User-ID - Why and How

Community Team Member

Read "User-ID - Why and How" to learn more about the User-ID feature by Palo Alto Networks. User-ID may be able to help you strengthen your security policies and reduce incident response times. Got Questions? Get Answers on Live Community.


Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories.


Knowing who your users are instead of just their IP addresses enables:

  • Visibility – Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.
  • Policy control – Tying users to security policies improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that provide access to Human Resources services (e.g., Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. While IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.
  • Logging, reporting, forensics – If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For instance, you can use the pre-defined User/Group Activity to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.

Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Different methods are used to identify users and groups on your network, as illustrated below.

Figure: User Mapping


Defining policy rules based on group membership rather than on individual users simplifies administration because you don’t have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and it doesn’t require an LDAP administrator to intervene.

Figure: Group Mapping

No need to worry! We have an excellent Getting Started Guide that can help you set up User-ID in no time.
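To make the two mapping steps described above concrete (IP-to-user mapping, then group mapping used by policy), here is a small Python model added as an illustration; it is not Palo Alto Networks code and does not reproduce how the firewall implements User-ID. It models an IP-to-user table whose entries expire, group membership taken from a constructed directory plus one custom group defined by a filter predicate (standing in for an LDAP filter), and rules that match on group rather than on address. The users, groups, addresses, applications and the timeout value are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed directory: hypothetical users with an attribute and group memberships.
DIRECTORY: Dict[str, dict] = {
    "alice": {"department": "IT Support", "memberOf": ["it-support", "all-staff"]},
    "bob": {"department": "Finance", "memberOf": ["all-staff"]},
    "carol": {"department": "HR", "memberOf": ["hr", "all-staff"]},
}

# Custom groups as filter predicates over directory attributes; each stands in
# for an LDAP filter such as (department=IT Support) and needs no directory change.
CUSTOM_GROUPS: Dict[str, Callable[[dict], bool]] = {
    "remote-admins": lambda attrs: attrs.get("department") == "IT Support",
}


def groups_for(user: Optional[str]) -> Set[str]:
    """Group mapping: directory groups plus any custom group whose filter matches."""
    attrs = DIRECTORY.get(user) if user else None
    if attrs is None:
        return set()
    groups = set(attrs["memberOf"])
    groups.update(name for name, match in CUSTOM_GROUPS.items() if match(attrs))
    return groups


@dataclass
class Mapping:
    user: str
    expires_at: float


class UserMappingTable:
    """User mapping: IP -> user, with an expiry so stale entries are not trusted."""

    def __init__(self, timeout_seconds: float = 45 * 60):  # constructed default
        self.timeout = timeout_seconds
        self.entries: Dict[str, Mapping] = {}

    def learn(self, ip: str, user: str, now: float) -> None:
        # A newer login seen from the same address simply replaces the old mapping.
        self.entries[ip] = Mapping(user, now + self.timeout)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self.entries[ip]  # expired: the address may belong to someone else now
            return None
        return entry.user


@dataclass
class Rule:
    name: str
    application: str
    groups: Optional[Set[str]]  # None means "any known user"
    action: str


# Constructed rulebase: HR SaaS for any known user, remote desktop only for admins.
RULES: List[Rule] = [
    Rule("allow-hr-saas", "workday", None, "allow"),
    Rule("allow-rdp-it", "ms-rdp", {"remote-admins"}, "allow"),
]


def evaluate(table: UserMappingTable, rules: List[Rule], src_ip: str,
             application: str, now: float) -> dict:
    """Resolve IP -> user -> groups, then return the first matching rule's verdict.

    The record carries the user name so logs can be searched by user rather
    than by address; traffic that matches no rule, including traffic from an
    unknown or expired address, is denied.
    """
    user = table.lookup(src_ip, now)
    groups = groups_for(user)
    for rule in rules:
        if rule.application != application:
            continue
        if rule.groups is None and user is not None:
            return {"action": rule.action, "rule": rule.name, "user": user}
        if rule.groups is not None and groups & rule.groups:
            return {"action": rule.action, "rule": rule.name, "user": user}
    return {"action": "deny", "rule": "default-deny", "user": user}


if __name__ == "__main__":
    table = UserMappingTable(timeout_seconds=60)
    table.learn("10.0.0.5", "alice", now=0)
    table.learn("10.0.0.9", "bob", now=0)
    for ip, app, t in [("10.0.0.5", "ms-rdp", 10), ("10.0.0.9", "ms-rdp", 10),
                       ("10.0.0.9", "workday", 10), ("10.0.0.5", "ms-rdp", 100)]:
        print(ip, app, evaluate(table, RULES, ip, app, t))
```

The expiry in `lookup` is the part worth noting: once a mapping ages out, the address falls back to "unknown user" and is denied by the rulebase rather than inheriting the previous user's access, which is the failure mode a stale mapping would otherwise create.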


For all the details on the User-ID features, see the following User-ID pages:


User-ID Resource List (an excellent resource list on configuring and troubleshooting User-ID)


Post all the questions you might have in the comments section below, or reach out to us and many other users in our Live Community Discussions Forum.

-Kiwi out!