Procedure: Configure Agentless User-ID

Overview

To configure Agentless User-ID, first create the necessary service account in Active Directory (AD), then modify and verify required security settings on the AD server and the Palo Alto Networks device.

Steps

  1. Create Service Account in Active Directory (AD)

    Create the service account in AD that the Palo Alto Networks device will use. Ensure this user account is a member of the following AD groups:

    • Distributed COM Users
    • Event Log Readers
    • Server Operators

    Note: Domain Admin privileges are not required for the User-ID service account to function properly; the three memberships above are sufficient. Server Operators is only needed for server session monitoring (Step 7) and grants broad rights on domain controllers, so leave it out if you will only monitor security logs. Refer to Best Practices for Securing User-ID Deployments for more information.

    In Windows Server 2003 environments the "Event Log Readers" group does not exist, so the service account must instead be granted the "Manage auditing and security log" user right through Group Policy. Making the account a member of Domain Admins would also grant that right, but it is not recommended: the account's password is stored on the firewall and used across the network, so it should carry the least privilege that works.

    Screenshot showing Active Directory Users and Computers with service account group memberships.
  2. Configure WMI Security Settings (CIMV2)

    The firewall authenticates to each domain controller over WMI (DCOM) with the service account. Non-administrators do not have Remote Enable on the ROOT\CIMV2 namespace by default, so you must grant the service account access to that namespace on every AD server the firewall will monitor.

  3. Open WMI Management Console

    Run wmimgmt.msc from the command prompt or Run dialog on the AD server to open the WMI Management console.

    Screenshot of the WMI Management console (wmimgmt.msc).
  4. Modify CIMV2 Security Properties

    From the WMI Control Properties window (right-click "WMI Control (Local)" and select "Properties"):

    1. Navigate to the Security tab.
    2. Expand "Root" and select the CIMV2 folder.
    3. Click the Security button below the namespace list.
    4. Click Add and select the service account created in Step 1 (e.g., pantac\userid).
    5. With the service account selected, ensure the following permissions have Allow checked:
      • Enable Account
      • Remote Enable
    6. Click Apply.
    7. Click OK on the Security for ROOT\CIMV2 window, and then OK on the WMI Control Properties window.
    Screenshot showing Security properties for ROOT\CIMV2, highlighting Enable Account and Remote Enable permissions.
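    The AD-side procedure above (Steps 1 through 4) as one PowerShell script, so it can be repeated consistently on every domain controller the firewall will monitor. This is an added example, not code from the original article or from Palo Alto Networks. It assumes the domain pantac.lab, the account pantac\userid and the domain controller name that appear in the CLI output later on this page; the OU path is a placeholder. Run it from a host with the ActiveDirectory module (RSAT) as a user who can create accounts and administer WMI on the domain controllers.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article. Assumed names: domain pantac.lab,
# account pantac\userid, the OU path and the DC list below.

$Domain     = 'pantac.lab'
$SamAccount = 'userid'
$Ou         = 'OU=Service Accounts,DC=pantac,DC=lab'      # assumption: adjust to your OU
$DcList     = @('pantacad2003.pantac.lab')                # DCs the firewall will monitor
$Groups     = @('Distributed COM Users', 'Event Log Readers', 'Server Operators')
# Remove 'Server Operators' from $Groups if you will not enable session monitoring.

# --- Step 1: service account and group membership ---
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccount'")) {
    $password = Read-Host -AsSecureString "Password for $Domain\$SamAccount"
    New-ADUser -Name $SamAccount -SamAccountName $SamAccount `
        -UserPrincipalName "$SamAccount@$Domain" -Path $Ou `
        -AccountPassword $password -Enabled $true -CannotChangePassword $true `
        -Description 'Palo Alto Networks agentless User-ID (WMI/event log read only)'
}
foreach ($group in $Groups) {
    Add-ADGroupMember -Identity $group -Members $SamAccount
}
$sid = (Get-ADUser -Identity $SamAccount).SID.Value
Write-Host "Member of: $((Get-ADPrincipalGroupMembership $SamAccount).Name -join ', ')"

# --- Steps 2-4: grant Enable Account + Remote Enable on ROOT\CIMV2 on each DC ---
# Access-mask bits for WMI namespace security (wbemcli.h): these two bits are
# exactly the two checkboxes the GUI procedure ticks.
$WBEM_ENABLE             = 0x1
$WBEM_REMOTE_ACCESS      = 0x20
$ACCESS_ALLOWED_ACE_TYPE = 0
$wanted = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

foreach ($dc in $DcList) {
    $wmi = @{ ComputerName = $dc; Namespace = 'root\cimv2'; Path = '__systemsecurity=@' }
    $get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed on ${dc}: $($get.ReturnValue)" }
    $acl = $get.Descriptor

    # Idempotent: skip servers that already carry an allow ACE for this account.
    if ($acl.DACL | Where-Object { $_.Trustee.SidString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE }) {
        Write-Host "${dc}: allow ACE for $Domain\$SamAccount already present, skipping"
        continue
    }

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $sid
    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $wanted
    $ace.AceFlags   = 0                       # this namespace only, the GUI default
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $acl.DACL += $ace.PSObject.ImmediateBaseObject

    $set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $acl.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed on ${dc}: $($set.ReturnValue)" }

    # Read the descriptor back and confirm both bits are set, as wmimgmt.msc would show them checked.
    $mask = 0
    (Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor.DACL |
        Where-Object { $_.Trustee.SidString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE } |
        ForEach-Object { $mask = $mask -bor $_.AccessMask }
    Write-Host ("{0}: Enable Account + Remote Enable for {1}\{2}: {3}" -f $dc, $Domain, $SamAccount, (($mask -band $wanted) -eq $wanted))
}
```

    The ACE is written with AceFlags 0, which matches the "This namespace only" default the GUI applies when you click Add; no WMI service restart is needed, which is also why the GUI procedure does not require one. Rotate the account password on a schedule and update it on the firewall (Step 6) in the same change, since the account cannot change its own password.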
  5. Configure User Mapping on Palo Alto Networks Device

    Log in to the Palo Alto Networks device WebGUI:

    1. Select Device > User Identification > User Mapping.
    2. Click the gear icon (settings) in the upper right corner of the "Palo Alto Networks User-ID Agent Setup" section.
    Screenshot of Palo Alto Networks User Mapping settings page.
  6. Configure WMI Authentication Details

    Within the User-ID Agent Setup window:

    1. Go to the WMI Authentication tab.
    2. Enter the service account username in DOMAIN\username format (e.g., pantac\userid).
    3. Enter and confirm the password for the service account.
  7. Configure Server Monitoring

    Within the User-ID Agent Setup window:

    1. Go to the Server Monitor tab.
    2. Ensure Enable is checked.
    3. Enable Security Log monitoring, Server Session monitoring, or both, according to your environment. Security Log monitoring reads logon events from the domain controller's Security event log; Server Session monitoring enumerates SMB sessions on the server and is the reason the account was placed in Server Operators. Enable only what you need.
    4. Client Probing (on the Client Probing tab of the same User-ID Agent Setup window) is often enabled by default. Disable it unless you actually need it: the firewall authenticates to every probed client with the service account, so a compromised or hostile endpoint is in a position to capture or relay those credentials.
  8. Specify Monitored Servers

    Still within the Server Monitor tab:

    1. If the domain name was set during device setup (Device > Setup > Management > General Settings), you can click Discover and the firewall uses DNS to find the domain controllers.
    2. Otherwise, manually Add each AD server (domain controller) you want the firewall to monitor. Give it a name, choose the type Microsoft Active Directory, and enter its FQDN or IP address. This list is what the CLI reports as Directory Servers.
    Screenshot showing the Server Monitor tab with Directory Servers list.
  9. Verify Server Monitor Connectivity

    Confirm the firewall can successfully connect to the configured AD servers using the specified service account and WMI.

    1. Check the status in the WebGUI under Device > User Identification > User Mapping, in the Server Monitoring list; each server should show Connected. Any other status means the firewall could not reach the server or authenticate to it with the service account over DCOM/WMI: re-check the group memberships from Step 1, the ROOT\CIMV2 permissions from Step 4, and that TCP 135 plus the dynamic RPC port range are reachable from the firewall's management interface (or the configured service route) to the server.
    2. Alternatively, use the CLI command:
    > show user server-monitor statistics
    
    Directory Servers:
    Name                         TYPE      Host                         Vsys      Status
    -----------------------------------------------------------------------------
    pantacad2003.pantac.lab      AD        pantacad2003.pantac.lab      vsys1     Connected
    Screenshot showing Server Monitoring status in the WebGUI.
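    When a server does not show Connected, it helps to test the service account from a Windows host over the same transport the firewall uses (DCOM, not WinRM), so that a permission problem can be separated from a network-path problem. The following script is an added example, not from the original article or from Palo Alto Networks. It assumes the DC name and account from this page, and it checks the three things Server Monitor needs: a DCOM connection to ROOT\CIMV2, reading the Security event log, and enumerating server sessions.

```powershell
# Added example, not from the original article. Run from any domain-joined Windows host.
# Assumed names: the DC list below and the account pantac\userid.
$DcList     = @('pantacad2003.pantac.lab')    # assumption: the servers configured in Step 8
$Credential = Get-Credential -UserName 'pantac\userid' -Message 'User-ID service account password'

# Event IDs the firewall's security-log monitoring relies on on Windows Server 2008 and later:
# Kerberos TGT granted (4768), service ticket granted (4769), ticket renewed (4770),
# successful logon (4624). Windows Server 2003 uses 672, 673, 674 and 540 instead.
$LogonEvents = 4768, 4769, 4770, 4624
$Since       = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-30))

function Test-UserIdServerAccess {
    param([string]$Dc, [pscredential]$Cred)
    $r = [ordered]@{ Server = $Dc; DcomConnect = $false; SecurityLogRead = $false
                     RecentLogonEvents = 0; SessionRead = $false; Error = '' }
    $session = $null
    try {
        # DCOM session as the service account: exercises Distributed COM Users membership
        # and Remote Enable / Enable Account on ROOT\CIMV2.
        $session = New-CimSession -ComputerName $Dc -Credential $Cred `
                     -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
        $r.DcomConnect = $true

        # Security log read: exercises Event Log Readers (or the 2003 user right).
        $codes  = ($LogonEvents | ForEach-Object { "EventCode=$_" }) -join ' OR '
        $filter = "Logfile='Security' AND ($codes) AND TimeGenerated > '$Since'"
        $events = @(Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                      -Filter $filter -ErrorAction Stop | Select-Object -First 20)
        $r.SecurityLogRead   = $true
        $r.RecentLogonEvents = $events.Count   # 0 with SecurityLogRead = True just means no logons in the window

        # Session enumeration: what Server Session monitoring does, and what needs Server Operators.
        $null = Get-CimInstance -CimSession $session -ClassName Win32_ServerSession -ErrorAction Stop
        $r.SessionRead = $true
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($session) { Remove-CimSession $session }
    }
    [pscustomobject]$r
}

$DcList | ForEach-Object { Test-UserIdServerAccess -Dc $_ -Cred $Credential } | Format-List
```

    Read the result top down: DcomConnect false points at the group membership, the ROOT\CIMV2 ACE or the RPC ports; SecurityLogRead false with DcomConnect true points at Event Log Readers; SessionRead false only matters if Server Session monitoring is enabled in Step 7, and is expected when you deliberately left the account out of Server Operators.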
  10. Verify IP-User Mapping

    Confirm that the firewall is learning IP-to-user mappings from the monitored servers via the security event logs.

    Use the CLI command:

    > show user ip-user-mapping all
    
    IP              Vsys    From    User                            IdleTimeout(s) MaxTimeout(s)
    --------------- ------- ------- ------------------------------- -------------- -------------
    192.168.28.15   vsys1   AD      pantac\tom                      2576           2541
    192.168.29.106  vsys1   AD      pantac\userid                   2660           2624
    192.168.29.110  vsys1   AD      pantac\userid                   2675           2638
    Total: 3 users
  11. Enable User Identification on Zones

    Ensure that User Identification is enabled on the network zones where the user traffic (whose identity you need to map) will originate.

    1. Navigate to Network > Zones .
    2. Select a zone (e.g., your internal user network zone).
    3. Check the box for Enable User Identification .
    4. Repeat for all necessary zones.
    Screenshot showing the Zone configuration with 'Enable User Identification' checkbox.