Introduction: Obtaining User Information

Palo Alto Networks User-ID feature fundamentally relies on obtaining accurate mappings between IP addresses currently in use on the network and the usernames associated with those IPs. This mapping allows the firewall to enforce user- and group-based policies and provide user-centric visibility in logs and reports.

PAN-OS offers a variety of methods to gather this mapping information, catering to different network environments, authentication systems, and device types. Understanding these methods is crucial for designing and implementing an effective User-ID solution.

1. Server Monitoring (Event Log Scraping)

• How it works: The User-ID component (either the Windows Agent or the PAN-OS Integrated Agent) monitors security event logs on directory servers (primarily Microsoft Active Directory Domain Controllers) for successful user logon events (e.g., Event ID 4624). These events contain both the username and the source IP address of the login attempt.
• Mechanism: Typically uses Windows Management Instrumentation (WMI) or Windows Remote Management (WinRM) to query DCs remotely. Requires a service account with appropriate permissions (Event Log Readers, WMI/WinRM access). Can also use Syslog forwarding from DCs.
• Pros: Highly reliable for domain-joined Windows clients, captures standard domain logons accurately, often considered the primary method in AD environments.
• Cons: Requires service account permissions, firewall rules between collector and DCs, potential issues with DC log rollover speed, doesn't capture non-domain logons.
• Agent/Agentless: Can be performed by both the Windows Agent and the Agentless PAN-OS Integrated Agent.

2. GlobalProtect Authentication

• How it works: When users successfully authenticate to a GlobalProtect Portal or Gateway (using LDAP, SAML, RADIUS, etc.), the firewall automatically creates an IP-to-user mapping based on the authenticated username and the IP address assigned to the client from the IP pool.
• Mechanism: Integrated directly into the GlobalProtect connection process.
• Pros: Very reliable for VPN users, requires no separate configuration beyond standard GP setup, captures users regardless of their location or device domain status.
• Cons: Only provides mappings for active GlobalProtect users.
• Agent/Agentless: Managed directly by the firewall component hosting the GP Portal/Gateway.

3. Captive Portal Authentication

• How it works: Users attempting to access network resources are redirected to a web page (Captive Portal) hosted by the firewall, where they must authenticate (e.g., against AD/LDAP, RADIUS, local DB). Upon successful authentication, the firewall maps the user's source IP to their username.
• Modes:
  • Active (Transparent): Redirects specific protocols like HTTP/HTTPS automatically.
  • Passive (Redirect): Requires an initial connection attempt that gets redirected by policy. Often used for non-web protocols or broader coverage.
  • NTLM Authentication: Can attempt transparent authentication for domain users in some browser scenarios.
• Pros: Effective for guest networks, BYOD scenarios, non-domain users, and environments without easy access to DC logs. Can enforce Acceptable Use Policies (AUP).
• Cons: Can be disruptive to user experience (especially redirect modes), relies on browser interaction, potential for session timeouts requiring re-authentication.
• Agent/Agentless: Managed directly by the firewall.

4. XML API Integration

• How it works: The firewall provides an XML API that allows external systems to programmatically push IP-to-user mappings. The external system is responsible for determining the mapping (e.g., via RADIUS accounting, 802.1X authentication, wireless controller logins).
• Mechanism: The external system sends specifically formatted XML messages containing IP, username, and optional timeout values to the firewall's API endpoint.
• Pros: Highly flexible, integrates with virtually any system capable of sending API calls (NAC solutions like Cisco ISE/Aruba ClearPass, custom scripts, DHCP servers, VPN concentrators). Enables mapping in complex or non-standard environments.
• Cons: Requires configuration and potentially development effort on the external system sending the mappings. Relies on the accuracy and timeliness of the external system.
• Agent/Agentless: Mappings are received directly by the firewall or can be sent to the Windows Agent.

