topic Re: Interrogate External Server for UserID in General Topics

Interrogate External Server for UserID

Stephen_Elliott — Fri, 15 Nov 2019 12:25:20 GMT

Hi,

We have a use case where, upon detection of a session with an unknown userID, we'd like the Palo firewall to interrogate an external service via REST API for the UserID/IP address mapping.

I appreciate the normal way is to prepopulate the Palo or UserID Agent servers with data from external sources, but this is not possible in this case.

Any ideas?

Thanks.

Re: Interrogate External Server for UserID

Mick_Ball — Fri, 15 Nov 2019 14:43:04 GMT

I dont know of any method via cli to add static mappings, this really defeats the object...

so no CLI then no API.

would you not be better off interrogating the ip mapping via ssh or similar and then import this to a server that the user-id agent can itself interrogate or is this also part of the problem..

Re: Interrogate External Server for UserID

Stephen_Elliott — Mon, 25 Nov 2019 09:09:43 GMT

Thanks for your reply MickBall.

I'm not concerned with the CLI especially. I just want the firewall to send a query to an external source for UserID/IP address mapping when a new session from an 'unknown user' is presented.

The external source is not static and will be constantly updating with new UserID/IP address mappings.

Re: Interrogate External Server for UserID

Mick_Ball — Mon, 25 Nov 2019 09:22:46 GMT

NP.

Of course. i understand...

would you not be better off posting a similar request in the automation/API discussions area.

BTW. exactly what server are you looking to interrogate.

Re: Interrogate External Server for UserID

Stephen_Elliott — Mon, 25 Nov 2019 09:31:10 GMT

"would you not be better off posting a similar request in the automation/API discussions area."

- Yes, almost definitely! 🙂

I'll see if an admin can move it for me.

It's a DDI server, used for IPAM/DHCP, that I want to interrogate.

Re: Interrogate External Server for UserID

asilliker — Tue, 26 Nov 2019 21:09:48 GMT

I think you're underestimating the potential query volume this could generate. Even a PA-220 is rated for 4200 CPS.

If your IPAM solution has APIs available to query user -> IP assignment, I'd periodically query the DB and use the User-ID API to create IP-User mappings on the firewall with that information.

Re: Interrogate External Server for UserID

OtakarKlier — Tue, 26 Nov 2019 22:06:13 GMT

Hello,

So when you say external, are you referring to external to the PAN or your environment? Seems that User-ID would be the best option if these sessions are internal.

Perhaps I misunderstood your request?

Regards,

Re: Interrogate External Server for UserID

BPry — Wed, 27 Nov 2019 04:02:49 GMT

@Stephen_Elliott,

The firewall itself directly isn't going to be able to do this, but it is something that could be scripted. You simply need to generate an HTTP call whenever an unknown user is identified in the traffic log that you can grab the source from. The script would need to take that source and query the external service for the user-id information. That information would then need to be fed back to the API so that the firewall can update its user-id database with the user from the external source.