allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.

Lab Diagram

Installation

The steps below are to be used for the sample diagram above. Please change the variables according to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script

1. Copy the file UIDRADIUSScript.vbs to C:\Windows\SYSVOL\domain\scripts (note that this can be changed to any location).
2. Copy the file UIDConfig.xml to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent.
3. Create a scheduled task to trigger on Windows Event 6272.
4. Click on Properties and check Run with Highest Privileges.
5. Change to Queue a new instance.
6. Right-click on the task and click Export Task to XML. Edit the task's XML to reflect the example XML file below (User-id.xml). The important parts are the Triggers and the Exec sections.

Triggers section:

    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
        <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        <ValueQueries>
          <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
          <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
        </ValueQueries>
      </EventTrigger>
    </Triggers>

Exec section:

    <Exec>
      <Command>C:\Windows\System32\cscript.exe</Command>
      <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
    </Exec>

7. Then delete the original task and import the modified XML. Type in your username and password.
8. Enable the task.
9. Test by authenticating a user through 802.1x; you should then see the 802.1x-authenticated user appear in the User-ID agent Monitoring tab.

UIDConfig.xml variables description

    <?xml version="1.0" encoding="UTF-8"?>
    <user-id-script-config>
      <domain>LAB</domain>
      <LogFormat>DHCP</LogFormat>
      <AgentServer>192.168.6.3</AgentServer>
      <AgentPort>5008</AgentPort>
      <Debug>1</Debug>
      <DHCPServer>main.lab.com</DHCPServer>
    </user-id-script-config>

- domain: the domain of the site in question
- LogFormat: the log format; valid values are NPS, IAS and DHCP, for the various methods of processing this information. In this example we are using DHCP.
- AgentServer: the server the UID agent is installed on
- AgentPort: the port the User-ID XML API is listening on
- Debug: a debug flag (not implemented yet)
- DHCPServer: the DHCP server at the site in question, used to do remote queries if there are 2 NPS servers at a site

3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration ( Work in progress )

Pre-requisites

- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks PANOS 5.0
- Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (Agentless branch)
- At least 1 Windows server running IAS/NPS
- The Palo-Alto Networks firewall must run PANOS 5.0
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
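The data flow that the task trigger, the UIDRADIUSScript.vbs arguments and UIDConfig.xml together describe (user name and calling-station MAC taken from Event 6272, the MAC resolved to an IP through the DHCP leases, the ignore list applied, then a login sent to the User-ID XML API on the agent port), as an added Python example that is not the CESA script or Palo Alto Networks code. The event, lease table and ignore list are constructed; the lease-line layout only approximates the Windows DHCP client listing; plain TCP delivery to port 5008 and the minutes unit of the timeout attribute are assumptions.

```python
import re
import socket
from typing import Dict, Iterable, Optional
from xml.sax.saxutils import quoteattr

# Constructed sample: the two values the task's ValueQueries pull out of Event 6272.
SAMPLE_EVENT = {"SubjectUserName": "jsmith", "CallingStationID": "00-11-22-AA-BB-CC"}

# Constructed lease table (IP, mask, client MAC, expiry, type). The column layout only
# approximates the Windows DHCP client listing; only the IP and MAC columns are read.
SAMPLE_LEASES = """\
192.168.6.50 - 255.255.255.0 - 00-11-22-aa-bb-cc - 4/12/2013 9:00:00 AM - D
192.168.6.51 - 255.255.255.0 - 00-aa-bb-cc-dd-ee - 4/12/2013 9:05:00 AM - D
"""

# Constructed ignore list: identities that must never become a User-ID mapping
# (the role the page's ignore_user_list plays).
IGNORE_USERS = ["LAB\\svc-nps"]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_MAC = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(raw: str) -> str:
    """Lowercase hex with separators removed, so NPS and DHCP notation compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def parse_leases(text: str) -> Dict[str, str]:
    """Map normalized client MAC -> leased IP for every line that carries both."""
    leases: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = _IPV4.search(line), _MAC.search(line)
        if ip and mac:
            leases[normalize_mac(mac.group(1))] = ip.group(1)
    return leases


def should_ignore(user: str, ignore_list: Iterable[str]) -> bool:
    """Drop listed accounts and machine identities (trailing '$' or 'host/' form),
    which 802.1x computer authentication would otherwise map like a person."""
    u = user.lower()
    account = u.split("\\")[-1]
    return (u in {i.lower() for i in ignore_list}
            or account.endswith("$") or account.startswith("host/"))


def build_uid_login(user: str, ip: str, timeout_min: int = 60) -> str:
    """User-ID XML API login message. timeout is the mapping lifetime (assumed to be
    minutes); keep it below the wireless controller's session timeout, as the page requires."""
    return ("<uid-message><version>1.0</version><type>update</type><payload><login>"
            f"<entry name={quoteattr(user)} ip={quoteattr(ip)} timeout=\"{int(timeout_min)}\"/>"
            "</login></payload></uid-message>")


def event_to_uid_message(event: dict, leases_text: str, ignore_list: Iterable[str],
                         domain: str = "LAB") -> Optional[str]:
    """Turn one 6272 event into a login message, or None when nothing should be sent."""
    user = event.get("SubjectUserName", "").strip()
    station = event.get("CallingStationID", "").strip()
    if not user or not station:
        return None
    if "@" in user:                          # UPN form: keep only the account part
        user = user.split("@", 1)[0]
    if "\\" not in user:                     # qualify bare names with UIDConfig's <domain>
        user = f"{domain}\\{user}"
    if should_ignore(user, ignore_list):
        return None
    try:
        mac = normalize_mac(station)
    except ValueError:                       # wired/VPN clients may log a non-MAC station
        return None
    ip = parse_leases(leases_text).get(mac)
    if ip is None:                           # no lease for this MAC: do not guess an IP
        return None
    return build_uid_login(user, ip)


def send_to_agent(message: str, host: str, port: int = 5008, timeout: float = 5.0) -> None:
    """Deliver a message to the User-ID agent XML API (AgentServer/AgentPort in
    UIDConfig.xml); plain TCP delivery is an assumption of this example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(message.encode("utf-8"))


if __name__ == "__main__":
    print(event_to_uid_message(SAMPLE_EVENT, SAMPLE_LEASES, IGNORE_USERS))
```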
Revision History

Date           Revision   Comment
12 April 2013  1.0        Draft

References

- https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
- https://live.paloaltonetworks.com/docs/DOC-3664
- https://live.paloaltonetworks.com/docs/DOC-3120
- https://live.paloaltonetworks.com/docs/DOC-1807