Procedure

Steps

To configure Agentless User-ID, first create the service account in Active Directory, then grant it the WMI permissions it needs, configure the firewall, and verify that mappings are being learned.

Configure the following on the Active Directory (AD) server and on the Palo Alto Networks firewall:


  1. Create the service account in AD that the firewall will use. Make the account a member of the following groups:
    - Distributed COM Users
    - Event Log Readers
    - Server Operators
    Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information. Treat it as a service account: no interactive logon, a strong password, and no group membership beyond the three listed here.

    On Windows Server 2003 the built-in Event Log Readers group does not exist, so the service account must instead be granted the "Manage auditing and security log" user right through Group Policy. Making the account a member of the Domain Admins group also provides the rights for all operations, but it grants far more privilege than User-ID needs and is not recommended.
     
  2. The firewall reads the security log from the AD server over WMI (WMI Authentication), so the service account must be granted access to the root\CIMV2 namespace on each AD server that the firewall will monitor. Modify the CIMV2 security properties on each such server as follows.
     
  3. Run wmimgmt.msc (from Start > Run or a command prompt) to open the WMI Control console, then right-click WMI Control (Local) and select Properties.
 

  4. On the Security tab of WMI Control Properties:
    1.) Expand Root and select the CIMV2 namespace.
    2.) Click Security.
    3.) Click Add and select the service account from step 1 (in this example, userid@pantac.lab).
    4.) With that account selected, check Allow for both Enable Account and Remote Enable. Leave every other permission unchecked; the firewall only needs to read event data.
    5.) Click Apply, then OK.
     
  5. Back in the firewall web interface, select Device > User Identification > User Mapping, then click the edit (gear) icon in the upper right corner of the Palo Alto Networks User-ID Agent Setup panel.
  6. On the WMI Authentication tab, enter the service account in domain\username format (for example, pantac\userid) together with its password.
     
  7. On the Server Monitor tab, enable Security Log monitoring, and enable Session monitoring as well if you want mappings derived from server sessions.
    Client probing (WMI probing) is enabled by default; disable it unless you specifically need it. Probing sends the service account's credentials to every probed host, which is why the best-practices document referenced in step 1 recommends leaving it off.
     
  8. If the domain was entered during Setup (Device > Setup > Management > General Settings > Domain), you can click Discover to find the domain's servers automatically. Otherwise, add each server to be monitored manually under Server Monitoring.
     
  9. Confirm connectivity through the web interface or the CLI:

    > show user server-monitor statistics

    Directory Servers:
    Name                     TYPE  Host                     Vsys   Status
    -----------------------------------------------------------------------------
    pantacad2003.pantac.lab  AD    pantacad2003.pantac.lab  vsys1  Connected

    A status other than Connected usually points back to steps 1 to 4: wrong credentials, a missing group membership, or missing CIMV2 permissions on that particular server.

  10. Confirm that IP-to-user mapping is working:

    > show user ip-user-mapping all

    IP               Vsys   From   User            IdleTimeout (s)  MaxTimeout (s)
    ---------------  -----  -----  --------------  ---------------  --------------
    192.168.28.15    vsys1  AD     pantac\tom      2576             2541
    192.168.29.106   vsys1  AD     pantac\userid   2660             2624
    192.168.29.110   vsys1  AD     pantac\userid   2675             2638

    Total: 3 users

    Note that the service account itself (pantac\userid) appears as a mapped user. Such entries typically come from the account's own logons to the monitored servers and should not be used to attribute traffic; add the service account to the firewall's Ignore User List so it is excluded from mapping (see the best-practices document referenced in step 1).

  11. Ensure Enable User Identification is checked on every zone from which identifiable user traffic will originate (Network > Zones, then select the zone). Without it, mappings are learned but not applied to traffic in that zone. Enable it only on internal, trusted zones; on an untrusted zone such as the Internet-facing one there are no meaningful mappings to apply.
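The Windows side of steps 1 to 4, followed by a check that the permissions took effect, as an added example; it is not from the original article and is not a Palo Alto Networks script. It assumes Windows PowerShell 5.1 (Get-WmiObject and Invoke-WmiMethod are not available in PowerShell 7) on a domain-joined host with the ActiveDirectory RSAT module, run by an account that can create users and edit WMI namespace security on the DC. The names pantac.lab, pantac, userid and pantacad2003.pantac.lab are taken from the article's example; the access-mask bit values are the WBEM_ENABLE and WBEM_REMOTE_ACCESS constants from the WMI SDK.

```powershell
<#
 Added example, not part of the original article or a Palo Alto Networks script.
 Assumes Windows PowerShell 5.1 + ActiveDirectory module, run with rights to
 create users and edit WMI namespace security on the monitored DC.
#>
Import-Module ActiveDirectory

$Domain        = 'pantac.lab'               # article's example domain (assumption)
$NetBiosDomain = 'pantac'
$SamAccount    = 'userid'                   # article's example service account
$DC            = 'pantacad2003.pantac.lab'  # AD server the firewall will monitor
$Namespace     = 'root\cimv2'

# WMI namespace access-mask bits (wbemcli.h); GUI labels in comments
$WBEM_ENABLE        = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"

# ---- Step 1: service account and the three group memberships (no Domain Admins) ----
$pw = Read-Host -AsSecureString "Password for $SamAccount"
New-ADUser -Name $SamAccount -SamAccountName $SamAccount `
    -UserPrincipalName "$SamAccount@$Domain" -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description 'Palo Alto Networks User-ID service account (no interactive logon)'

foreach ($g in 'Distributed COM Users', 'Event Log Readers', 'Server Operators') {
    Add-ADGroupMember -Identity $g -Members $SamAccount
}

# ---- Steps 2-4: grant Enable Account + Remote Enable on root\cimv2 of the DC ----
# Same change as wmimgmt.msc > Security > CIMV2, done through __SystemSecurity so
# it can be repeated on every monitored server.
$sid = (Get-ADUser -Identity $SamAccount).SID.Value

$wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@'; ComputerName = $DC }
$sd  = (Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AceType    = 0                                   # ACCESS_ALLOWED_ACE_TYPE
$ace.AceFlags   = 0                                   # this namespace only, no inheritance
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # read-only: no Execute/Write bits
$ace.Trustee    = $trustee

$sd.DACL += $ace.psobject.ImmediateBaseObject
$result = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor `
              -ArgumentList $sd.psobject.ImmediateBaseObject
if ($result.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor on $DC failed with return value $($result.ReturnValue)"
}

# ---- Verify: read the DACL back and confirm exactly the two bits we wanted ----
$sd   = (Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor
$mine = $sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid } | Select-Object -First 1
if (-not $mine) { throw "No ACE for $SamAccount found on $Namespace of $DC" }
$mask = $mine.AccessMask
"{0} on {1}: AccessMask=0x{2:X} EnableAccount={3} RemoteEnable={4}" -f $SamAccount, $DC, $mask,
    [bool]($mask -band $WBEM_ENABLE), [bool]($mask -band $WBEM_REMOTE_ACCESS)

# Group memberships from step 1, for the change record
Get-ADPrincipalGroupMembership -Identity $SamAccount | Select-Object -ExpandProperty Name

# ---- Verify the firewall's access path end to end ----
# Query the Security log over WMI as the service account. Get-WmiObject does not
# accept -Credential for the local machine, so run this from a member server,
# not from the DC itself. A logon event (4624) coming back means DCOM, the
# namespace ACL and event-log read access all work for this account.
$cred = Get-Credential -UserName "$NetBiosDomain\$SamAccount" -Message 'User-ID service account'
Get-WmiObject -ComputerName $DC -Credential $cred -Namespace $Namespace `
    -Class Win32_NTLogEvent -Filter "Logfile='Security' AND EventCode=4624" |
    Select-Object -First 1 TimeGenerated, EventCode, ComputerName
```

The ACE is written with AceFlags 0 so it applies to root\cimv2 only, which matches the minimal grant in step 4; if you need sub-namespaces as well, set AceFlags to 0x2 (CONTAINER_INHERIT_ACE). Run the steps 2-4 block once per server listed under Server Monitoring, since the namespace ACL is per machine, not per domain.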