Juszeil Conception




2017-3-25 18:34:34

Palo Alto - Configure Agentless User-ID

Configure the following on the Active Directory (AD) Server and the Palo Alto Networks device:

  1. Create the service account in AD that the device will use. Be sure the user is a member of the following groups:
    - Distributed COM Users
    - Event Log Readers
    - Server Operators
    Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information.

    In Windows 2003, the service account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named Event Log Readers is not available in Windows 2003.
    [image: 2016-08-10_08-13-20.jpg]

  2. The device authenticates over WMI, so the CIMV2 namespace security properties must be modified on the AD server that the device connects to.

  3. Run 'wmimgmt.msc' from the command prompt to open the console and select these properties:

    [image: 2016-07-13_09-50-02.jpg]

  4. From the Security tab of WMI Control Properties:
    1.) Select the CIMV2 folder.
    2.) Click Security.
    3.) Click Add and then select the service account from Step 1.
    4.) In this case, it is userid@pantac.lab.
    5.) For this account, check Allow for both Enable Account and Remote Enable.
    6.) Click Apply.
    7.) Then click OK.
    [image: 2016-08-09_userid1.png]

  5. Back in the Palo Alto WebGUI, select Device > User Identification > User Mapping, then click the edit sprocket in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup.
    [image: 2016-08-09_userid2.png]

  6. On the WMI Authentication tab, enter the username in domain\username format along with valid credentials for that user.

  7. Enable the Server Monitor options and enable Security Log and/or Session monitoring as appropriate.
    Client probing is enabled by default; disable it if it is not wanted.

  8. If the domain was configured during Setup in the General Settings/Domain field, the user can elect to discover servers to connect to. If not, manually add a server to the device:
    [image: 2016-07-13_10-02-16.jpg]

  9. Confirm connectivity through the WebGUI or the CLI:

    > show user server-monitor statistics 
    
    Directory Servers:  
    Name                           TYPE     Host            Vsys    Status           
    -----------------------------------------------------------------------------   
    pantacad2003.pantac.lab        AD       pantacad2003.pantac.lab vsys1   Connected      

    [image: 2016-07-13_10-02-17.jpg]

  10. Confirm that ip-user-mapping is working.
    > show user ip-user-mapping all

    IP              Vsys  From    User                            IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- ----------
    192.168.28.15    vsys1  AD      pantac\tom                      2576          2541
    192.168.29.106   vsys1  AD      pantac\userid                   2660          2624
    192.168.29.110   vsys1  AD      pantac\userid                   2675          2638
    Total: 3 users

  11. Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.
    [image: 2016-08-09_userid3.png]
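The AD-side part of the procedure (Steps 1 and 4) can be scripted and, more usefully, verified. The following PowerShell script is an added example and is not part of the original post or of Palo Alto's documentation. It creates the service account with only the three group memberships listed in Step 1, warns if the account has ended up in Domain Admins (which the post notes is unnecessary), and then reads the DACL of the root\cimv2 WMI namespace to confirm that the account holds the Enable Account (0x1) and Remote Enable (0x20) rights that Step 4 grants through wmimgmt.msc. The account name userid and domain pantac.lab are taken from the post; the OU path is a placeholder, the password is prompted for, and the group names assume an English-language server. It uses the ActiveDirectory RSAT module and Get-WmiObject, so it is written for Windows PowerShell 5.1 on the domain controller. It only reads the namespace security; it does not change it.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): provision the User-ID service
# account from Step 1 and verify the CIMV2 namespace rights from Step 4.
param(
    [string]$SamAccountName = 'userid',                              # from the post
    [string]$DomainDns      = 'pantac.lab',                          # from the post
    [string]$OuPath         = 'OU=ServiceAccounts,DC=pantac,DC=lab'  # placeholder OU
)

# Group memberships the post lists for the agentless User-ID reader.
$RequiredGroups = @('Distributed COM Users', 'Event Log Readers', 'Server Operators')
$Upn = "$SamAccountName@$DomainDns"

# Step 1: create the account if it does not exist. The password is prompted for
# rather than embedded in the script.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $Upn"
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName $Upn -Path $OuPath -AccountPassword $pw `
        -Enabled $true -Description 'Palo Alto agentless User-ID reader'
}

# Add only the memberships the post calls for; Add-ADGroupMember is idempotent.
foreach ($g in $RequiredGroups) {
    Add-ADGroupMember -Identity $g -Members $SamAccountName -ErrorAction Stop
}

# Least-privilege check: all required groups present, and no Domain Admins.
$memberOf = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name
$missing  = $RequiredGroups | Where-Object { $_ -notin $memberOf }
if ($missing) {
    Write-Warning "Missing groups: $($missing -join ', ')"
}
if ($memberOf -contains 'Domain Admins') {
    Write-Warning "$SamAccountName is in Domain Admins; the reader role does not need it."
}

# Step 4: inspect the root\cimv2 DACL, which is what the wmimgmt.msc Security
# tab edits. WMI access-mask bits: 0x1 = Enable Account, 0x20 = Remote Enable.
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
$ACCESS_ALLOWED_ACE = 0

$sd  = (Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
$sid = (Get-ADUser -Identity $SamAccountName).SID.Value

# OR together every allow ACE that names the service account directly.
$mask = 0
foreach ($ace in $sd.DACL) {
    if ($ace.AceType -eq $ACCESS_ALLOWED_ACE -and $ace.Trustee.SIDString -eq $sid) {
        $mask = $mask -bor $ace.AccessMask
    }
}
$hasEnable = (($mask -band $WBEM_ENABLE) -ne 0)
$hasRemote = (($mask -band $WBEM_REMOTE_ACCESS) -ne 0)

[pscustomobject]@{
    Account      = $Upn
    Groups       = ($memberOf -join ', ')
    CIMV2_Enable = $hasEnable
    CIMV2_Remote = $hasRemote
}

if (-not ($hasEnable -and $hasRemote)) {
    Write-Warning "Grant Enable Account and Remote Enable on root\cimv2 to $Upn via wmimgmt.msc (Step 4)."
}
```

The DACL check only matches ACEs whose trustee is the account's own SID, so a right inherited through a group (for example an allow ACE for Distributed COM Users) is not counted; that is deliberate, since the post grants the rights to the account itself. If the firewall later fails to connect (Step 9 shows the server status), rerunning this script separates an AD group or WMI permission problem from a credential or network problem on the firewall side.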
