article Guide and Video Demo: User-ID on Cloud NGFW for Azure in Cloud NGFW for Azure Articles

article Guide and Video Demo: User-ID on Cloud NGFW for Azure in Cloud NGFW for Azure Articles https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/guide-and-video-demo-user-id-on-cloud-ngfw-for-azure/ta-p/589026 <DIV class="lia-message-template-content-zone"> <P> </P> </DIV> <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60249i1F2E07E049AF2EED/image-size/large?v=v2&px=999" role="button" title="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" alt="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" /></span></P> <H2><FONT color="#FF6600"><STRONG>About This Guide</STRONG></FONT></H2> <P> </P> <P><SPAN><STRONG><FONT color="#FF6600">Cloud NGFW</FONT></STRONG> is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on <FONT color="#FF6600"><STRONG>Azure</STRONG></FONT>. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.</SPAN></P> <P> </P> <P><SPAN>The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. </SPAN></P> <P> </P> <P><SPAN>In this guide, we will discuss how to enable user-id on Cloud NGFW for Azure and use user-id in policy definition and traffic monitoring.</SPAN></P> <P> </P> <H2><FONT color="#FF6600"><STRONG>Sample Topology</STRONG></FONT></H2> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60223i7BE0B30B51AC9473/image-size/large?v=v2&px=999" role="button" title="Fig 1_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 1_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><STRONG>As per above test topology we have a Windows server with Active Directory configured. There are two Test Users added to the active directory. Within the user subnet there are two user machines(Testuser1 and Testuser2) that will be used to generate user traffic.</STRONG></P> <P><STRONG>Cloud NGFW is integrated with Azure Virtual WAN.</STRONG></P> <P> </P> <H2><FONT color="#FF6600"><STRONG>User-ID with PanOS Integrated Agent</STRONG></FONT></H2> <H4> </H4> <H3><STRONG>Prerequisite</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Configure the </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent" target="_blank" rel="noopener"><SPAN>service</SPAN> <SPAN>account</SPAN></A><SPAN> with Remote Management User and CIMV2 privileges for the server you want to monitor</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-server-monitoring-using-winrm" target="_blank" rel="noopener"><SPAN>Configure server monitoring using WinRM</SPAN></A><SPAN> over HTTPS with Basic Authentication</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Create Test users and Groups on Windows server</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Security Policy on Cloud NGFW to allow communication with LDAP/Windows server with Active directory</SPAN></LI> </UL> <P> </P> <H3><STRONG>Import Root Certificate (from Windows Server) on to Panorama</STRONG></H3> <P><SPAN>Import the root certificate onto Panorama as shown below. This is the CA certificate that's available on Windows server acting as Active directory.</SPAN></P> <DIV id="tinyMceEditorrpegada_1" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60224i3AEF1C557C0E0DAD/image-size/large?v=v2&px=999" role="button" title="Fig 2_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 2_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Add Certificate Profile</STRONG></H3> <P><SPAN>After importing the root certificate in the above step, now add a certificate profile using the certificate imported as shown below</SPAN></P> <DIV id="tinyMceEditorrpegada_2" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60225i6C61C8C1AAD75523/image-size/large?v=v2&px=999" role="button" title="Fig 3_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 3_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Add Certificate Profile to User-ID Connection Security</STRONG></H3> <P><SPAN>Now add this certificate profile to User-ID connection security as shown below.</SPAN></P> <P><SPAN>You need to click on the Gear icon to add a user-id Certificate Profile.</SPAN></P> <DIV id="tinyMceEditorrpegada_3" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 4_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60226i20210404C8E85D89/image-size/large?v=v2&px=999" role="button" title="Fig 4_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 4_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <H3><STRONG>Configure Server Monitor account</STRONG></H3> <P><SPAN>Login to Panorama and configure server monitor account as shown in below screenshot.</SPAN></P> <P><SPAN>Go to </SPAN><I><SPAN>DEVICE > User Identification > User Mapping</SPAN></I><SPAN> and click on Gear icon to configure Server Monitor Account.</SPAN></P> <P> </P> <P><SPAN>Over here you need to provide the user name and password details of the service account that you have created on Windows server as part of prerequisites.</SPAN></P> <DIV id="tinyMceEditorrpegada_4" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 5_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60227iF231B03BE6A21F96/image-size/large?v=v2&px=999" role="button" title="Fig 5_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 5_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Configure Server Monitoring with WinRM-HTTPS Transport Protocol</STRONG></H3> <P><SPAN>Configure server monitoring by going to </SPAN><I><SPAN>DEVICE > User Identification > User Mapping > Server Monitoring </SPAN></I></P> <P><SPAN>Over here you need to specify the Type as Microsoft Active Directory, Transport Protocol as WinRM-HTTPS and the Network Address as your Windows server address where you have an active directory configured.