PAN-OS: User-ID Agent vs. Agentless Configuration

What is User-ID?

User-ID is a core feature of Palo Alto Networks firewalls that seamlessly integrates with various directory services and authentication systems to map IP addresses to usernames . This mapping allows administrators to gain visibility into user activity and create security policies based on users and groups rather than just static IP addresses.

Implementing User-ID is fundamental for:

• User-Based Visibility: Seeing usernames instead of just IP addresses in logs (Traffic, Threat, URL, etc.) and reports (ACC).
• User-Based Policy Control: Creating Security, QoS, Decryption, and Authentication policies that apply specifically to certain Active Directory (AD) groups, LDAP groups, or individual users.
• Incident Response: Quickly identifying the user associated with potentially malicious activity originating from a specific IP address.
• Compliance Reporting: Providing user-centric audit trails.

PAN-OS offers two primary architectural approaches for collecting these IP-to-user mappings: using a dedicated Windows-based User-ID Agent or leveraging the Agentless User-ID (PAN-OS Integrated User-ID Agent) feature directly on the firewall.

Both Agent and Agentless methods can leverage various sources to build the IP-to-user mapping table. The primary method for domain environments is monitoring directory server logs, but other methods supplement this:

• Server Monitoring (Primary for Domain Users): Reading security event logs from Domain Controllers (DCs) to detect successful user logon events (Event ID 4624 typically, others depending on OS/config). This is the most common and reliable method for domain-joined Windows clients.
• GlobalProtect: Automatically creates mappings when users authenticate to GlobalProtect Portals/Gateways.
• Captive Portal: Creates mappings when users authenticate via web-based Captive Portal (Active or Passive).
• XML API: Allows external systems (like Aruba ClearPass, Cisco ISE, custom scripts) to push IP-to-user mappings directly to the firewall or User-ID Agent via an API call.
• Syslog Integration: Parsing syslog messages from various sources (VPN concentrators, wireless controllers, proxies) that contain IP and username information in a predefined format. Requires creating Syslog Parse Profiles.
• Exchange Monitoring: Monitoring Microsoft Exchange Server logs for user activity associated with IPs.
• eDirectory Monitoring: (Agent Only) Monitoring Novell eDirectory environments.
• Client Probing: (Agent Only - Less common/recommended) The Agent probes client workstations using WMI or NetBIOS to determine the logged-on user. Can cause performance issues and requires endpoint firewall exceptions.
• Port Mapping: (Agent Only - Terminal Services/Citrix) The Agent installed on a Terminal Server maps users to specific source port ranges.

Architecture and Function

• A separate piece of software installed on a Windows Server (can be member server or DC, member server preferred).
• This Agent server acts as the central collector of IP-to-user mapping information from various configured sources.
• The Agent then redistributes these mappings securely to one or more Palo Alto Networks firewalls or Panorama.

Mapping Methods Used by the Agent:

• Server Monitoring (Primary): Connects to Domain Controllers (DCs) using a service account via WMI or WinRM to remotely read Security Event Logs for logon events. Can also receive Syslog from DCs.
• Exchange Monitoring: Connects to Exchange servers.
• eDirectory Monitoring: Connects to eDirectory servers.
• Client Probing: Can initiate NetBIOS or WMI probes to client endpoints (requires firewall exceptions on clients).
• Port Mapping (TS Agent): A specific component installed directly on Terminal Servers/Citrix XenApp servers.
• Syslog Integration: Listens for syslog messages matching configured profiles.
• XML API Integration: Can receive mappings via API calls from other systems.
• Domain Credential Submission: Can receive usernames from proxies via X-Forwarded-For headers.

Pros:

• Scalability: Can monitor a large number of Domain Controllers and handle high mapping rates efficiently. Offloads processing from the firewall's management plane.
• Dedicated Resources: Runs on its own server resources.
• Broader Source Compatibility: Historically supported more diverse sources like eDirectory more robustly.
• Centralized Collection Point: Gathers mappings from many sources and distributes to many firewalls.

Cons:

• Requires Dedicated Windows Server(s): Adds infrastructure overhead (OS license, server maintenance, patching). High Availability requires multiple Agent instances.
• Agent Installation & Maintenance: Requires installing, configuring, and updating the agent software.
• Network Connectivity: Requires reliable network connectivity between the Agent server, Domain Controllers, and the Firewalls/Panorama. Firewall rules needed.
• Service Account Permissions: Requires a service account with specific, potentially complex permissions on DCs (Event Log Readers, WMI/WinRM access).

Architecture and Function

• The User-ID mapping collection logic runs directly on the firewall's management plane (as the "PAN-OS Integrated User-ID Agent").
• The firewall itself connects to configured sources to gather mappings.
• No separate Windows server or software installation is required.