5. Syslog Integration

• How it works: The User-ID component (Agent or Firewall) listens for Syslog messages sent from other network devices (e.g., VPN concentrators, wireless controllers, proxy servers). It uses predefined or custom Syslog Parse Profiles to extract the IP address and username from specific log message formats.
• Mechanism: Requires configuring the source device to send relevant logs to the User-ID Agent/Firewall and configuring matching Parse Profiles on the PAN-OS side.
• Pros: Leverages existing logging infrastructure, useful for getting mappings from devices that don't support direct integration or the API.
• Cons: Relies heavily on consistent and predictable log formats from the source device. Requires creating and testing potentially complex regular expressions for parsing. Can be less reliable than other methods if log formats change.
• Agent/Agentless: Can be performed by both the Windows Agent and the Agentless PAN-OS Integrated Agent.

6. Server Monitoring (Exchange)

• How it works: The User-ID component (Agent or Firewall Integrated Agent) monitors Microsoft Exchange Server logs (specifically IIS logs on Client Access Servers) to correlate user email activity (like Outlook Web Access logins) with the client IP addresses accessing the service.
• Use Case: Can supplement Domain Controller monitoring, especially for identifying users connecting from non-Windows clients (like macOS using native mail clients or mobile devices) or in scenarios where DC logs might miss certain types of authentication events related to Exchange access.
• Requirements: Service account with permissions to read IIS logs on relevant Exchange servers, network connectivity.
• Pros: Provides mappings for certain types of clients/access missed by DC monitoring.
• Cons: Less common now with the shift to cloud-based email (Office 365), only captures users actively interacting with the monitored Exchange components, requires specific Exchange server access/permissions.
• Agent/Agentless: Supported by both the Windows Agent and the PAN-OS Integrated Agent.

Introduction: Identifying the User

The User-ID feature is a cornerstone of the Palo Alto Networks platform, enabling visibility and control based on user identity rather than just IP addresses. To achieve this, the firewall needs reliable methods to learn which user is associated with which IP address at any given time. PAN-OS supports a variety of methods, often used in combination, to gather this critical IP-address-to-username mapping information.

Understanding these different methods, their use cases, requirements, and limitations is essential for successfully deploying and troubleshooting User-ID.

The firewall (either directly via the PAN-OS Integrated User-ID Agent or indirectly via the Windows User-ID Agent ) can leverage the following sources to obtain IP-to-user mappings:

• Server Monitoring: Monitoring authentication event logs on directory servers (e.g., Active Directory Domain Controllers).
• Port Mapping (Terminal Services Agent): Mapping users on multi-user systems (RDS/Citrix) based on source port ranges (Requires Windows Agent).
• Client Probing: Actively probing client workstations (Requires Windows Agent).
• GlobalProtect: Using authentication logs from GlobalProtect Portal/Gateway connections.
• Captive Portal: Using authentication logs from Captive Portal sessions.
• Syslog Integration: Parsing username and IP information from syslog messages sent by other network devices (VPNs, WLAN controllers, proxies, etc.).
• XML API / REST API: Receiving mappings pushed from external systems (NAC, ClearPass, ISE, custom scripts) via the API.
• Exchange Monitoring: Monitoring Microsoft Exchange server logs.
• eDirectory Monitoring: Monitoring Novell eDirectory environments (Requires Windows Agent).

Often, multiple methods are deployed concurrently to achieve comprehensive coverage across different user types and access methods.

6. Server Monitoring (Exchange)

• How it works: The User-ID agent—either the Windows-based agent or the PAN-OS integrated agent—monitors the security event logs on Microsoft Exchange Servers to identify user login events. This includes monitoring for events such as Kerberos ticket grants or renewals and Exchange server access. By analyzing these logs, the agent maps IP addresses to usernames, facilitating user-based policy enforcement.
• Use Case: This method is particularly useful for capturing login events from non-Windows clients (e.g., macOS, Linux, mobile devices) that may not authenticate directly with domain controllers but access Exchange services. It supplements domain controller monitoring to provide a more comprehensive view of user activity.
• Requirements: A dedicated service account with the necessary permissions to read security logs on Exchange servers. The account should be a member of the Event Log Readers group. Additionally, network connectivity between the User-ID agent and the Exchange servers is required.
• Pros: Enhances user mapping accuracy by capturing login events that might be missed by domain controller monitoring alone, especially for clients accessing Exchange services without traditional domain authentication.
• Cons: With the increasing adoption of cloud-based email solutions like Office 365, on-premises Exchange server monitoring is becoming less common. Additionally, this method only captures users who actively interact with the monitored Exchange components and requires specific access permissions to the Exchange servers.
• Agent/Agentless: Supported by both the Windows-based User-ID agent and the PAN-OS integrated User-ID agent.

