<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How real-time is User-ID? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/414#M318</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Kind of as per the subject really.&amp;nbsp; I'm interested in using User ID so that only authenticated users have internet access, but I'm not sure quite how "real-time" it is?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Someone comes in and switches on a computer, logs onto the domain, tries to browse the web - will the Palo Alto know so soon that they are now the user logged onto a particular PC?&lt;/LI&gt;&lt;LI&gt;What happens if multiple users logon to the same PC?&lt;/LI&gt;&lt;LI&gt;What happens if someone brings in their laptop and they're already logged on, lets's say the laptop's in Standby, but they just wake it up and plug back in to the LAN?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically I'm trying to understand the downsides of using User-ID for policy enforcement rather than simply for additional log information.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Our PAN is running 4.1.8 and our User Agent is 3.1.2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 06 Dec 2012 15:28:10 GMT</pubDate>
    <dc:creator>networkadmin</dc:creator>
    <dc:date>2012-12-06T15:28:10Z</dc:date>
    <item>
      <title>How real-time is User-ID?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/414#M318</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Kind of as per the subject really.&amp;nbsp; I'm interested in using User ID so that only authenticated users have internet access, but I'm not sure quite how "real-time" it is?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Someone comes in and switches on a computer, logs onto the domain, tries to browse the web - will the Palo Alto know so soon that they are now the user logged onto a particular PC?&lt;/LI&gt;&lt;LI&gt;What happens if multiple users logon to the same PC?&lt;/LI&gt;&lt;LI&gt;What happens if someone brings in their laptop and they're already logged on, lets's say the laptop's in Standby, but they just wake it up and plug back in to the LAN?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically I'm trying to understand the downsides of using User-ID for policy enforcement rather than simply for additional log information.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Our PAN is running 4.1.8 and our User Agent is 3.1.2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Dec 2012 15:28:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/414#M318</guid>
      <dc:creator>networkadmin</dc:creator>
      <dc:date>2012-12-06T15:28:10Z</dc:date>
    </item>
    <item>
      <title>Re: How real-time is User-ID?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/415#M319</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's pretty much real time. There are some time gaps, but it should not be noticeable by a user. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;A user logging into the domain adds an event to the DC. As long as User-ID is reading those security logs, the first time the user goes through the firewall it will check with User-ID. That will have already read the log and have the user's IP mapping cached, so the very first request will already have the user name to IP mapping.&lt;/LI&gt;&lt;LI&gt;If two or more users are logged into the same computer (like a terminal server), the most recent user will overwrite the mapping for the previous user. For that reason, you should run the Terminal Server Agent on all systems that have multiple users logging in to them. The Terminal Server Agent will dole out source port ranges to each user that logs in, and that mapping will let the firewall know who is generating that request.&lt;/LI&gt;&lt;LI&gt;Bringing a computer off standby *should* generate a domain controller security event as well. If there is no event, User-ID (at least the 4.1 version, I'm not sure about the 3.1 version) has a couple options: a WMI probe, or a NetBIOS query. If you have those enabled in User-ID, it will try WMI first and NetBIOS as a last-ditch effort. If those are not enabled or fail, the user will be unknown. You can also enable a Captive Portal for devices that do not join the domain.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps!&lt;/P&gt;&lt;P&gt;Greg &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Dec 2012 21:04:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/415#M319</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2012-12-06T21:04:13Z</dc:date>
    </item>
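A toy model of the mapping behaviour Greg describes in the reply above, added here as an example and not code from the original thread or from Palo Alto Networks. It builds an IP-to-user table from constructed logon log lines, shows the most recent user overwriting the previous one on a shared PC, models the Terminal Server Agent handing each user a source-port range, and falls back to "unknown", which is the case a last-resort captive portal rule would catch. The pipe-separated log format, the event IDs used as filter values, the user names and the addresses are all assumptions made for this example.

```python
"""Toy model of User-ID style IP-to-user mapping (added example, not PAN-OS code)."""

# Constructed sample domain-controller logon events, not real Windows log output.
# Field layout is an assumption for this example: timestamp|event_id|user|source_ip.
SAMPLE_EVENTS = [
    "2012-12-06T08:01:10Z|4624|CORP\\alice|10.1.1.20",
    "2012-12-06T08:05:42Z|4624|CORP\\bob|10.1.1.30",
    "2012-12-06T08:07:00Z|4624|CORP\\carol|10.1.1.20",  # second user on the same PC
    "2012-12-06T08:07:30Z|4634|CORP\\bob|10.1.1.30",    # non-logon event, ignored here
]

LOGON_EVENT_ID = "4624"  # assumed filter value for "a user logged on"
UNKNOWN = "unknown"


def parse_event(line):
    """Return (user, ip) for a logon line, or None for anything else."""
    parts = line.split("|")
    if len(parts) != 4 or parts[1] != LOGON_EVENT_ID:
        return None
    return parts[2], parts[3]


class UserIdTable:
    """IP-to-user cache as the firewall would hold it; the newest mapping wins."""

    def __init__(self):
        self.ip_map = {}    # ip to user, learned from DC logon events
        self.port_map = {}  # ip to list of (lo_port, hi_port, user) from a TS agent

    def ingest(self, line):
        """Read one security-log line and update the cache."""
        parsed = parse_event(line)
        if parsed is None:
            return
        user, ip = parsed
        self.ip_map[ip] = user  # silently replaces the previous user on a shared host

    def register_ts_range(self, ip, lo_port, hi_port, user):
        """Model the Terminal Server Agent allocating a source-port range to a user."""
        self.port_map.setdefault(ip, []).append((lo_port, hi_port, user))

    def lookup(self, ip, src_port=None):
        """Resolve a flow to a user; multi-user hosts are keyed by source port."""
        if ip in self.port_map:
            for lo_port, hi_port, user in self.port_map[ip]:
                if src_port in range(lo_port, hi_port + 1):
                    return user
            return UNKNOWN  # port outside every allocated range
        return self.ip_map.get(ip, UNKNOWN)


def policy_action(user):
    """Last-resort rule: a source with no mapping is sent to the captive portal."""
    return "captive-portal" if user == UNKNOWN else "allow"


def demo():
    """Run the sample events through the table and return the resulting decisions."""
    table = UserIdTable()
    for line in SAMPLE_EVENTS:
        table.ingest(line)
    table.register_ts_range("10.1.1.50", 20000, 20999, "CORP\\dave")
    table.register_ts_range("10.1.1.50", 21000, 21999, "CORP\\erin")
    return {
        "shared pc 10.1.1.20": table.lookup("10.1.1.20"),      # carol, alice is gone
        "unmapped 10.1.1.99": policy_action(table.lookup("10.1.1.99")),
        "ts host port 20500": table.lookup("10.1.1.50", 20500),
        "ts host port 30000": table.lookup("10.1.1.50", 30000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The overwrite on 10.1.1.20 is the point Greg makes about shared machines: once carol logs on, traffic from that host is attributed to her even if alice's session is still active, which is why the port-range mapping is needed there. The "unknown" result is the case the captive portal rule discussed later in the thread is meant to handle.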
    <item>
      <title>Re: How real-time is User-ID?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/416#M320</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Greg, Captive Portal as a "last resort" rule if the user is still unknown sounds very workable here.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We're on 4.1.8 and I must admit I'm a little confused from the online help how I'd only display the portal if the User-ID was unknown, and how I'd hook the portal into LDAP/Active Directory for authentication - do you have any link or KB articles please (I'm just going to do a search of Knowledge Point now ).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 08 Dec 2012 13:49:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/416#M320</guid>
      <dc:creator>networkadmin</dc:creator>
      <dc:date>2012-12-08T13:49:54Z</dc:date>
    </item>
    <item>
      <title>Re: How real-time is User-ID?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/417#M321</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can configure a captive portal policy first, for eg: trust to un-trust, action: captive-portal. If the firewall receives a http request from a IP it doesn't have any user-mapping for, they are basically 'Unknown' and will trigger the portal authentication page. You can configure the authentication profile/mode of Captive portal to use as well, from Device tab---&amp;gt;User-identification--&amp;gt;Captive portal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here's a good reference guide,&lt;/P&gt;&lt;P&gt;&lt;A __default_attr="1159" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"&gt;&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Aditi&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 09 Dec 2012 02:41:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/417#M321</guid>
      <dc:creator>apasupulati</dc:creator>
      <dc:date>2012-12-09T02:41:55Z</dc:date>
    </item>
    <item>
      <title>Re: How real-time is User-ID?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/418#M322</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Aditi, I've got it working.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So the next question - right now I have a "whitelist" rule as the last rule in my security policy.&amp;nbsp; It essentially says&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;"If it's from the Lan to Any other Zone, if it's in the "whitelist" URL Filtering profile allow it, otherwise block it".&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is used for a few domains such as antivirus updates, microsoft, etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What's the best way to drop a rule in underneath this as the captive portal rule so that the whitelist rule still fires, since it's used by things such as servers that don't have a person sitting there to enter credentials - is source IP in the captive portal the only option here?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Dec 2012 11:36:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-real-time-is-user-id/m-p/418#M322</guid>
      <dc:creator>networkadmin</dc:creator>
      <dc:date>2012-12-10T11:36:45Z</dc:date>
    </item>
  </channel>
</rss>