</SPAN></P> <P><SPAN>Commit and push the configuration</SPAN></P> <P> </P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 6_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60228i71CF8BBD4A878D26/image-size/large?v=v2&px=999" role="button" title="Fig 6_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 6_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></SPAN></P> <P> </P> <H3><STRONG>Enable User-ID on Cloud NGFW</STRONG></H3> <P><SPAN>Now you can go ahead and enable User-ID on Cloud NGFW network interfaces. </SPAN></P> <P><SPAN>Since cloud ngfw is a service and we don't have any control over network configuration on Cloud NGFW, you can override Private and Public zones as shown below and enable User-ID</SPAN></P> <DIV id="tinyMceEditorrpegada_6" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 7_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60229i8D83FEC88A6606E8/image-size/large?v=v2&px=999" role="button" title="Fig 7_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 7_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN> To </SPAN></P> <DIV id="tinyMceEditorrpegada_7" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 8_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60230iB1F458CD62ECF696/image-size/large?v=v2&px=999" role="button" title="Fig 8_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 8_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P><SPAN>Similarly override Public zone as well and enable User Identification.</SPAN></P> <P> </P> <H3><STRONG>Configure Service Route to Active Directory LDAP Server</STRONG></H3> <P><SPAN>In order to reach from Cloud NGFW to Active Directory we are now going to add a service route as shown below.</SPAN></P> <P><SPAN>Go to </SPAN><I><SPAN>Device > Setup > Services</SPAN></I><SPAN> and click on “Service Route Configuration” to add route to LDAP server.</SPAN></P> <DIV id="tinyMceEditorrpegada_8" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 9_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60231i9120FFFFE951D493/image-size/large?v=v2&px=999" role="button" title="Fig 9_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 9_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>On clicking Service Route Configuration, you will be presented with the below mentioned screen where you need to select “Custom” and select LDAP service to add a route through Loopback.3 interface.</SPAN></P> <P><SPAN>Cloud NGFW internally uses Loopback.3 as a source interface to talk to Active Directory.</SPAN></P> <P> </P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 10_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 952px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60232i3C51058B50F669E3/image-size/large?v=v2&px=999" role="button" title="Fig 10_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 10_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></SPAN></P> <P> </P> <P><SPAN>Now add a service route based on Destination. Where the destination IP address Active Directory address.</SPAN></P> <P><SPAN>Select the source interface as Loopback.3 interface</SPAN></P> <P> </P> <P><SPAN>Commit and Push the configuration.</SPAN></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 11_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60233iA6022CCBF636DB29/image-size/large?v=v2&px=999" role="button" title="Fig 11_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 11_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 12_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60234i9D929AEA467694F4/image-size/large?v=v2&px=999" role="button" title="Fig 12_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 12_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Configure LDAP Server Profile</STRONG></H3> <P><SPAN>Configure LDAP server profile as shown below.</SPAN></P> <P><SPAN>Go to </SPAN><I><SPAN>DEVICE > Server Profiles > LDAP </SPAN></I><SPAN>and click on Add to add LDAP server profile </SPAN></P> <DIV id="tinyMceEditorrpegada_12" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 13_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60235i4978051306D6B4EB/image-size/large?v=v2&px=999" role="button" title="Fig 13_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 13_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>You can start with providing Profile Name and add Server list where you will specify your active directory server IP address.</SPAN></P> <P><SPAN>Now to fill in Server settings, you need to get Base DN and Bind DN from your active directory as shown below.</SPAN></P> <P> </P> <P><SPAN>On your windows server, open ADSI edit app as shown below</SPAN></P> <DIV id="tinyMceEditorrpegada_13" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 14_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60236iB968E1C106E09A33/image-size/large?v=v2&px=999" role="button" title="Fig 14_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 14_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>You will be presented with below screen where you can select the username of the windows server to copy Bind DN details</SPAN></P> <DIV id="tinyMceEditorrpegada_14" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 15_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60237i459DAC0383946024/image-size/large?v=v2&px=999" role="button" title="Fig 15_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 15_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>Use the copied Bind DN and and Base DN as part of server settings as shown below. Key in the password of your windows server and click on OK to add LDAP server profile</SPAN></P> <DIV id="tinyMceEditorrpegada_15" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 16_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60238i32CAF95CCEE8995C/image-size/large?v=v2&px=999" role="button" title="Fig 16_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 16_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Configure Group Mapping Settings</STRONG></H3> <P><SPAN>In order to configure Group mapping you need to go to User Identification section as shown below and click on Add</SPAN></P> <DIV