2. Port Mapping (Terminal Services / Citrix)

• How it Works: A specific Terminal Services (TS) Agent component (part of the Windows User-ID Agent package) is installed directly on multi-user servers (Microsoft RDS or Citrix XenApp). This agent monitors user logons *on that server* and allocates ranges of source ports to each user session. When traffic leaves the server, the firewall uses the combination of the server's IP address and the source port range to identify the specific user.
• Requirements: Windows User-ID Agent installed on the Terminal Server(s). Firewall configured to connect to the TS Agent.
• Use Case: Accurately identifying individual users connecting through shared-IP environments like RDS or Citrix.
• Pros: Provides accurate mapping in multi-user shared IP scenarios.
• Cons: Requires agent installation on each TS/Citrix server, only applies to traffic originating from those servers. Mappings are NOT shared via User-ID Hub.

3. Client Probing (Windows Agent Only)

• How it Works: The Windows User-ID Agent actively attempts to connect to client workstations (using NetBIOS or WMI) within specified subnets to determine the currently logged-on user.
• Requirements: Windows User-ID Agent, network connectivity from Agent to clients, firewall exceptions on clients to allow NetBIOS/WMI probes, administrative credentials for probing.
• Use Case: Primarily used as a supplemental method to verify mappings or identify users on workstations where server monitoring might miss events (less common now).
• Pros: Can potentially identify users missed by passive methods.
• Cons: Intrusive, high network overhead, often blocked by endpoint firewalls, security concerns regarding credentials, performance impact on Agent and clients. Generally discouraged as a primary method.

4. GlobalProtect Authentication Logs

• How it Works: When a user successfully authenticates to a GlobalProtect Portal or Gateway configured on the firewall, the firewall automatically creates an IP-to-user mapping based on the authenticated username and the IP address assigned to the client from the IP pool.
• Requirements: Functional GlobalProtect Portal/Gateway deployment.
• Use Case: Identifying remote users connected via VPN.
• Pros: Automatic, reliable for GP users, integrates seamlessly.
• Cons: Only maps users currently connected via GP.

5. Captive Portal

• How it Works: When unmapped users attempt to access resources requiring authentication (typically internet access), the firewall redirects them to a web page (Captive Portal). Upon successful authentication (against LDAP, RADIUS, SAML, etc.), the firewall creates an IP-to-user mapping for that client's source IP address. Can operate in Transparent mode (redirect) or Redirect mode (explicit proxy-like). NTLM authentication is also an option for domain environments.
• Requirements: Captive Portal configured on relevant zones/interfaces, Authentication Profile.
• Use Case: Identifying guest users, BYOD users, users on non-domain machines, or as a fallback identification method.
• Pros: Can map users regardless of device/domain status, forces authentication.
• Cons: Can be disruptive to user experience, relies on browser interaction, potential for session hijacking if not secured properly (use SSL).

6. Syslog Integration

• How it Works: The firewall (or Windows Agent) listens for syslog messages sent from other network devices (e.g., wireless controllers, VPN concentrators, proxy servers, RADIUS servers). Custom Syslog Parse Profiles are created to extract the username and IP address from specific log message formats.
• Requirements: External device capable of sending relevant syslog messages, network connectivity, correctly configured Syslog Parse Profiles on the firewall/agent.
• Use Case: Integrating User-ID information from diverse third-party systems that log authentication or IP assignment events.
• Pros: Highly flexible integration method.
• Cons: Relies on consistent log formats from third-party devices, requires potentially complex regex parsing configuration, can be fragile if log formats change.