Mapping Methods Used by Agentless User-ID:

• Server Monitoring (Primary): The firewall directly connects to Domain Controllers using WMI or WinRM (using configured service account credentials) to read Security Event Logs for logon events.
• Exchange Monitoring: Firewall connects directly to Exchange servers.
• Syslog Integration: Firewall listens directly for syslog messages matching configured Syslog Parse profiles.
• XML API Integration: Firewall receives mappings directly via API calls.
• Captive Portal: Firewall handles authentication and mapping directly.
• GlobalProtect: Firewall handles authentication and mapping directly.

Agentless User-ID does *not* support Client Probing or eDirectory Monitoring directly from the firewall.

Pros:

• Simplified Deployment: No need for separate agent software or dedicated Windows servers. Easier initial setup, especially for smaller environments.
• Reduced Infrastructure Footprint: Fewer components to manage, patch, and license (no extra Windows Server OS).
• Direct Integration: Configuration is done directly on the firewall/Panorama.

Cons:

• Management Plane Load: Mapping collection and processing consumes firewall management plane CPU and memory resources. Can become a bottleneck in very large environments with many DCs or high logon rates.
• Direct Connectivity/Permissions Required: The firewall's management interface (or a specified Service Route) needs direct network connectivity and appropriate permissions (via the service account) to query Domain Controllers (WMI/WinRM).
• Source Limitations: Doesn't support Client Probing or eDirectory natively.
• Scalability Limits: May not scale as efficiently as the dedicated Windows Agent for extremely large numbers of DCs or users.

Regardless of the method (Agent or Agentless), several common configuration elements are required:

• Service Account: An Active Directory service account with the necessary permissions is crucial. Required permissions typically include:
  • Membership in `Domain Users`.
  • Membership in `Event Log Readers`.
  • Permissions for WMI (`Windows Management Instrumentation`) or WinRM (`Windows Remote Management`) on the Domain Controllers being monitored. This often involves specific WMI namespace permissions and potentially firewall exceptions on the DCs.
  • (For Exchange Monitoring) Specific Exchange permissions.
• Server Monitoring Configuration:
  • **On Agent:** Configure the Agent software to monitor specific DCs (or auto-discover), specifying the service account.
  • **On Firewall (Agentless):** Configure under Device > User Identification > User Mapping > Server Monitoring , specifying DCs and the service account.
• Firewall Connectivity: Ensure firewall rules permit communication:
  • DCs <-> Agent Server (WMI/WinRM/Syslog, etc.)
  • Agent Server -> Firewalls/Panorama (TCP/5007 default)
  • Firewall -> DCs (WMI/WinRM for Agentless)
  • Firewall <-> Syslog/RADIUS/XML API sources
• User-ID Agent Configuration (Firewall Side): ( Device > User Identification > User-ID Agents ) Configure the firewall to connect to and trust the Windows User-ID Agent server(s) if using the agent method.
• Group Mapping: ( Device > User Identification > Group Mapping Settings ) Configure the firewall to connect to LDAP or AD to retrieve group membership information. This allows using AD groups (e.g., `Sales-Users`, `IT-Admins`) in policies.
• User-ID Enabled Zones: ( Network > Zones > [Zone Name] ) Enable User-ID collection on the zones where user traffic originates (typically internal/trusted zones).
• Mapping Timeouts: ( Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Caching ) Configure appropriate timeouts for IP-to-user mappings.

Caveats and Gotchas

For the PCNSE exam, regarding User-ID Agent vs. Agentless:

• Understand the fundamental purpose of User-ID: Mapping IPs to Users for policy and visibility.
• Clearly differentiate between the Windows User-ID Agent (separate server) and Agentless User-ID (PAN-OS Integrated Agent on firewall).
• Identify the primary method for gathering domain user mappings: Server Monitoring (reading DC Security Event Logs).
• Know the technologies used for Server Monitoring (WMI, WinRM, Syslog).
• List other common mapping sources (GP, Captive Portal, XML API, Syslog, RADIUS).
• Understand the role and requirement of a Service Account with appropriate permissions.
• Know the basic pros and cons/scalability differences between Agent and Agentless methods.
• Recognize where User-ID mappings are used (Security Policy, QoS, Decryption, Logging, Reporting).
• Know where to configure Server Monitoring (Agent software vs. Device > User Identification on firewall).
• Understand the need for Group Mapping to use AD groups in policy.
• Be aware of the need to enable User-ID on specific Zones .

References

• PAN-OS Admin Guide: User-ID Concepts
• Map Users to Groups