id="tinyMceEditorrpegada_16" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 17_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60240iA33E45E9C23B6E07/image-size/large?v=v2&px=999" role="button" title="Fig 17_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 17_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>Select the server profile created in above step to add Group mapping as shown below</SPAN></P> <DIV id="tinyMceEditorrpegada_17" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 18_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60241iD5B21EDDEB21EABD/image-size/large?v=v2&px=999" role="button" title="Fig 18_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 18_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H3><STRONG>Configure User-ID Master Device with Cloud NGFW Device Group</STRONG></H3> <P><SPAN>Go to your Cloud NGFW device group as shown below. You will need to select the backend instances of cloud NGFW(it will be 3 or more) by enabling the checkbox against the name of the instances</SPAN></P> <P><SPAN>Now enable “User ID Master Device” radio button and select one of the instance from the drop down to act as User ID master device</SPAN></P> <DIV id="tinyMceEditorrpegada_18" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 19_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60242iD38F087F9DA7F2D1/image-size/large?v=v2&px=999" role="button" title="Fig 19_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 19_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>Commit and Push the configuration</SPAN></P> <P> </P> <H3><STRONG>User Traffic Test Through Cloud NGFW</STRONG></H3> <H5> </H5> <H4><STRONG>Validate Testuser1 Traffic</STRONG></H4> <P><SPAN>As per Test topology we have Two users(Testuser1 and Testuser2). You will now be able to define security policies based on users.</SPAN></P> <P><SPAN>Let's try to add a security policy to block Linkedin for Testuser2 and allow for other users. As shown below</SPAN></P> <DIV id="tinyMceEditorrpegada_19" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 20_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60243i423E2E5814F9828A/image-size/large?v=v2&px=999" role="button" title="Fig 20_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 20_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>Lets now login to Testuser1 and see if he is able to access LinkedIn and other websites</SPAN></P> <P><SPAN>As you can see in the below screenshot, </SPAN><STRONG>Testuser1 </STRONG><SPAN>was able to access LinkedIn and other websites</SPAN></P> <DIV id="tinyMceEditorrpegada_20" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 21_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60244i5BD79A04640C4916/image-size/large?v=v2&px=999" role="button" title="Fig 21_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 21_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <P><SPAN>Validate the same on the Panorama Monitoring page. You can see that the LinkedIn and twitter applications that were accessed by testuser1 was hitting AllowALL rule and allowed</SPAN></P> <DIV id="tinyMceEditorrpegada_21" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 22_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60245i16D1A988D7315E8E/image-size/large?v=v2&px=999" role="button" title="Fig 22_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 22_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P> </P> <H4><STRONG>Validate Testuser2 Traffic</STRONG></H4> <P><SPAN>As per Security policy defined, Testuser2 was blocked from accessing LinkedIn.</SPAN></P> <P><SPAN>Let's now try login to Testuser2 machine and access the websites (LinkedIn and Twitter)</SPAN></P> <P><SPAN>As you can see in the screenshot below, Testuser2 was not able to access Linkedin but was able to access twitter.</SPAN></P> <P> </P> <P><SPAN>Lets see the reason for that on the Panorama monitoring page.</SPAN></P> <DIV id="tinyMceEditorrpegada_22" class="mceNonEditable lia-copypaste-placeholder"> </DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 23_User-ID-CNGFW-Azure_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60246i81C6BC98274BF6CC/image-size/large?v=v2&px=999" role="button" title="Fig 23_User-ID-CNGFW-Azure_palo-alto-networks.png" alt="Fig 23_User-ID-CNGFW-Azure_palo-alto-networks.png" /></span></P> <P><SPAN>This confirms that Cloud NGFW for Azure was able to help with user based policy definition and monitoring.</SPAN></P> <P> </P> <H2><STRONG><FONT color="#FF6600">VIDEO DEMO</FONT></STRONG></H2> <P> </P> <P><STRONG><FONT color="#FF6600"><div class="lia-vid-container video-embed-center"><div id="lia-vid-6354465637112w600h338r363" class="lia-video-brightcove-player-container"><video-js data-video-id="6354465637112" data-account="6058004142001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058004142001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6354465637112w600h338r363'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://live.paloaltonetworks.com/t5/video/gallerypage/video-id/6354465637112">(view in My Videos)</a></div></FONT></STRONG></P> </DIV> Fri, 07 Jun 2024 17:59:25 GMT rpegada 2024-06-07T17:59:25Z Guide and Video Demo: User-ID on Cloud NGFW for Azure https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/guide-and-video-demo-user-id-on-cloud-ngfw-for-azure/ta-p/589026 <P><SPAN>In this guide, we will discuss how to enable user-id on Cloud NGFW for Azure and use user-id in policy definition and traffic monitoring.</SPAN></P> <P> </P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60247i48525908227CED8B/image-size/large?v=v2&px=999" role="button" title="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" alt="Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg" /></span></SPAN></P> Fri, 07 Jun 2024 17:59:25 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/guide-and-video-demo-user-id-on-cloud-ngfw-for-azure/ta-p/589026 rpegada 2024-06-07T17:59:25Z