Purpose:
User-ID enables the firewall to associate IP addresses with usernames, allowing for user-based visibility, policy control, and reporting.
Visibility:
Provides detailed insights into application usage by user, enhancing the understanding of network activity and potential threats.
Policy Control:
Allows for the creation of security policies based on user or group identity, ensuring that only authorized users can access specific applications or resources.
Logging and Reporting:
Enables user-based logging and reporting, facilitating more effective forensic analysis and compliance reporting.
User Mapping:
Utilizes various methods to map IP addresses to usernames, including monitoring server logs, parsing syslog messages, and redirecting HTTP requests to an authentication portal.
Group Mapping:
Collects user group information by connecting to LDAP directory servers or using XML API integration, allowing for group-based policy enforcement.
Limitations:
User-ID cannot map traffic whose source IP addresses are NAT-translated before they reach the firewall: the address learned from the authentication source is the pre-NAT address, which never matches the translated source address the firewall sees.
User-ID enables the firewall to associate IP addresses with usernames, allowing for user-based policies and visibility. Below are the primary methods for acquiring User-ID mappings.
1. Server Monitoring
The firewall monitors authentication events from servers like Active Directory, Exchange, or eDirectory to map IP addresses to usernames.
graph TD
A[User logs into AD] --> B[Server logs authentication event]
B --> C[Firewall reads event logs]
C --> D[Firewall maps IP to username]
2. Syslog Integration
The firewall listens to syslog messages from devices like wireless controllers or proxy servers that authenticate users.
graph TD
A[User authenticates via device] --> B[Device sends syslog to firewall]
B --> C[Firewall parses syslog]
C --> D[Firewall maps IP to username]
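The flow above stands or falls on how reliably the firewall can pull a username and an address out of each message. The following is an added example, not code from the original page or from any vendor: a minimal Python model of a syslog parse profile (an event string that marks a usable event, plus regexes for the user and address fields) run over constructed log lines. The message format and field names are assumptions; a real wireless controller or proxy will use its own layout, which is exactly why the profile is configurable. Lines that lack the event string or either field are ignored rather than guessed at, and a logout event removes the mapping it matches.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from any real device). The
# "user=... ip=..." layout is an assumption chosen for the example.
SAMPLE_SYSLOG = [
    "<134>Jan 10 09:12:01 wlc01 auth: Login OK user=EXAMPLE\\alice ip=10.20.30.41",
    "<134>Jan 10 09:12:07 proxy01 squid: Login OK user=bob@example.local ip=10.20.30.42",
    "<134>Jan 10 09:13:44 wlc01 auth: Login FAILED user=EXAMPLE\\mallory ip=10.20.30.43",
    "<134>Jan 10 09:14:10 wlc01 dhcp: lease renewed ip=10.20.30.41",
    "<134>Jan 10 09:20:00 wlc01 auth: Logout user=EXAMPLE\\alice ip=10.20.30.41",
]


@dataclass
class SyslogParseProfile:
    """The pieces a parse profile needs: an event string that marks an
    authentication event worth using, and regexes that extract the username
    and the client address from the message."""
    event_string: str
    username_regex: str
    address_regex: str


LOGIN_PROFILE = SyslogParseProfile(
    event_string="Login OK",
    username_regex=r"user=(?P<user>\S+)",
    address_regex=r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
)
LOGOUT_PROFILE = SyslogParseProfile(
    event_string="Logout",
    username_regex=r"user=(?P<user>\S+)",
    address_regex=r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
)


def parse_event(line, profile):
    """Return (user, ip) when the line carries the profile's event string and
    both fields are present; otherwise None, and the line is ignored."""
    if profile.event_string not in line:
        return None
    user = re.search(profile.username_regex, line)
    ip = re.search(profile.address_regex, line)
    if not user or not ip:
        return None
    return user.group("user"), ip.group("ip")


def build_mappings(lines, login_profile=LOGIN_PROFILE, logout_profile=LOGOUT_PROFILE):
    """Walk the syslog stream in order: add an IP-to-user mapping on each
    successful login, remove it on a logout for the same IP and user."""
    mappings = {}
    for line in lines:
        event = parse_event(line, logout_profile)
        if event:
            user, ip = event
            if mappings.get(ip) == user:
                del mappings[ip]
            continue
        event = parse_event(line, login_profile)
        if event:
            user, ip = event
            mappings[ip] = user  # a newer login on the same IP replaces the older mapping
    return mappings


if __name__ == "__main__":
    for ip, user in build_mappings(SAMPLE_SYSLOG).items():
        print(f"{ip} -> {user}")
```

Run on the sample, only bob's mapping survives: alice's login is later cancelled by her logout, the failed login never creates a mapping, and the DHCP line carries no event string. Anchoring the regexes on an explicit success string matters; matching on "Login" alone would turn every failed attempt into a mapping.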
3. Authentication Portal
When other methods fail, the firewall can prompt users to authenticate via a web portal to establish IP-to-username mappings.
graph TD
A[User accesses network] --> B[Firewall prompts for authentication]
B --> C[User provides credentials]
C --> D[Firewall maps IP to username]
4. Terminal Services (TS) Agent
In multi-user environments like Citrix or Terminal Services, the TS Agent maps multiple users sharing a single IP address.
graph TD
A[Multiple users log into terminal server] --> B[TS Agent monitors sessions]
B --> C[TS Agent reports to firewall]
C --> D[Firewall maps IP and port to usernames]
5. GlobalProtect
The GlobalProtect VPN client provides user and IP information to the firewall upon connection.
graph TD
A[User connects via GlobalProtect] --> B[Client sends user/IP info]
B --> C[Firewall maps IP to username]
6. XML API
External systems can send user mapping information to the firewall using the XML API.
graph TD
A[External system detects login] --> B[System sends XML API request]
B --> C[Firewall receives and maps IP to username]
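The XML API request in the diagram carries a uid-message document. As an added example (not code from the original page or from the vendor), the Python below builds that document with login and logout entries, shows the form fields a POST to the firewall's /api/ endpoint takes (type=user-id, key, cmd), and parses a document the way a receiving side should, rejecting entries whose ip attribute is not a valid address. The firewall hostname and the API key are placeholders; the timeout attribute is in minutes and makes a mapping expire even if no logout is ever sent.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), logouts=(), timeout_minutes=None):
    """Build the <uid-message> document accepted by the User-ID XML API.
    logins/logouts are iterables of (username, ip) pairs; timeout_minutes,
    when given, is attached to each login entry so the mapping ages out."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            attrs = {"name": user, "ip": ip}
            if timeout_minutes is not None:
                attrs["timeout"] = str(timeout_minutes)
            ET.SubElement(login, "entry", attrs)
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", {"name": user, "ip": ip})
    return ET.tostring(root, encoding="unicode")


def build_request(api_key, uid_xml):
    """Form fields for POST https://<firewall-host>/api/ (host is a placeholder).
    Generate the key for an administrator whose role is limited to the
    User-ID XML API, so a leaked key cannot be used to change configuration."""
    return {"type": "user-id", "key": api_key, "cmd": uid_xml}


def parse_uid_message(xml_text):
    """What a receiver must do before trusting the payload: confirm the root
    element and set aside any entry whose ip attribute is not an address."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("not a uid-message document")
    result = {"login": [], "logout": [], "invalid": []}
    for kind in ("login", "logout"):
        for entry in root.iterfind(f"./payload/{kind}/entry"):
            user, ip = entry.get("name"), entry.get("ip")
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                result["invalid"].append((user, ip))
                continue
            result[kind].append((user, ip))
    return result


if __name__ == "__main__":
    # Constructed sample: one login with a 20 minute timeout, one logout.
    doc = build_uid_message(
        logins=[("example\\alice", "10.1.1.5")],
        logouts=[("example\\bob", "10.1.1.6")],
        timeout_minutes=20,
    )
    print(doc)
    print(build_request("<API-KEY-PLACEHOLDER>", doc))
    print(parse_uid_message(doc))
```

The parser keeps malformed entries in a separate invalid list instead of discarding them silently; logging those is the cheapest way to notice an integration that has started sending garbage.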
7. Client Probing (WMI)
The firewall probes Windows clients using WMI to determine the logged-in user.
graph TD
A[Firewall sends WMI probe] --> B[Client responds with user info]
B --> C[Firewall maps IP to username]
8. HTTP Header Insertion
The firewall inserts user information into HTTP headers for downstream devices or services.
graph TD
A[User initiates HTTP request] --> B[Firewall adds user info to header]
B --> C[Request forwarded to destination]
User Mapping Overview
Purpose:
User Mapping enables the firewall to associate IP addresses with usernames, facilitating user-based visibility and policy enforcement.
Methods:
The firewall can obtain user-to-IP mappings through various methods:
Server Monitoring:
Monitoring authentication events from servers like Active Directory, Exchange, or eDirectory.
Syslog Parsing:
Parsing syslog messages from devices that authenticate users, such as wireless controllers or proxy servers.
Authentication Portal:
Prompting users to authenticate via a web portal when other methods are insufficient.
GlobalProtect:
Using the GlobalProtect VPN client to obtain user information upon connection.
XML API:
Receiving user mapping information from external systems via API calls.
Client Probing:
Probing clients using WMI or NetBIOS to determine logged-in users (use with caution due to potential privacy concerns).
Terminal Services (TS) Agent:
Mapping multiple users sharing a single IP address in multi-user systems like Citrix or Terminal Services.
HTTP Header Insertion:
Inserting user information into HTTP headers for downstream devices or services.
XFF Headers:
Extracting user information from X-Forwarded-For headers in HTTP requests.
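An X-Forwarded-For header is written by whatever proxy sits between the client and the firewall, but any client can also send one itself. As an added example (not code from the original page or from the vendor), the Python below shows the check that makes XFF-derived addresses safe to use for user mapping: consult the header only when the direct peer is a trusted proxy, and then take the right-most hop that is not itself a trusted proxy, since everything to the left of the proxy's own entry is client-controlled. The proxy subnet and sample addresses are constructed.

```python
import ipaddress

# Constructed: the subnet our explicit proxies live in. Only these peers are
# allowed to speak for other clients via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(peer_ip, xff_header):
    """Return the address to use for user mapping for one HTTP request.

    peer_ip:    the source address of the TCP connection the firewall sees
    xff_header: the X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer) or not xff_header:
        # Untrusted peer: whatever it put in the header is ignored.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the right (nearest to us) leftward, skipping our own proxies;
    # the first non-proxy hop is the address the trusted proxy accepted from.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    cases = [
        ("10.0.5.7", "10.20.30.41"),               # proxy, honest header
        ("10.0.5.7", "1.2.3.4, 10.20.30.41"),      # client prepended a fake hop
        ("10.0.5.7", "10.20.30.41, 10.0.5.8"),     # two chained trusted proxies
        ("192.0.2.9", "10.20.30.41"),              # header from an untrusted peer
        ("10.0.5.7", "not-an-address"),            # malformed header
    ]
    for peer, xff in cases:
        print(f"peer={peer:<10} xff={xff!r:<30} -> {client_ip_from_xff(peer, xff)}")
```

Taking the left-most hop, which is the intuitive reading of the header, is the mistake this guards against: with a client-supplied prefix it attributes the session to an address the client chose.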
Integration:
User Mapping works in conjunction with Group Mapping to enforce user- and group-based security policies.
Purpose:
Group Mapping allows the firewall to retrieve user group information from directory services (e.g., LDAP) to enforce group-based policies.
LDAP Server Profile:
Configure an LDAP server profile to connect the firewall to the directory server, including server details, authentication credentials, and search parameters.
Group Mapping Configuration:
Define how the firewall retrieves group information, specifying the LDAP server profile, base DN, and optional filters for users and groups.
Custom Groups:
Create custom groups using LDAP filters to group users based on specific attributes, even if such groups don't exist in the directory.
Primary Username:
Specify the attribute (e.g., sAMAccountName, userPrincipalName) that the firewall uses to identify users in policies and logs.
Group Include List:
Limit the groups available for policy enforcement by specifying which groups the firewall should include.
Update Interval:
Set the frequency at which the firewall polls the LDAP directory for updates to group information.
Multiple Domains/Forests:
For environments with multiple domains or forests, create separate group mapping configurations with appropriate LDAP server profiles to ensure comprehensive group information retrieval.
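The items above (custom groups built from LDAP filters, the primary username attribute, the group include list) and the earlier note that User Mapping and Group Mapping work together all meet at policy evaluation time. As an added example (not code from the original page or from the vendor), the Python below models that join over a constructed directory snapshot: a small evaluator for the filter subset a custom group typically uses (attribute equality combined with &, |, !), a primary-username renderer, an include list, and a policy_match that looks up the IP-to-user mapping and checks group membership. The domain name, directory entries and the domain\user rendering convention are assumptions made for the example; the point it demonstrates is that a mapping written in one username format will not match groups built in another.

```python
# Constructed directory snapshot, not pulled from a real LDAP server.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=local", "objectClass": "user",
     "sAMAccountName": "alice", "userPrincipalName": "alice@example.local",
     "department": "Finance",
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=local"]},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=local", "objectClass": "user",
     "sAMAccountName": "bob", "userPrincipalName": "bob@example.local",
     "department": "Engineering",
     "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=local"]},
    {"dn": "CN=Carol,OU=Users,DC=example,DC=local", "objectClass": "user",
     "sAMAccountName": "carol", "userPrincipalName": "carol@example.local",
     "department": "Finance", "memberOf": []},
    {"dn": "CN=FIN-WS01,OU=Computers,DC=example,DC=local", "objectClass": "computer",
     "sAMAccountName": "FIN-WS01$", "department": "Finance", "memberOf": []},
]
NETBIOS_DOMAIN = "EXAMPLE"  # assumed NetBIOS name for the example domain
GROUP_INCLUDE_LIST = {"CN=Finance,OU=Groups,DC=example,DC=local"}
CUSTOM_GROUPS = {
    # A group that does not exist in the directory, defined by an LDAP filter.
    "finance-staff": "(&(objectClass=user)(department=Finance))",
}


def split_filters(s):
    """Split "(a=1)(b=2)" into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def ldap_filter_match(entry, filt):
    """Evaluate the subset of LDAP filters custom groups usually need:
    (attr=value) plus the & | ! operators. Values compare case-insensitively;
    multi-valued attributes match when any value equals the filter value."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"bad filter: {filt}")
    body = filt[1:-1]
    if body and body[0] in "&|!":
        results = [ldap_filter_match(entry, sub) for sub in split_filters(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    actual = entry.get(attr)
    if isinstance(actual, list):
        return value in actual
    return actual is not None and str(actual).lower() == value.lower()


def primary_username(entry, attribute="sAMAccountName"):
    """Render the identity as policies and logs will show it. Convention used
    here (an assumption): sAMAccountName is prefixed with the lower-cased
    NetBIOS domain, userPrincipalName is used as-is in lower case."""
    if attribute == "sAMAccountName":
        return f"{NETBIOS_DOMAIN.lower()}\\{entry['sAMAccountName']}"
    return entry["userPrincipalName"].lower()


def members_of_custom_group(name):
    return sorted(primary_username(e) for e in DIRECTORY
                  if ldap_filter_match(e, CUSTOM_GROUPS[name]))


def groups_for_user(pname):
    """Directory groups (filtered by the include list) plus custom groups."""
    groups = set()
    for entry in DIRECTORY:
        if "userPrincipalName" not in entry or primary_username(entry) != pname:
            continue
        groups |= {g for g in entry["memberOf"] if g in GROUP_INCLUDE_LIST}
        groups |= {n for n, f in CUSTOM_GROUPS.items() if ldap_filter_match(entry, f)}
    return groups


def policy_match(ip, ip_user_map, required_group):
    """Join User Mapping (ip -> username) with Group Mapping (username -> groups)."""
    user = ip_user_map.get(ip)
    return user is not None and required_group in groups_for_user(user)


if __name__ == "__main__":
    print(members_of_custom_group("finance-staff"))
    print(policy_match("10.1.1.5", {"10.1.1.5": "example\\carol"}, "finance-staff"))
    print(policy_match("10.1.1.6", {"10.1.1.6": "carol@example.local"}, "finance-staff"))
```

The last two calls are the practical lesson: the same person, mapped as example\carol, matches a rule for finance-staff, while mapped as carol@example.local (a UPN from, say, a VPN or syslog source) she does not, because the group side was rendered with sAMAccountName. Pick the primary username attribute to match the format your mapping sources produce, or normalise at the source.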