Map IP Addresses to Users

User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users.

Once you have your plan, configure user mapping with one or more of the methods summarized in the selection flow below, as needed to enable user-based policy and visibility for applications and resources:

High-Level Method Selection Flow

graph TD
    A[Identify User Type/Environment] --> B{Client OS?}
    B -- Windows Domain Client --> C[Use User-ID Agent Windows or Integrated]
    B -- Linux/Non-Domain Client --> D{Need Web Auth?}
    D -- Yes --> E[Use Authentication Portal]
    D -- No --> F[Consider XML API or Syslog]
    B -- Multi-User Windows (Citrix/TS) --> G[Use TS Agent]
    B -- Multi-User Non-Windows --> H[Use XML API for Terminal Servers]
    A --> I{Existing Auth Service?}
    I -- Yes (Wireless Controller, NAC, Proxy) --> J[Monitor Syslog Senders]
    I -- No --> K[Choose Agent or Auth Portal based on OS]
    A --> L{Custom Application?}
    L -- Yes --> M[Use XML API for General]


You can configure either the Windows agent or the PAN-OS integrated User-ID agent to listen for authentication syslog messages from network services. Only the PAN-OS integrated agent supports syslog listening over TLS, so it is the preferred configuration: the Windows agent listens only over UDP or plaintext TCP, which means the authentication events (and the usernames in them) cross the network unencrypted and can be spoofed or read by anyone on the path.

Quiz: User-ID Mapping Methods

Question 1

Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

Explanation: Syslog monitoring allows the User-ID agent (Windows or PAN-OS integrated) to parse authentication events from syslog messages sent by network services like proxy servers, wireless controllers, or NAC devices.
Reference: Palo Alto Networks Documentation (General Syslog Concepts)

Question 2

Which source is generally considered the most reliable for collecting User-ID user mapping when available?

Explanation: GlobalProtect directly associates a user login with the IP address assigned when the VPN tunnel is established, making it a very reliable source for remote user mapping. Server monitoring remains essential for on-premises users, while GlobalProtect provides direct mapping for VPN users.

Question 3

Which data flow describes redistribution of user mappings?

Explanation: In large-scale networks, firewalls can be configured to redistribute learned user mappings to other firewalls, reducing the load on User-ID agents and information sources.

Question 4

For users on non-domain-joined Linux clients who need access to sensitive web applications, which User-ID method combined with Authentication Policy is most suitable?

Explanation: Authentication Portal is designed to capture user identities for clients that don't automatically provide them via domain logins, such as Linux machines. It forces web-based authentication based on Authentication Policy rules.

Question 5

Which User-ID agent type runs directly on the Palo Alto Networks firewall?

Explanation: The PAN-OS Integrated User-ID Agent is the agent functionality built directly into the firewall's operating system (PAN-OS), eliminating the need for a separate Windows server to host the agent software for basic server monitoring and syslog listening.

Create a Dedicated Service Account for the User-ID Agent

To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.

Service Account Creation & Permission Flow

flowchart TD
    A[Log in to Domain Controller] --> B(Open Active Directory Users & Computers)
    B --> C{Create New User Account}
    C --> D[Define Username/Password]
    D --> E{Assign Required Permissions}
    E -- Windows Agent --> F["Log on as a service (local or via GPO), Event Log Readers, Distributed COM Users (optional, WMI only), CIMV2 namespace permissions (optional, WMI only), folder and registry permissions"]
    E -- PAN-OS Agent --> G["Event Log Readers, Server Operators (optional, session monitoring only), Distributed COM Users (optional, WMI only), CIMV2 namespace permissions (optional, WMI only)"]
    F --> H{Deny Unnecessary Permissions}
    G --> H
    H --> I[Deny Interactive Logon and Deny Remote Access]
    I --> J(Service Account Ready)


The User-ID agent maps users based on security event logs. To ensure that the agent can successfully map users, verify that the source for your mappings has auditing enabled for Audit Logon, Audit Kerberos Authentication Service, and Audit Kerberos Service Ticket Operations. At a minimum, the source must generate logs for the following events: 4624 (an account was successfully logged on), 4768 (a Kerberos authentication ticket, TGT, was requested), 4769 (a Kerberos service ticket was requested) and 4770 (a Kerberos service ticket was renewed).

The required permissions for the service account depend on the user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges to monitor user sessions. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges to monitor user sessions. To reduce the risk of compromising the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent.

User-ID provides many methods for safely collecting user mapping information. Some legacy features designed for environments that only required user mapping on Windows desktops attached to the local network require privileged service accounts. If the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using legacy features that require privileges that would pose a threat if compromised, such as client probing and session monitoring.

Quiz: User-ID Service Accounts & Permissions

Question 6

What is the primary reason for creating a *dedicated* service account for the User-ID agent?

Explanation: Using a dedicated account allows administrators to strictly control permissions, granting only what's needed for the User-ID agent's function (like reading event logs). This follows the principle of least privilege and minimizes potential damage if the account credentials are stolen.

Question 7

Which built-in Active Directory group membership is minimally required for a User-ID service account (Windows or PAN-OS agent) if it needs to perform Server Monitoring by reading security event logs?

Explanation: Both the Windows and PAN-OS Integrated User-ID agents require the service account to be a member of the 'Event Log Readers' group to read security logs from monitored servers like Domain Controllers or Exchange Servers.

Question 8

Which User-ID feature requires assigning the service account to the 'Server Operators' group for the PAN-OS Integrated agent, but is generally NOT recommended due to the high privileges granted?

Explanation: The documentation explicitly states that Session Monitoring requires Server Operator privileges for the PAN-OS Integrated agent, but warns against it because members of that group can also perform highly privileged actions such as shutting down servers. Server Monitoring (reading logs) only requires 'Event Log Readers'.

Question 9

Why is Client Probing (using WMI) generally discouraged in high-security networks?

Explanation: The documentation warns that client probing can generate significant network traffic and can be a security risk. It recommends using more trusted sources like server monitoring, Syslog, or the XML API instead.

Question 10

Which permission should typically be DENIED for a User-ID service account to enhance security?

Explanation: Denying interactive logon privileges (log on locally, log on through Remote Desktop Services, log on as a batch job) prevents the service account from being used for purposes other than its intended function, reducing the attack surface if compromised.

Question 11

Which Windows Security Event Log ID corresponds to a successful user logon, which is crucial for User-ID mapping via server monitoring?

Explanation: Event ID 4624 (Logon Success) is the primary event monitored by User-ID agents to detect when a user successfully logs onto a monitored system, allowing the agent to map the user to the system's IP address. While Kerberos events (4768, 4769, 4770) are also monitored, 4624 is the direct logon event.

Quiz: Windows User-ID Agent Configuration

Question 12

When configuring the firewall to connect to a Windows User-ID Agent, what is the default listening port used by newer agents and the firewall?

Explanation: TCP 5007 is the default port on which the Windows User-ID Agent listens for connections from the firewall; a firewall that redistributes mappings to other firewalls (acting as a User-ID agent itself) also listens on 5007. Port 2010 was used by older agent versions. 5009 is the default for the TS Agent, and 6514 is syslog over SSL/TLS.

Question 13

In the Windows User-ID Agent configuration, what is the purpose of the "Include/Exclude Networks" setting?

Explanation: The Include/Exclude Networks list controls which client source IP address ranges the User-ID agent will actually create mappings for, even if the login event occurred on a monitored server. It's used to scope the mapping process to relevant internal networks.

Question 14

What is a recommended best practice regarding the placement of the Windows User-ID agent relative to the servers it monitors (e.g., Domain Controllers)?

Explanation: The majority of User-ID traffic occurs between the agent and the monitored servers (log queries). Placing the agent close to these servers minimizes latency and bandwidth consumption over potentially slower WAN links compared to the agent-to-firewall update traffic.

Quiz: PAN-OS Integrated User-ID Agent Configuration

Question 15

When configuring Server Monitoring on the PAN-OS Integrated User-ID agent using WinRM with Kerberos, what format must be used for the 'Network Address' of the monitored server?

Explanation: Kerberos authentication relies on FQDNs for service principal name (SPN) lookups. Therefore, when using WinRM with Kerberos for server monitoring, the FQDN of the monitored server must be entered.

Question 16

Which transport protocol option for Server Monitoring with the PAN-OS Integrated agent uses HTTPS and allows for either Basic or Kerberos authentication?

Explanation: WinRM-HTTPS wraps the WinRM exchange in TLS and supports either Basic authentication (username/password, protected only by the TLS layer) or Kerberos authentication (tickets over TLS). WinRM-HTTP supports Kerberos only and has no TLS layer, and WMI uses MSRPC (DCOM).

Question 17

Where do you configure the 'Ignore User List' for the PAN-OS Integrated User-ID Agent?

Explanation: The Ignore User List for the PAN-OS integrated agent is configured within the main agent setup dialog found under Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (click the Edit/Gear icon).
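Questions 11 and 17 together describe what server monitoring actually does with a security log: read the logon and Kerberos events (4624, 4768, 4769, 4770), discard computer accounts and events without a usable client address, and drop any account on the Ignore User List so that a service account logging on everywhere does not overwrite real user mappings. The following Python example is added here for illustration and is not Palo Alto Networks code; the event records are constructed samples in the standard Windows event XML schema, trimmed to the fields the agent reads, and the skip rules are the ones described on this page rather than the agent's exact implementation.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Event Viewer exports, Get-WinEvent .ToXml()).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def make_event(event_id, user, domain, ip):
    """Build a minimal Security event record. Constructed sample, not captured
    from a real domain controller; only the fields User-ID reads are present."""
    return (
        f'<Event xmlns="{EVENT_NS}">'
        f"<System><EventID>{event_id}</EventID></System>"
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample log (hypothetical ACME domain): an interactive logon, two
# Kerberos events, a computer account, a service account that logs on to alice's
# workstation, and an event ID that is not a logon at all.
SAMPLE_EVENTS = [
    make_event(4624, "alice", "ACME", "192.168.10.25"),
    make_event(4768, "bob", "ACME", "::ffff:192.168.10.26"),   # IPv4-mapped form is common in Kerberos events
    make_event(4624, "WS01$", "ACME", "192.168.10.30"),         # computer account, never a user mapping
    make_event(4624, "svc-backup", "ACME", "192.168.10.25"),    # would clobber alice's mapping
    make_event(4672, "alice", "ACME", "-"),                     # special privileges assigned, not a logon
    make_event(4769, "carol", "ACME", "192.168.10.40"),
]

# The event IDs the page lists as the minimum set the source must generate.
LOGON_EVENT_IDS = {4624, 4768, 4769, 4770}

def extract_mappings(xml_records, ignore_users=()):
    """Return {client_ip: 'domain\\user'}; the most recent qualifying event per IP wins."""
    ignore = {u.lower() for u in ignore_users}
    mappings = {}
    for record in xml_records:
        root = ET.fromstring(record)
        event_id = int(root.find(f"{{{EVENT_NS}}}System/{{{EVENT_NS}}}EventID").text)
        if event_id not in LOGON_EVENT_IDS:
            continue
        data = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVENT_NS}}}Data")}
        user = data.get("TargetUserName", "")
        ip = data.get("IpAddress", "")
        if ip.startswith("::ffff:"):          # normalize IPv4-mapped IPv6 addresses
            ip = ip[len("::ffff:"):]
        if user.endswith("$") or ip in ("", "-") or ip.startswith("127."):
            continue                          # computer accounts and local/unknown sources
        if user.lower() in ignore:
            continue                          # Ignore User List: service accounts etc.
        mappings[ip] = f"{data.get('TargetDomainName', '').lower()}\\{user.lower()}"
    return mappings

if __name__ == "__main__":
    print(extract_mappings(SAMPLE_EVENTS, ignore_users=["svc-backup"]))
    print(extract_mappings(SAMPLE_EVENTS))   # without the ignore list, 192.168.10.25 becomes svc-backup
```

Running it with and without the ignore list shows the failure mode the Ignore User List exists for: without it, the later network logon by svc-backup replaces alice's mapping on 192.168.10.25, and policy written for alice silently applies to whatever the service account is allowed to do.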

Quiz: Syslog Monitoring for User-ID

Question 18

Which connection type is recommended for receiving syslog messages for User-ID mapping due to security and reliability?

Explanation: The documentation strongly recommends using SSL/TLS (port 6514) for syslog listening because it encrypts the traffic and provides more reliability than UDP (port 514), which is connectionless and sends data in cleartext. The Windows agent supports TCP, but the PAN-OS integrated agent uses SSL/TLS or UDP.

Question 19

When configuring a Syslog Parse Profile on the firewall (PAN-OS Integrated Agent), what must be configured separately for creating mappings and deleting mappings?

Explanation: Each Syslog Parse profile is designed to identify *either* login events *or* logout events based on the Event Regex/String. To handle both creating and deleting mappings from syslog, you need at least two profiles: one matching login indicators and one matching logout indicators, assigned appropriately in the Server Monitoring configuration.

Question 20

What component must be enabled on a firewall interface to allow it to receive syslog messages for User-ID mapping?

Explanation: The firewall interface needs an Interface Management profile attached that specifically enables the "User-ID Syslog Listener-SSL" or "User-ID Syslog Listener-UDP" service to accept incoming syslog connections for User-ID purposes.

Question 21

A firewall is configured with the PAN-OS Integrated User-ID agent listening for syslog messages. If a syslog message arrives from an IP address NOT configured as a 'Syslog Sender' under Server Monitoring, what happens?

Explanation: The documentation states that the firewall (or agent) only processes syslog messages from explicitly configured and trusted Syslog Sender IP addresses. Messages from unknown sources are discarded.

Quiz: Authentication Portal

Question 22

Which Authentication Portal mode requires a Layer 3 interface on the firewall and DNS records for the redirect host?

Explanation: Redirect mode works by redirecting the user's browser to a Layer 3 interface on the firewall. This requires the interface to have an IP address and a corresponding DNS entry (an A record, plus a PTR record if Kerberos SSO is used) for the configured 'Redirect Host' name. Transparent mode instead has the firewall impersonate the original destination web server to present the authentication challenge, so no redirect host is needed, but browsers will show certificate warnings because the firewall's certificate does not match the destination.

Question 23

Which Authentication Portal authentication method attempts to authenticate the user transparently using domain credentials obtained from the browser?

Explanation: Kerberos Single Sign-On (SSO) is designed to use the existing Kerberos tickets held by the user's browser (if domain-joined and configured correctly) to authenticate them without requiring manual credential entry.

Question 24

What is required on client machines to successfully use Client Certificate Authentication with Authentication Portal?

Explanation: For Client Certificate Authentication, each client device must possess a unique client certificate. The firewall must be configured with a Certificate Profile that trusts the Certificate Authority (CA) that issued these client certificates.

Question 25

What firewall configuration object defines which traffic requires Authentication Portal authentication?

Explanation: Authentication Policy rules (found under Policies > Authentication) are specifically used to match traffic based on source/destination zones, addresses, etc., and then trigger an Authentication Enforcement object, which often involves Authentication Portal.

Quiz: Terminal Server (TS) Agent

Question 26

What is the primary mechanism used by the Palo Alto Networks TS Agent to differentiate users connecting from the same terminal server IP?

Explanation: The TS Agent assigns a unique range (block) of source ports to each user session on the terminal server. The firewall then maps the combination of the server's IP address and this source port range to the specific user.

Question 27

Where must the Palo Alto Networks TS Agent software be installed?

Explanation: The TS Agent software (including its driver) needs to be installed directly on the Windows server hosting the multi-user sessions (e.g., the Terminal Server or Citrix XenApp server) to monitor sessions and manage port allocation.

Question 28

What is the default listening port the firewall uses to connect to a TS Agent?

Explanation: By default, both the TS Agent and the firewall configuration for connecting to it use TCP port 5009.
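Questions 26 to 28 describe the TS Agent mechanism: every session on the terminal server is allocated its own block of source ports, and the firewall maps the pair (server IP, source port range) rather than the IP alone to a user. The following Python example is added here to make the two halves of that scheme concrete; it is not Palo Alto Networks code. The range and block-size defaults (20000 to 39999, 200 ports per block) are assumptions used for the illustration and should be checked against your agent's settings, and the allocator is a simple first-fit model, not the agent's driver.

```python
from dataclasses import dataclass, field

@dataclass
class TsAgentModel:
    """Agent side: per-session source-port block allocation on one terminal server.
    Defaults are assumed values for the example, not read from a real agent."""
    server_ip: str
    range_start: int = 20000
    range_end: int = 39999
    block_size: int = 200
    blocks: dict = field(default_factory=dict)   # user -> (first_port, last_port)

    def session_login(self, user):
        """First-fit allocation of a free block for a new session."""
        start = self.range_start
        for first, last in sorted(self.blocks.values()):
            if start + self.block_size - 1 < first:
                break                              # gap before this block is big enough
            start = last + 1
        if start + self.block_size - 1 > self.range_end:
            raise RuntimeError("source port range exhausted; raise the range or block size")
        self.blocks[user] = (start, start + self.block_size - 1)
        return self.blocks[user]

    def session_logout(self, user):
        self.blocks.pop(user, None)

class FirewallTable:
    """Firewall side: (server IP, port range) -> user, as learned from the agent."""
    def __init__(self):
        self.table = {}   # server_ip -> [(first, last, user)]

    def learn(self, agent):
        self.table[agent.server_ip] = [(f, l, u) for u, (f, l) in agent.blocks.items()]

    def user_for_flow(self, src_ip, src_port):
        """Identify the user behind a flow, or None if the port is not in any block."""
        for first, last, user in self.table.get(src_ip, []):
            if first <= src_port <= last:
                return user
        return None

def demo():
    """Walk through login, lookup and logout; returns the lookups for checking."""
    ts = TsAgentModel(server_ip="10.20.0.10")        # hypothetical terminal server
    fw = FirewallTable()
    ts.session_login("acme\\alice")                  # 20000-20199
    ts.session_login("acme\\bob")                    # 20200-20399
    fw.learn(ts)
    results = {
        "alice_flow": fw.user_for_flow("10.20.0.10", 20050),
        "bob_flow": fw.user_for_flow("10.20.0.10", 20250),
        "system_flow": fw.user_for_flow("10.20.0.10", 45000),   # port outside every block: no user
        "other_host": fw.user_for_flow("10.9.9.9", 20050),      # same port, different IP: no user
    }
    ts.session_logout("acme\\alice")
    fw.learn(ts)
    results["alice_after_logout"] = fw.user_for_flow("10.20.0.10", 20050)
    results["carol_reuses_block"] = ts.session_login("acme\\carol")   # gets alice's freed block
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things worth noticing: a flow whose source port falls outside every allocated block (a system service, or a process that bypasses the agent's driver) has no user and is matched by policy as unknown, and once a session ends its block is immediately reusable, so stale firewall tables would attribute carol's traffic to alice. Keeping the agent-to-firewall connection healthy matters more here than for a single-user host.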

Quiz: XML API for User-ID

Question 29

Which User-ID mapping method is most flexible for integrating with custom applications or unsupported third-party systems that can generate login/logout event data?

Explanation: The XML API provides a programmatic way for any external system capable of making HTTP requests to push user mapping information (login/logout, IP, username) directly to the firewall or User-ID agent.

Question 30

When using the XML API to map users on a multi-user non-Windows terminal server, which specific XML tag is used within a login or logout message to indicate the start of the port range allocated to a user?

Explanation: The tag asked about here is used in XML API login and logout messages for multi-user systems to specify the first port of the block allocated to that user session. The firewall calculates the full range from this starting port and the configured block size, so the sending system and the firewall must agree on the block size.

Question 31

What is required to authenticate XML API requests sent to the firewall for User-ID updates?

Explanation: Communication via the XML API is authenticated using an API key. This key is generated on the firewall based on the credentials of an administrator account with API access privileges.
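Questions 29 to 31 cover the XML API: an external system builds a uid-message containing login and logout entries (with a block-start port for multi-user hosts) and submits it to the firewall authenticated by an API key. The following Python example is added to show that message being built, read back and packaged into a request; it is not Palo Alto Networks code. The message layout (uid-message, version, type, payload, login/logout sections with entry elements carrying name, ip, blockstart and timeout attributes) follows the documented format, while the firewall hostname, API key and usernames are placeholders; the request is only constructed, not sent, so the example runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def build_uid_message(logins=(), logouts=(), timeout=None):
    """Build a User-ID XML API update message.

    logins/logouts are iterables of (username, ip, blockstart); blockstart is None
    for single-user hosts and the first port of the user's block for multi-user hosts.
    timeout (minutes) is applied to login entries only.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section_tag, entries in (("login", logins), ("logout", logouts)):
        if not entries:
            continue
        section = ET.SubElement(payload, section_tag)
        for user, ip, blockstart in entries:
            attrs = {"name": user, "ip": ip}
            if blockstart is not None:
                attrs["blockstart"] = str(blockstart)   # multi-user: firewall derives the range
            if section_tag == "login" and timeout is not None:
                attrs["timeout"] = str(timeout)
            ET.SubElement(section, "entry", attrs)
    return ET.tostring(root, encoding="unicode")

def parse_uid_message(xml_text):
    """Read a message back into {section: [(name, ip, blockstart)]} to check what the firewall will see."""
    root = ET.fromstring(xml_text)
    return {
        section.tag: [(e.get("name"), e.get("ip"), e.get("blockstart")) for e in section]
        for section in root.find("payload")
    }

def build_request(firewall_host, api_key, uid_xml):
    """Return (url, form_body) for a POST to the firewall's XML API.

    The key is placed in the POST body rather than the query string so it does not
    end up in proxy or web-server access logs along the way.
    """
    url = f"https://{firewall_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body

if __name__ == "__main__":
    # Placeholder values for the example; replace with a real firewall and a key
    # generated for a dedicated API-only admin account.
    msg = build_uid_message(
        logins=[("acme\\alice", "192.168.10.25", None),       # single-user workstation
                ("acme\\bob", "10.20.0.10", 20200)],           # multi-user host, block starts at 20200
        logouts=[("acme\\carol", "192.168.10.40", None)],
        timeout=60,
    )
    print(msg)
    url, body = build_request("fw.example.test", "EXAMPLE-API-KEY", msg)
    print(url)
    print(body[:80], "...")
```

Because whoever holds the API key can assert any user-to-IP mapping the firewall will then enforce policy on, generate the key for a dedicated administrator account limited to the XML API, store it like any other credential, and send requests only over TLS with the firewall certificate verified.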