topic Re: don't understand the user identification difference between pan-agent of the and userid-agent. in General Topics

don't understand the user identification difference between pan-agent of the and userid-agent.

manaschai — Thu, 23 Feb 2012 13:46:31 GMT

I use PAN-OS 4.1.3 for test about user identification. I try to use pan-agent by set LDAP server profile and set mapping group already. Then I can use only user groups of AD (user name in group not show) in security policy but can't see user name in "source user" in traffic log. In case I use UserID-agent, I will use user name from AD in security policy and show user name in traffic log.

Is it correct ?

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

gafrol — Thu, 23 Feb 2012 13:54:59 GMT

Hi there,

yes correct once you install the UserID Agent you can start to use AD usernames in policies and you can see AD usernames in traffic logs.

rgds Roland

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

manaschai — Fri, 24 Feb 2012 00:49:25 GMT

thank you for your reply

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

rmonvon — Fri, 24 Feb 2012 04:32:55 GMT

For PAN-OS 4.1.3, you should use the 4.1.3-2 UserID agent to monitor the DC's for user logins. This will produce the usernames in the traffic log.

When you set the LDAP server, LDAP profile, and the group mapping on the PAN device, this will query the group memberships and make them available to the security rules. There, you can define policies for source user=AD users and./or AD groups.

Thanks,

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

jasbeck — Tue, 13 Mar 2012 17:30:36 GMT

Follow-up question on this:

From the statements above, it seems to indicate that MS AD user names are not populated into the traffic or URL logs if the access control is based on MS AD group memberships?

Is that correct?

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

rmonvon — Tue, 13 Mar 2012 18:09:09 GMT

Once users are identified by the agent, their usernames will be populated in the traffic and URL logs. For those users not identified the log field will be blank. This will be true regardless if AD groups are used or not used in security rules.

Thanks.

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

jasbeck — Tue, 13 Mar 2012 18:13:37 GMT

Is that also true for LDAP being proxied through the user id agent 4.1.3-2? Our environment does not lend itself well to LDAP queries from the PAN device, so instead have to leverage the LDAP proxy option through the user id agents. Does this in essence make the 4.1.3-2 agents function like 3.1's?

Re: don't understand the user identification difference between pan-agent of the and userid-agent.

rmonvon — Wed, 14 Mar 2012 17:03:40 GMT

I apologize as I don't understand your question on the LDAP proxy.

In 3.1, the agent is perfoming both the user identification and group membership lookup.

In 4.1, the agent is doing user identification only. The group membership lookup is done on the PA firewall itself, and this lookup is using LDAP.

Thanks.