7. XML API / REST API

• How it Works: External identity and access management systems (like Cisco ISE, Aruba ClearPass, other NAC solutions) or custom scripts can directly push IP-to-user mappings to the firewall (or Windows Agent) using the PAN-OS XML or REST API. Mappings can include username, IP, and even group membership.
• Requirements: External system capable of making API calls, API key configured on the firewall/agent, network connectivity.
• Use Case: Integrating with advanced NAC/identity solutions, providing mappings for complex scenarios (e.g., dynamic VLANs, device posture changes from NAC).
• Pros: Powerful integration, allows near real-time updates from authoritative sources.
• Cons: Requires configuration/scripting on the external system, relies on the external system's accuracy.

8. Other Monitoring Methods

• Exchange Monitoring: The Agent or firewall connects to Microsoft Exchange servers to map IPs based on user activity logs. Less common now with cloud mail adoption.
• eDirectory Monitoring (Agent Only): The Windows Agent connects to Novell eDirectory servers to gather mappings.

For the PCNSE exam, concerning User-ID methods:

• Be able to list and describe the primary User-ID mapping methods (Server Monitoring, GP, Captive Portal, Syslog, API are key).
• Understand the primary use case for each major method (e.g., Server Monitoring for domain users, GP for remote access, Captive Portal for guests/unknowns, API/Syslog for integration).
• Know the basic requirements for key methods (e.g., Service Account for Server Monitoring, Syslog Parse Profiles for Syslog).
• Differentiate between methods available only with the Windows Agent (Client Probing, Port Mapping/TS Agent, eDirectory) vs. those available with Agentless User-ID (Server Monitoring, Syslog, API, GP, CP).
• Understand that multiple methods are often used together for comprehensive coverage.

7. Client Probing (Windows Agent Only)

• How it works: The Windows User-ID Agent actively queries client workstations using WMI or NetBIOS protocols to determine the currently logged-in user for a given IP.
• Use Case: Can be used as a fallback or in environments where DC log access is problematic.
• Cons: Generally discouraged. Can be resource-intensive for the agent and clients, requires firewall exceptions on endpoints, potential for false positives, security concerns about probing.

8. Port Mapping (Terminal Server / TS Agent)

• How it works: Requires a specific component (TS Agent) installed directly on Microsoft Terminal Servers or Citrix XenApp servers. This agent monitors user logons to the server and allocates a unique range of source ports to each user session. It sends this user-to-port-range mapping along with the server's IP to the main User-ID Agent or Firewall. The firewall then uses the combination of Server IP + Source Port Range to identify the user.
• Use Case: Essential for accurately identifying individual users connecting through multi-user systems like Terminal Servers or Citrix, where multiple users share the same server IP address.
• Agent/Agentless: Requires the TS Agent component on the server, which then communicates with either the Windows User-ID Agent or directly with the firewall (configured as an agent connection).

9. eDirectory Monitoring (Windows Agent Only)

• How it works: The Windows User-ID Agent monitors Novell eDirectory servers for user logon events.
• Use Case: For environments using Novell eDirectory as their primary directory service.

For the PCNSE exam, understand:

• The different methods available for gathering IP-to-User mappings.
• The primary function and typical use case for each major method: Server Monitoring, GlobalProtect, Captive Portal, XML API, Syslog Parsing .
• The basic requirements for Server Monitoring (Service Account, Permissions, WMI/WinRM).
• How GlobalProtect and Captive Portal generate mappings through authentication.
• The role of the XML API and Syslog Parsing for integration with other systems.
• The specific purpose of the Terminal Server (TS) Agent and Port Mapping.
• The general difference between the Windows Agent and Agentless User-ID architectures.
• The importance of using multiple methods for comprehensive coverage.
• How to handle non-domain users and shared IP environments (like Terminal Servers).

References

• PAN-OS Admin Guide: User-ID Methods
• PAN-OS Admin Guide: User-ID Concepts (Overview)
• PAN-OS Admin Guide: Map IP Addresses to Users (Covers multiple methods)
• Deploy User-ID in a Terminal Server Environment
• User-ID XML API Reference
• Knowledge Base: User-ID Configuration Guide
• Palo Alto Networks Certified Network Security Engineer (PCNSE) Exam Blueprint