topic Re: Apple MAC's and User-ID in General Topics

Apple MAC's and User-ID

UA_MC — Wed, 04 Sep 2013 14:32:34 GMT

We recently implemented a pair of PA-3020 in an Active/Passive cluster.

I have been working on USER-ID, but have an issue. There are about 2500 Apple MAC computers

on site. They are binded to AD , even if an AD user uses logs in to an Apple MAC there are no MS events

in the security logs to forward to the User-ID agent.

Most all of the Apple Mac’s don’t mount to any shared MS AD shares.

My question is what am I missing or how can I get the User-ID to work with Apple MAC’s?

Also it would be great if there were a “local” agent installer for both MAC and Windows clients.

We could install them silently and a managed install. Then let the physical machine report to the Firewall of the current user and IP address.

Any thoughts?

Thanks

Mark

Re: Apple MAC's and User-ID

apasupulati — Wed, 04 Sep 2013 14:54:41 GMT

Hello Mark,

Goodmorning! These are the available options that are available for MAC users to provide their User-ID info to the firewall:

1) Captive Portal (https://live.paloaltonetworks.com/docs/DOC-1159)

2) Install a client that will do AD login

3) Make them connect via SSL VPN and surf through the VPN.

4) User ID API integration using Syslog (https://live.paloaltonetworks.com/docs/DOC-1936) - You would take login events on your OpenDirectory server and syslog these events. Parse through the data and use the API to send this info to the User-ID Agent for ip-mappings.

Additionally, user-id agent can also monitor Exchange server, so if the mac users are able to login to Outlook to create login events, we should be able to get the mapping that way as well. Hope that helps!

Thanks,

Aditi

Re: Apple MAC's and User-ID

UA_MC — Wed, 04 Sep 2013 15:19:28 GMT

Thanks Aditi,

Is there any future feature "request" that would provide a local User-ID agent. I think this would help may Administrators of PAN Firewalls.

thanks,

Mark

Re: Apple MAC's and User-ID

sjamaluddin — Wed, 04 Sep 2013 17:09:05 GMT

You said the Macs were bound to AD:

"They are binded to AD , even if an AD user uses logs in to an Apple MAC there are no MS events in the security logs to forward to the User-ID agent." So, how are the Macs bound to AD? IF the users authenticate to AD there should be a logon event and if not, you may have to enable logging levels to show those logon events through:

https://live.paloaltonetworks.com/docs/DOC-2801

These are then read according to:

https://live.paloaltonetworks.com/docs/DOC-1262

You may also find https://live.paloaltonetworks.com/docs/DOC-5662 helpful.

Thanks

Re: Apple MAC's and User-ID

UA_MC — Thu, 28 Aug 2014 13:19:25 GMT

Update:

Sorry this is so late, this issue was resolved. Prior to me working here the MAC admins were given an AD / OU to Bind the Apple MAC OSX machine to (CN=MAC,DC=xx,DC=xxx).

For some reason if the MAC's are not in the default CN=Computers,DC=xx,DC=xxx OU windows security logs will never populate?

After we move all of the AD objects "Apple MAC's" to the correct OU (CN=Computers,DC=xx,DC=xxx), security event logs started working and populating PAN-User-ID.

I hope this helps.