The User-ID feature of the Palo Alto Networks NGFW enables you to create policy rules and perform reporting based on users and groups rather than on individual IP addresses.
User-ID integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal services offerings, so you can associate application activity and policy rules with users and groups rather than with IP addresses alone. With User-ID enabled, the Application Command Center (ACC), App Scope, reports, and logs all show usernames in addition to user IP addresses. User-based and group-based policies need two things: a list of the available users and their group memberships, which you select when defining policies, and a way to tie the IP address in each packet to a user. The firewall collects group mapping information by connecting directly to your LDAP directory server (Active Directory, for example); no other type of directory service is supported for group mapping.
Before the firewall can enforce user-based and group-based policies, it must map the source IP addresses in the packets it receives to usernames. User-ID provides several mechanisms to collect this mapping information. A User-ID agent runs either on the firewall itself (the integrated, agentless deployment) or as a separate service installed on a Microsoft Windows host. The agent watches various network systems for authentication events and gathers the data into a master IP-address-to-user mapping table stored on the firewall: for example, it monitors server logs for login events, probes clients, and listens for syslog messages from authenticating services. For IP addresses the agent could not map, you can configure the firewall to redirect HTTP requests to a Captive Portal login. You can combine mapping mechanisms to suit your environment and even use different mechanisms at different sites.
Mapping IP Addresses to Usernames
Today’s working environment is extremely dynamic. Users are no longer restricted to one device on the network: a single user may use a smartphone, a tablet, a desktop, and a laptop, and each device receives its IP address dynamically from a DHCP server, so an IP address says little about who is behind it and is a poor handle for controlling that person. A username is a far better handle than an IP address for controlling and logging a user’s activity, and mapping usernames to IP addresses is the function of User-ID.
The different methods of user mapping are as follows:
- Server Monitoring: A Windows-based User-ID agent, or the PAN-OS integrated User-ID agent built into the firewall, monitors the Security Event logs of Microsoft domain controllers, Exchange servers, or Novell eDirectory servers for successful login and logout events. Domain controller logs reliably record logons but rarely logoffs, so a mapping learned this way lives until the user mapping timeout expires; on shared workstations that can leave a stale user attached to an IP address.
- Port mapping: In Microsoft Terminal Services or Citrix environments, many users share one source IP address. To tell them apart, install the Palo Alto Networks Terminal Services agent on the Windows or Citrix terminal server. The Terminal Services agent allocates a distinct range of source ports to each user session, so the firewall maps each connection to a user by its source port. Linux terminal servers do not support the Terminal Services agent; they must use the XML API to send user mapping information from login and logout events to User-ID.
- Syslog: The Windows-based User-ID agent and the PAN-OS integrated User-ID agent use Syslog Parse Profiles (an event regex plus username and address regexes) to interpret login and logout messages sent by devices that authenticate users, such as wireless controllers, 802.1X devices, Apple Open Directory servers, proxy servers, and other network access control (NAC) devices. Plain syslog is unauthenticated, so the listener accepts messages only from the configured sender addresses; prefer the SSL or TCP listener over UDP, where the sender address is trivially spoofed.
- XFF headers: If a proxy server sits between users and the firewall, the firewall sees the proxy’s source IP address instead of the address of the host that originated the traffic. Most proxy servers can forward the original client source IP address to the firewall in an X-Forwarded-For (XFF) header, and the firewall can use that address to map the traffic to a username. Trust the header only when the packet’s source IP is one of your proxies and the proxy overwrites, rather than appends to, any XFF value the client sent; otherwise a client can claim any address and inherit that address’s user mapping.
- Authentication policy and Captive Portal: When none of the methods above yields a mapping for an IP address, you can use an Authentication policy with Captive Portal: web traffic (HTTP, or HTTPS when the firewall decrypts it) that matches an Authentication policy rule forces the user to authenticate through one of the following three Captive Portal authentication methods:
- Browser Challenge: Uses Kerberos or NT LAN Manager (NTLM) for transparent authentication
- Web Form: Uses multi-factor authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or local authentication
- Client certificate authentication
- GlobalProtect: Remote and mobile users run the GlobalProtect app on their endpoint and must enter credentials to establish a VPN connection to the firewall; that login is used directly for User-ID mapping. GlobalProtect is the recommended method for mapping device IP addresses to usernames because the mapping comes from an authentication the firewall itself performed.
- XML API: The PAN-OS XML API carries login and logout mappings into User-ID where the standard methods do not apply, such as third-party VPN concentrators or 802.1X-enabled wireless networks: whatever system authenticates the user sends the mapping to the firewall or agent.
- Client Probing: In a Microsoft Windows environment the User-ID agent can probe client systems using Windows Management Instrumentation (WMI) and/or NetBIOS. Client Probing is not recommended: it authenticates to every probed host with the agent’s service account, which exposes that account to credential capture on an untrusted host, and a host that blocks the probe yields no mapping anyway.
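The syslog and XML API methods above, as an added example that is not Palo Alto Networks code: a Python emulation of the agent’s syslog listener that applies a Syslog Parse Profile expressed as regexes, reconciles the login and logout events into the IP-address-to-user table, and serialises the result as the uid-message document that the XML API accepts for type=user-id. The controller log format, the regexes, the trusted sender address, the firewall hostname and the API key are assumptions invented for the example; the uid-message structure and the /api/ call are the documented ones. The constructed sample includes a message from an unconfigured sender and one with a malformed address, both of which are dropped, which is the reason the listener restricts senders: a spoofed login line would otherwise overwrite a real user’s mapping.

```python
# Added example (not Palo Alto Networks code): emulate the User-ID agent's
# syslog listener with a Syslog Parse Profile in regex form, reconcile the
# login/logout events into an IP-to-user table, and build the <uid-message>
# document that the PAN-OS XML API (type=user-id) accepts. The log format,
# regexes, sender address, firewall hostname and API key are assumed.
import ipaddress
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class ParseProfile:
    """Regex form of a Syslog Parse Profile: event selector plus field extractors."""
    event_regex: re.Pattern
    user_regex: re.Pattern
    addr_regex: re.Pattern
    logout: bool = False


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LOGIN_PROFILE = ParseProfile(re.compile(r"authenticated from"),
                             re.compile(r"User (\S+) authenticated"),
                             re.compile("from " + IPV4))
LOGOUT_PROFILE = ParseProfile(re.compile(r"logged out from"),
                              re.compile(r"User (\S+) logged out"),
                              re.compile("from " + IPV4), logout=True)

TRUSTED_SENDERS = {"10.0.0.5"}  # assumed address of the wireless controller

# Constructed (sender IP, syslog line) pairs in an assumed controller format.
SAMPLE_MESSAGES = [
    ("10.0.0.5", "<134>Jun 1 09:00:01 wlc01 authd: User acme\\alice authenticated from 10.10.20.15 via 802.1X"),
    ("10.0.0.5", "<134>Jun 1 09:00:05 wlc01 authd: User acme\\bob authenticated from 10.10.20.16 via 802.1X"),
    ("10.0.0.5", "<134>Jun 1 09:01:00 wlc01 authd: User acme\\eve authentication failed from 10.10.20.99"),
    ("10.0.0.5", "<134>Jun 1 09:30:00 wlc01 authd: User acme\\alice logged out from 10.10.20.15"),
    ("10.0.0.5", "<134>Jun 1 09:31:00 wlc01 authd: User acme\\mallory authenticated from 999.1.1.1 via 802.1X"),
    ("192.0.2.77", "<134>Jun 1 09:32:00 wlc01 authd: User acme\\intruder authenticated from 10.10.20.16 via 802.1X"),
]


def extract_events(messages, profiles, trusted_senders):
    """Return ordered (user, ip, is_logout) events; drop untrusted senders and bad fields."""
    events = []
    for sender, line in messages:
        if sender not in trusted_senders:      # listener accepts configured senders only
            continue
        for p in profiles:
            if not p.event_regex.search(line):
                continue
            user = p.user_regex.search(line)
            addr = p.addr_regex.search(line)
            if user and addr:
                try:                            # reject junk such as 999.1.1.1
                    ip = str(ipaddress.ip_address(addr.group(1)))
                except ValueError:
                    break
                events.append((user.group(1), ip, p.logout))
            break
    return events


def reconcile(events):
    """Fold events into the live table; a new login on an IP replaces the old owner."""
    active, logged_out = {}, []
    for user, ip, is_logout in events:
        if is_logout:
            if active.get(ip) == user:
                del active[ip]
                logged_out.append((user, ip))
        else:
            active[ip] = user
            logged_out = [(u, i) for u, i in logged_out if i != ip]
    return active, logged_out


def build_uid_message(active, logged_out, timeout_minutes=60):
    """Serialise the table in the <uid-message> format used by the XML API."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for ip, user in active.items():
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    logout = ET.SubElement(payload, "logout")
    for user, ip in logged_out:
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(doc):
    """Read a <uid-message> back as ({ip: (user, timeout)}, [(user, ip), ...])."""
    root = ET.fromstring(doc)
    logins = {e.get("ip"): (e.get("name"), e.get("timeout")) for e in root.findall("payload/login/entry")}
    logouts = [(e.get("name"), e.get("ip")) for e in root.findall("payload/logout/entry")]
    return logins, logouts


def send_uid_message(host, api_key, doc):
    """POST to https://<host>/api/ with type=user-id (network call; not run offline)."""
    form = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": doc}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=form, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def run_pipeline(messages, trusted_senders=TRUSTED_SENDERS):
    events = extract_events(messages, (LOGIN_PROFILE, LOGOUT_PROFILE), trusted_senders)
    active, logged_out = reconcile(events)
    return active, logged_out, build_uid_message(active, logged_out)


if __name__ == "__main__":
    active, logged_out, doc = run_pipeline(SAMPLE_MESSAGES)
    print(active, logged_out)
    print(doc)
    # send_uid_message("fw.example.net", "API_KEY_HERE", doc)  # assumed host and key
```

Running the pipeline on the sample leaves only bob mapped to 10.10.20.16 and a logout entry for alice; the failed authentication, the malformed address and the spoofed line from 192.0.2.77 never reach the table. A production agent would send each batch as it arrives rather than one reconciled message, and the timeout attribute is what keeps a mapping from outliving the session when no logout is ever seen.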
Identifying the User-ID Agent to Deploy
User-ID has two agents that can monitor the servers and gather the User-ID information. One is the built-in agent, called the integrated agent, inside the PAN-OS firewall. The other is a Windows-based agent that, for PAN-OS 8.0 and later, can be installed on any Windows Server 2008 or later system. Both agents provide the same core functionality. Several factors determine which agent to use.
An organization might choose the Windows agent if it has more than 100 domain controllers, because a single agent of either type can monitor at most 100 domain controllers or 50 syslog servers; several Windows agents, each monitoring a subset of the servers, scale beyond that limit. Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing cycles on the firewall’s management plane.
However, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent because it communicates directly with the servers, whereas the Windows agent communicates with the servers and then communicates the User-ID information to the firewall so that it can update the firewall database.
Methods of User-ID Redistribution
Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to query the mapping information sources directly, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication but need access to remote services and applications. The Data Redistribution feature allows a firewall to be a source of IP-address-to-user mappings, among other types of data, for any device configured to communicate with the agent service of that source firewall, either directly or via Panorama.
If you configure Authentication policy, your firewalls must also redistribute the authentication timestamps generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules: a user who authenticates successfully can request other services and applications within the timeout period without authenticating again. Redistributing the timestamps enforces consistent timeouts across all the firewalls in your network.
Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you do not have to configure redistribution for each information type separately.