How to Configure Agentless User-ID

by nato on ‎01-04-2013 03:34 PM - edited on ‎05-12-2017 08:54 AM by (162,362 Views)

Steps

To configure Agentless User-ID, first create the service account, then modify and verify security settings.

Configure the following on the Active Directory (AD) Server and the Palo Alto Networks device:

  1. Create the service account in AD that the device will use. Be sure the user is a member of the following groups:
    - Distributed COM Users
    - Event Log Readers
    - Server Operators
    Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information.

    In Windows 2003, the service account must be given the “Audit and manage security log” user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named “Event Log Readers” is not available in Windows 2003.

  2. The device authenticates to the AD server over WMI, so the CIMV2 namespace security properties must be modified on the AD server that the device connects to.

  3. Run 'wmimgmt.msc' from the command prompt to open the WMI Control console, then open the WMI Control properties.

  4. From the Security tab on WMI Control Properties:
    1.) Select the CIMV2 folder.
    2.) Click Security.
    3.) Click Add and then select the service account from Step 1.
    4.) In this case, it is userid@pantac.lab.
    5.) For this account, check Allow for both Enable Account and Remote Enable.
    6.) Click Apply.
    7.) Then click OK.

  5. Back in the Palo Alto Networks WebGUI, select Device > User Identification > User Mapping, then click the edit sprocket (gear icon) in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup.

  6. On the WMI Authentication tab, enter the user name in domain\username format along with valid credentials for that user.

  7. Under Server Monitor, enable Security Log and Session monitoring as required.
    Client probing is enabled by default; disable it if desired.

  8. If the domain was configured during Setup in the General Settings/Domain field, you can have the device discover servers to connect to. If not, manually add a server to the device.

  9. Confirm connectivity through the WebGUI or the CLI:

    > show user server-monitor statistics
    
    Directory Servers:  
    Name                           TYPE     Host            Vsys    Status           
    -----------------------------------------------------------------------------   
    pantacad2003.pantac.lab        AD       pantacad2003.pantac.lab vsys1   Connected      

  10. Confirm that ip-user-mapping is working.
    > show user ip-user-mapping all

    IP              Vsys  From    User                            IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- ----------
    192.168.28.15    vsys1  AD      pantac\tom                      2576          2541
    192.168.29.106   vsys1  AD      pantac\userid                   2660          2624
    192.168.29.110   vsys1  AD      pantac\userid                   2675          2638
    Total: 3 users

  11. Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.
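As an added verification check, not part of this article or of any Palo Alto Networks script, the PowerShell below audits the service account from Steps 1 and 4 on the domain controller it runs on: it reports which of the three required groups the account belongs to, warns if it is a Domain Admin, and reads the DACL of the root\cimv2 WMI namespace to confirm Enable Account and Remote Enable are granted to that account's SID. It assumes the RSAT ActiveDirectory module is installed, Windows PowerShell 5.1 (Invoke-WmiMethod), an elevated shell, and that the account name passed as a parameter is the one you created; rights inherited through group ACEs are not evaluated.

```powershell
# Added audit script (not from the article): checks the User-ID service account's
# group membership and its rights on the root\cimv2 WMI namespace.
# Assumes the RSAT ActiveDirectory module is installed and the shell is elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccount,            # sAMAccountName, e.g. 'userid' (assumed name)
    [string[]]$RequiredGroups = @('Distributed COM Users', 'Event Log Readers', 'Server Operators')
)

Import-Module ActiveDirectory

# 1. Group membership (Step 1): report each required group and flag Domain Admins,
#    which the article says is not required.
$memberOf = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name
foreach ($group in $RequiredGroups) {
    $state = if ($memberOf -contains $group) { 'OK     ' } else { 'MISSING' }
    Write-Output ("[{0}] member of '{1}'" -f $state, $group)
}
if ($memberOf -contains 'Domain Admins') {
    Write-Warning "$ServiceAccount is in Domain Admins; User-ID does not require this."
}

# 2. WMI namespace DACL (Step 4): the account needs Enable Account (WBEM_ENABLE, 0x1)
#    and Remote Enable (WBEM_REMOTE_ACCESS, 0x20) on root\cimv2.
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
$sid = (Get-ADUser -Identity $ServiceAccount).SID.Value
$descriptor = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
               -Name GetSecurityDescriptor).Descriptor

$allowedMask = 0
foreach ($ace in $descriptor.DACL) {
    # Only ACEs naming this SID directly are evaluated; group-granted rights are not.
    if ($ace.Trustee.SIDString -ne $sid) { continue }
    if ($ace.AceType -eq 0) {          # 0 = ACCESS_ALLOWED_ACE_TYPE
        $allowedMask = $allowedMask -bor $ace.AccessMask
    } else {                           # 1 = ACCESS_DENIED_ACE_TYPE, overrides any allow
        Write-Warning ("Deny ACE for {0} on root\cimv2 (mask 0x{1:X})" -f $ServiceAccount, $ace.AccessMask)
    }
}

$checks = [ordered]@{ 'Enable Account' = $WBEM_ENABLE; 'Remote Enable' = $WBEM_REMOTE_ACCESS }
foreach ($name in $checks.Keys) {
    $state = if (($allowedMask -band $checks[$name]) -ne 0) { 'OK     ' } else { 'MISSING' }
    Write-Output ("[{0}] root\cimv2 '{1}' for {2}" -f $state, $name, $ServiceAccount)
}
```

Run it as `.\Check-UserIdAccount.ps1 -ServiceAccount userid` on the domain controller you added in Step 8; a MISSING line points at the step to revisit before troubleshooting the firewall side.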


See also

User-ID Agent Setup Tips


owner: rkalugdan

Comments
by cindyb
on ‎02-26-2013 09:37 AM

I'd love to see this document broken into two docs - one that can be sent out to customers to prepare for POC - the AD user account setup portion without the PAN firewall config portion . . . is this possible?

by panagent
on ‎02-26-2013 10:02 AM

This document is accessible by customers who have a valid support account. Customers can register for a support account at support.paloaltonetworks.com. Click on the Register button.

by SDorsey
on ‎07-22-2013 04:13 PM

I think what CindyB is trying to say is that in many environments, the person staging the A.D. side is different from the person implementing the PAN firewall. So one document for each team would be beneficial to her.

by stcrye
on ‎06-30-2014 12:54 PM

Please make this available as a PDF with the screen shots large enough to read when printed!

Steve

by ksabry
on ‎10-15-2014 01:57 PM

In case you will be using the "Agentless User-ID", then it is absolutely necessary to include the ranges desired to be probed by the Firewall User-ID agent in the Include/Exclude Networks and to exclude the range 0.0.0.0/0 from being probed as per below; otherwise you will see that the Firewall will be trying to probe all network ranges in 0.0.0.0/0.

To make sure that your User-ID probing is not trying to probe unwanted IP ranges, open your Monitor and select your User-ID source IP address of your Firewall and select the services ms-wmi or destination port 135 or destination port 389 in your Monitor filter.


by wkey
on ‎10-16-2014 06:02 AM

Has this been tested on Server 2012? I'm getting an access denied error on my PA after going through these steps.

Thanks!

by panos
on ‎10-16-2014 06:08 AM

Have you tried with an account from the domain admin group (just to test)?

by wkey
on ‎10-16-2014 06:18 AM

I have. Previously the account was a Domain Admin and it worked wonderfully. I applied the above changes yesterday, restricting the runner account.

Thanks again!

by wkey
on ‎10-17-2014 07:35 AM

Have you had any luck determining if it works under Server 2012?

by satec.helpsec
on ‎10-20-2014 07:10 AM

Hello,

Works with windows server 2012?

by jhartman
on ‎11-20-2014 04:16 AM

Why do we need the server operator group for this? The Microsoft admins that I'm working with are reluctant to hand out those rights and I cannot really explain why we would need them.

by nato
on ‎11-20-2014 07:02 AM

Users connected to resources on the Domain controller, such as shared folders and printers, have their IP addresses and user names stored in the server session table. The agent is able to read this table and use it to make user to IP mappings. The Agent will require Server Operator privileges to read the session table. In an environment where user drives are hosted on the Domain Controller this can be a very efficient way to match users to their IP addresses.

by nato
on ‎11-20-2014 07:56 AM

Just tested with 2012 and it appears that it is only capable of connecting if the service account is part of the domain admins group. Will need to revisit with Engineering/PM and provide an update accordingly.

2014-11-20 07:54:19.011 -0800 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.

2014-11-20 07:54:26.016 -0800 Error:  pan_user_id_win_sess_query(pan_user_id_win.c:1474): session query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.

2014-11-20 07:54:31.086 -0800 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.

by dodo22mx
on ‎11-24-2014 10:52 AM

Hello

I have a problem: filtering by group in policy does not apply to groups, only applies to users, but it does not take my groups from AD. My AD is a Server 2012 and the PA is on 6.1. Any recommendations?

Thanks

by jburugupalli
on ‎11-24-2014 11:16 AM

Hello Ed,

Did you configure the group mapping settings so that the firewall can retrieve user-to-group information from the LDAP server?

Please refer below link to configure group mappings settings :

How to Configure Group Mapping settings?

Regards,

Jahnavi.

by DaleSmith
on ‎11-30-2014 04:49 PM

One gotcha if you intend on querying other domains in your forest - you need to add the service account into the Builtin\Users group in each additional domain.

by RyanF
on ‎01-10-2015 07:03 PM

Hey nato, did you ever get resolution on this?

In this guide Best Practices for Securing User-ID Deployments it says "User-ID deployments can be hardened by only including the minimum set of permissions necessary for the service to function properly. This includes DCOM Users, Event Log Readers, and Server Operators." and specifically "Domain Admin and Enterprise Admin rights are not required to read security event logs and consequently should not be granted."

I'm interested to know if you're seeing something to the contrary.

Edit: I also found this in the PAN-OS-6.1-Admin-Guide:

"Windows 2008 or later domain servers—Add the account to the Event Log Readers group. If you are using the on-device User-ID agent, the account must also be a member of the Distributed COM Users Group"

Looks like the Server Operators group comes into play when not using the on-device User-ID agent.

by cchan_gsa
on ‎03-30-2015 03:14 PM

I ran into the same issue with 2012. I also couldn't get it working with the same "Login to remote object" error and had to make the account a domain admin member. Was anyone able to get it working on a non domain admin account with 2012?

by Charles.Yang
on ‎06-24-2015 10:50 PM

Is there a configuration example for PAN-OS 7 and Window server 2012 environment?

by bparker
on ‎08-15-2015 09:32 PM

Adding some links to other useful Documents related to this.

This defines the minimum security requirements needed as of 2008 r2 and Server Operator is not required. I still need to test 2012.

Agentless User-ID 'access denied' Error in Server Monitor

This is the PowerShell script for setting WMI permissions across an infrastructure without hitting a bunch of individual servers.

PowerShell Script for setting WMI Permissions for User-ID

by hvaldes
on ‎09-03-2015 01:11 PM

For Server 2012 R2 you need to do the following for agentless user-id monitoring to work.


On the specific Windows Servers that need to monitored, open the WMI management console (“wmimgmt.msc”). Select the local WMI Controls properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account” and “Remote Enable” permissions.


It's in the link below. It doesn't mention anything regarding Server 2012 but I tried it and it worked for me. This was NOT needed for Server 2008.


https://live.paloaltonetworks.com/t5/Management-Articles/Agentless-User-ID-access-denied-Error-in-Se...


by herrmoss
‎11-18-2016 10:39 AM - edited ‎11-18-2016 10:39 AM

After configuring Agentless User ID, because the device is being managed by Panorama, I also had to go add a Master Device for this device, using Panorama/Device Groups, in order to make things to work as expected.
