Configuration Articles

Featured Article
This document is a 'how to' guide for configuring Captive Portal in a Vwire deployment. It provides documentation on implementing either Transparent or Redirect mode with client certificate authentication.

Transparent Mode:

Transparent—The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser will display a certificate error to users attempting to access a secure site. Therefore you should only use this mode when absolutely necessary, such as in a Layer 2 or virtual wire deployment.

Generate the Captive Portal Server Certificate. In this instance, I'm using the Trusted Root CA that is also used to sign the intermediate/client certificate. You can certainly create a separate server certificate if you wish.

Create the authentication profile to use. In this case, LDAP is used to authenticate unknown users.

Enable Captive Portal using Transparent mode. As noted, we are using the previously created LDAP authentication profile and the Captive Portal Server Certificate.

Configure your Captive Portal policies. (Note: to trigger Captive Portal on SSL-enabled websites, SSL Decryption will need to be enabled.)

After committing your changes, open a web browser on a system behind the Vwire Trust zone (the source IP must be an unknown user, otherwise you will not get a Captive Portal prompt; also make sure this zone is enabled for user identification). My host IP is 192.168.125.111 and it is currently unknown in the PA's ip-user-mapping:

    admin@lab-26-PA5050> show user ip-user-mapping all
    admin@lab-26-PA5050>

As previously mentioned, when using Transparent mode, all browsers will issue a warning indicating that the destination URL does not match the common name found in the certificate.
After accepting the exception for the common name mismatch, you will be presented with the Captive Portal web form requesting the credentials to authenticate the user.

Upon completing the web form and entering the correct credentials, the user is redirected to the originally requested URL/website.

The session table and IP mapping will appear as follows:

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.111 vsys1  CP      rkalugdan                        888            3462
    Total: 1 users

    admin@lab-26-PA5050> show session id 33570653

    Session        33570653

        c2s flow:
            source:      192.168.125.111 [vtrust]
            dst:         209.95.138.162
            proto:       6
            sport:       39066           dport:      80
            state:       ACTIVE          type:       FLOW
            src user:    rkalugdan          <==================================== via Captive Portal
            dst user:    unknown

        s2c flow:
            source:      209.95.138.162 [vuntrust]
            dst:         192.168.125.111
            proto:       6
            sport:       80              dport:      39066
            state:       ACTIVE          type:       FLOW
            src user:    unknown
            dst user:    rkalugdan

        DP                                   : 1
        index(local):                        : 16221
        start time                           : Tue Jan 27 08:27:52 2015
        timeout                              : 3600 sec
        time to live                         : 3593 sec
        total byte count(c2s)                : 1381
        total byte count(s2c)                : 1006
        layer7 packet count(c2s)             : 13
        layer7 packet count(s2c)             : 12
        vsys                                 : vsys1
        application                          : web-browsing
        rule                                 : vwire
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : content-delivery-networks
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/6
        egress interface                     : ethernet1/4
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

Redirect Mode:

Redirect—The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of Redirect mode is that it allows the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they will not need to re-authenticate upon IP address change as long as the session stays open. In addition, if you plan to use NTLM authentication, you must use Redirect mode because the browser will only provide credentials to trusted sites.
(To use Captive Portal in Redirect mode, you must enable response pages on the interface management profile assigned to the Layer 3 interface to which you are redirecting the captive portal.)

In this example, I've generated a Trusted Root CA and an intermediate CA, which in turn signs the client certificate used for client certificate authentication. For the Trusted CA, which will be used as the Captive Portal Server certificate, I will use 'cpcaroot.pantac2008.com' as the CN, and the client cert will have 'renato' as its CN. We will use 'renato' to help identify the users being captive portal'd via the client cert profile.

The 'CA_Root' and 'intermediate' certificates are exported in PEM format from the PA and imported into the client host. This can be done more seamlessly in a production environment via GPO. In this scenario, I've imported them into the Trusted Root and Intermediate CA stores respectively.

The client certificate signed by the intermediate cert will need to be exported in PKCS12 format, as both the private and public keys are required for this to work. It is then imported into your Personal certificate store.

The same Captive Portal policies apply as shown below.

Create the Certificate Profile to use for client certificate authentication. Insert both the Trusted Root CA and the Intermediate CA under the CA Certificates option. The Username Field will be 'Subject', defaulting to common-name. You can modify this option to help identify your users. As mentioned, we'll be using the CN 'renato' to identify the Captive Portal user by choosing Subject in the Username Field.

Enable Captive Portal and choose 'Redirect' mode. This enables other fields that require your attention. I'm using the same Trusted Root CA as the server certificate. The CN used was 'cpcaroot.pantac2008.com'. This will be the redirect host configured, and we then point to the client cert profile previously created.

In this example, I have to make sure my host machine knows how to reach 'cpcaroot.pantac2008.com', so I have to configure the hosts file accordingly. This should not be a problem in a production environment if DNS is able to resolve the FQDN defined as your Redirect Host, which should also match the CN of your server certificate.

Windows hosts file output:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    192.168.125.2     cpcaroot.pantac2008.com

In a Vwire deployment using Redirect mode, we'll need to burn an L3 interface on the PA device to get this functional. The interface is assigned to the L3-Trust zone and has a management profile enabled with, at the very least, response pages. Notice that the IP address used is 192.168.125.2, which is what my system will be redirected to once Captive Portal is triggered, given the use of the CN 'cpcaroot.pantac2008.com' in the Captive Portal Server Certificate.

Also, keep in mind that the redirect host will need to be in the same broadcast domain as the client so that it will respond to ARP requests accordingly.
If the Captive Portal redirect interface is outside of the client's broadcast domain and the traffic needs to traverse the v-wire, you will need to create an exception policy that allows the traffic destined to this interface through without Captive Portal intervention.

Here's the screenshot of the host attempting to open a socket to www.google.com. The browser then submits the client cert to the PA device, as we're using client certificate authentication instead of LDAP in this scenario. I subsequently redirect the browser to www.jimmyr.com; I'm now presented with the web page and Captive Portal has identified me as 'renato' per my client certificate.

Previously seen as unknown for 192.168.125.223:

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.223 vsys1  Unknown unknown                          2              5
    Total: 1 users

Upon completing the client certificate authentication, the PA now reflects the following:

    admin@lab-26-PA5050> show log system direction equal backward
    2015/01/27 09:05:58 info     general        general 0  User admin logged in via CLI from 192.168.125.223
    2015/01/27 09:05:58 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.223.
    2015/01/27 09:05:40 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.223, vsys1
    2015/01/27 09:05:40 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.223.

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.223 vsys1  CP      renato                           899            3518
    192.168.125.111 vsys1  CP      rkalugdan                        261            1037
    Total: 2 users

    admin@lab-26-PA5050> show session id 33571113

    Session        33571113

        c2s flow:
            source:      192.168.125.223 [vtrust]
            dst:         216.58.216.2
            proto:       6
            sport:       51049           dport:      80
            state:       ACTIVE          type:       FLOW
            src user:    renato   <======================================================
            dst user:    unknown

        s2c flow:
            source:      216.58.216.2 [vuntrust]
            dst:         192.168.125.223
            proto:       6
            sport:       80              dport:      51049
            state:       ACTIVE          type:       FLOW
            src user:    unknown
            dst user:    renato

        DP                                   : 1
        index(local):                        : 16681
        start time                           : Tue Jan 27 09:05:41 2015
        timeout                              : 3600 sec
        time to live                         : 3580 sec
        total byte count(c2s)                : 3637
        total byte count(s2c)                : 9854
        layer7 packet count(c2s)             : 10
        layer7 packet count(s2c)             : 14
        vsys                                 : vsys1
        application                          : web-browsing
        rule                                 : vwire
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : web-advertisements
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/6
        egress interface                     : ethernet1/4
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

Here's an example of client certificate authentication using an Ubuntu client with Firefox as the browser. I've installed the Root CA and intermediate certificate in the trusted store for Firefox, whereas the client certificate is associated with the 'Your Certificates' store.

Here's Firefox presenting the client certificate upon the user's attempt to access www.jimmyr.com.

Finally, the originally requested website is presented to the user.

PA CLI output of the syslog and ip-user-mapping below:

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.111 vsys1  CP      renato                           893            3561
    Total: 1 users

    admin@lab-26-PA5050> show log system direction equal backward
    Time Severity Subtype Object EventID ID Description
    ===============================================================================
    2015/01/27 13:24:07 info     general        general 0  Accepted keyboard-interactive/pam for admin from 192.168.125.111 port 50672 ssh2
    2015/01/27 13:23:45 info     general        general 0  User admin logged in via CLI from 192.168.125.111
    2015/01/27 13:23:44 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.111.
    2015/01/27 13:23:11 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.111, vsys1
    2015/01/27 13:23:11 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.111.

The following is an example from a MacOS client using the Chrome browser.
We've copied the same certs using Keychain Access into the Certificates and My Certificates folders respectively.

As you can see once again, the PA is requesting client certificate authentication and Chrome is presenting the client certificate as expected.

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.113 vsys1  Unknown unknown                          3              6
    Total: 1 users

    admin@lab-26-PA5050> show user ip-user-mapping all

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    192.168.125.113 vsys1  CP      renato                           899            3585
    Total: 1 users

    Time Severity Subtype Object EventID ID Description
    ===============================================================================
    2015/01/27 13:00:40 info     general        general 0  WildFire update job succeeded  for user Auto update agent
    2015/01/27 13:00:39 info     general        general 0  Wildfire package upgraded from version <unknown version> to 51969-58674 by Auto update agent
    2015/01/27 13:00:37 info     general        general 0  Installed wildfire package: panup-all-wildfire-51969-58674.tgz
    2015/01/27 13:00:35 info     general        general 0  WildFire version 51969-58674 downloaded by Auto update agent
    2015/01/27 13:00:34 info     general        general 0  Connection to Update server:  completed successfully, initiated by 10.46.32.26
    2015/01/27 13:00:23 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
    2015/01/27 13:00:21 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
    2015/01/27 13:00:20 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.113, vsys1
    2015/01/27 13:00:20 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.113.
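The walkthrough above verifies each client by eyeballing "show user ip-user-mapping all" before and after the Captive Portal challenge. The following is an added example (not part of the original article or the firewall's own tooling) that parses that table into records and confirms the transition from an Unknown/unknown entry to a CP-sourced mapping for the expected user, so the check can be scripted against CLI output captured from the firewall. The two sample outputs are constructed here, modelled on the outputs shown above; the "From" column is the mapping source (Unknown, CP, etc.).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, modelled on the "show user ip-user-mapping all"
# tables shown above (before and after Captive Portal authentication).
BEFORE = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  Unknown unknown                          2              5
Total: 1 users
"""

AFTER = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  CP      renato                           899            3518
192.168.125.111 vsys1  CP      rkalugdan                        261            1037
Total: 2 users
"""

# One data row: IPv4, vsys, source, user, idle timeout, max timeout.
ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_ip_user_mapping(text: str) -> List[Dict[str, object]]:
    """Parse the table into records; header, separator and 'Total:' lines do not match ROW."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            records.append({
                "ip": m["ip"], "vsys": m["vsys"], "source": m["source"],
                "user": m["user"], "idle": int(m["idle"]), "max": int(m["max"]),
            })
    return records


def unknown_hosts(records: List[Dict[str, object]]) -> List[str]:
    """IPs that still have no identified user (these are the ones Captive Portal should catch)."""
    return [r["ip"] for r in records if r["source"] == "Unknown" or r["user"] == "unknown"]


def cp_mapped_as(records: List[Dict[str, object]], ip: str, expected_user: str) -> bool:
    """True when ip is mapped by Captive Portal (From == CP) to exactly the expected user."""
    return any(r["ip"] == ip and r["source"] == "CP" and r["user"] == expected_user
               for r in records)


def mapping_changes(before: str, after: str) -> Dict[str, Tuple[Optional[tuple], tuple]]:
    """Per IP, (old (source, user) or None, new (source, user)) for entries that changed or appeared."""
    old = {r["ip"]: (r["source"], r["user"]) for r in parse_ip_user_mapping(before)}
    new = {r["ip"]: (r["source"], r["user"]) for r in parse_ip_user_mapping(after)}
    return {ip: (old.get(ip), new[ip]) for ip in new if old.get(ip) != new[ip]}


if __name__ == "__main__":
    for ip, (was, now) in mapping_changes(BEFORE, AFTER).items():
        print(f"{ip}: {was} -> {now}")
```

The check is deliberately strict about the source column: a user mapped for the same IP by a different mechanism (for example an agent) would not satisfy `cp_mapped_as`, which is what you want when validating that the Captive Portal path itself is working.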
gswcowboy 09-14-2018 11:44 AM
Issue

The User-ID Agent contains an ignore-list.txt file with the list of users that need to be ignored, and also has NetBIOS probing enabled. The firewall should not be aware of the users in the ignore-list file; those users should instead be redirected to a Captive Portal page for web authentication.

This occurs when the user logs in to the same host machine twice: first using regular corporate credentials that are not included in the ignore-list.txt file, and a second time with one of the usernames included in the ignore-list.txt file, for example ignore-this-user1. When this happens, the User-ID Agent does not update the mapping by binding the host's IP to the new username and ignores it, which further implies that the association with the previous user stays on the firewall.

The newly logged-in user can pass through the firewall without being redirected to the Captive Portal authentication page.

Cause

This occurs when the client doesn't perform a proper log-off and log-on but instead just switches from one username to another on a Windows host machine. In that case, the Windows machine can preserve both users and reply with both usernames to the NetBIOS probe. In the example below, we can see the host machine replying with both usernames, one after another, making the User-ID Agent believe that the old user is still logged in and active:

    04/24/15 10:46:03:652[Verbo 398]: tid 4288: NetBIOS user enumeration on IP 192.168.178.175: tac-emea\ignore-this-user1   <<<<<<<<<<< new user
    04/24/15 10:46:03:652[Verbo 398]: tid 4288: NetBIOS user enumeration on IP 192.168.178.175: tac-emea\ dragoslav <<<<<<<<<<< old user
    04/24/15 10:46:03:652[Debug 480]: tid 4288: NetBIOS query found IP 192.168.178.175 with username europe\ dragoslav.
    04/24/15 10:46:03:652[Debug 132]: Done probing IP 192.168.178.175, tid 4288, jobID 7895710.
    04/24/15 10:46:03:652[Verbo 190]: pool(probing): thread 4288 finished work 7895710
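The agent log above is the only place this condition shows up, so it is worth detecting from the log rather than waiting for a user to report that an ignore-listed account was never challenged. The following is an added example (not from the article or the User-ID Agent itself) that reads User-ID Agent probe log lines, collects every username a host returned to NetBIOS enumeration, and flags hosts where an ignore-listed name was returned but the agent ended up mapping a non-ignored user. The log lines and the ignore-list.txt content are constructed here, modelled on the excerpt above; the line formats are assumed from that excerpt.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of User-ID Agent log lines, modelled on the excerpt above.
# 192.168.178.175 answers with two users (the second one is what the agent keeps);
# 192.168.178.180 is a normal single-user host.
SAMPLE_LOG = r"""
04/24/15 10:46:03:652[Verbo 398]: tid 4288: NetBIOS user enumeration on IP 192.168.178.175: tac-emea\ignore-this-user1
04/24/15 10:46:03:652[Verbo 398]: tid 4288: NetBIOS user enumeration on IP 192.168.178.175: tac-emea\dragoslav
04/24/15 10:46:03:652[Debug 480]: tid 4288: NetBIOS query found IP 192.168.178.175 with username europe\dragoslav.
04/24/15 10:46:03:652[Debug 132]: Done probing IP 192.168.178.175, tid 4288, jobID 7895710.
04/24/15 10:46:05:101[Verbo 398]: tid 4290: NetBIOS user enumeration on IP 192.168.178.180: tac-emea\alice
04/24/15 10:46:05:101[Debug 480]: tid 4290: NetBIOS query found IP 192.168.178.180 with username europe\alice.
"""

# Constructed ignore-list.txt content: one plain username per line.
IGNORE_LIST = """
ignore-this-user1
svc-backup
"""

ENUM_RE = re.compile(r"NetBIOS user enumeration on IP (?P<ip>[\d.]+): (?P<user>\S+)")
FOUND_RE = re.compile(r"NetBIOS query found IP (?P<ip>[\d.]+) with username (?P<user>\S+?)\.?$")


def load_ignore_list(text: str) -> Set[str]:
    """Usernames to ignore, lower-cased, blank lines dropped."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def short_name(user: str) -> str:
    """'domain\\user' -> 'user' (lower-cased), since ignore-list entries carry no domain."""
    return user.rsplit("\\", 1)[-1].lower()


def parse_probe_log(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (users enumerated per IP, in log order) and (user the agent finally chose per IP)."""
    enumerated: Dict[str, List[str]] = defaultdict(list)
    chosen: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENUM_RE.search(line)
        if m:
            enumerated[m["ip"]].append(m["user"])
            continue
        m = FOUND_RE.search(line)
        if m:
            chosen[m["ip"]] = m["user"]
    return enumerated, chosen


def find_masked_ignored_users(text: str, ignore_list: Set[str]) -> Dict[str, Dict[str, object]]:
    """Hosts where an ignore-listed user was enumerated but a non-ignored user got mapped.

    On such a host the old mapping survives and the ignore-listed user is never sent to
    Captive Portal, which is exactly the symptom described in the Issue section.
    """
    enumerated, chosen = parse_probe_log(text)
    findings = {}
    for ip, users in enumerated.items():
        ignored = [u for u in users if short_name(u) in ignore_list]
        mapped = chosen.get(ip)
        if ignored and mapped and short_name(mapped) not in ignore_list:
            findings[ip] = {"ignored_seen": ignored, "mapped_user": mapped}
    return findings


if __name__ == "__main__":
    for ip, info in find_masked_ignored_users(SAMPLE_LOG, load_ignore_list(IGNORE_LIST)).items():
        print(f"{ip}: mapped as {info['mapped_user']} although {info['ignored_seen']} also answered")
```

Run it against the agent's debug log (File > Show Logs on the agent, with Verbose enabled so the per-user enumeration lines are present). A non-empty result identifies hosts where the fix is procedural: the user has to log off properly rather than switch accounts, or the host belongs in the probing ignore list.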
djoksimovic 08-28-2018 10:33 AM
Before installing User-ID, run through the following checklist:

- Determine the machine the user-agent will be installed on: Windows XP, Windows 7, Windows 8 or Windows Server 2003/2008/2012. It needs network connectivity to the DCs and to the management port of the firewall, and must be a member of the domain.
- Determine which user account can be used by the user-agent to query the domain. This account needs the user right to read the security logs on the domain controllers. The Domain Admins group has this right, but a new group can be created in AD that has this right added to basic user rights.
- Determine which domain (with corresponding domain controllers) the user-agent will be querying. One user-agent is required for each domain and can handle a maximum of 64000 users in a domain.

Steps

Installing and Configuring the User-ID Agent

1. Select a PC in the domain to install the user-agent software.
2. Download and install the latest version of the user-agent from https://support.paloaltonetworks.com
3. Configure the user-agent service to run under a different account than the Local System account, which is selected by default. This user account must have access to read security logs and to NetBIOS-probe other machines. To get to the service: Admin Tools > Services > PAN Agent > Log On > switch from Local System to "This account", then select the user that will be used for this service.
4. Restart the PAN Agent service.
5. Start the user-agent GUI: Start > Programs > Palo Alto Networks > User Identification Agent, then click Configure in the top right corner.
6. Fill in the following information:
   - Domain name - FQDN of the domain, for example, acme.com.
   - Port number of your choosing - any port number not currently used on this machine. Make sure the local machine does not have any firewall that is blocking inbound connections to that port.
   - Domain controller IP addresses - add all the DCs in the domain. Users can be authenticated by any DC in the domain, so you can enter up to 10 IP addresses.
   - Allow list - subnets that contain users to track.
   - Ignore list - IP address of the terminal server, and any other machines that could potentially have multiple users logged in simultaneously.
7. If NetBIOS is not allowed on the network, disable NetBIOS probing. For more accurate IP-to-user mapping support, disable NetBIOS probing.
8. Click OK.
9. You can monitor the agent status window in the top left corner, which should display no errors. Other messages: "Connection failed. Please start the PAN agent service first." / "Reading domain name\enterprise admins membership." / "No errors."
10. To confirm that the server running the user-agent is listening on the port configured above, run the following command on the PC:

        netstat -an | find "xxxx"

Configuring the firewall to communicate with the User-ID Agent

1. Log into the Palo Alto Networks firewall and go to Device > User Identification.
2. Configure the Name, Host (IP address) and Port of the User-ID Agent.
3. Enable user identification on each zone to be monitored. On the Network > Zones page, edit the appropriate zones. In the bottom left corner of the Zone properties page, check the box to Enable User Identification.
4. Commit the changes.
5. To confirm connectivity, run this command via the CLI of the PAN firewall, which should return state connected, ok:

        show pan-agent statistics

6. To view currently logged-in users, run:

        debug dataplane show user all

Testing

To make sure everything is working, create a new security rule. You should be able to select users or groups.

owner: jnguyen
jnguyen 06-28-2018 05:41 AM
User-ID Agent requirements:

- Must be running on a Windows 2008 or 2003 Server that is a member of the domain in question. Although the User-ID Agent can be run directly on the AD server, it is not recommended.
- The service must be running as a domain account that has local administrator permissions on the User-ID Agent server.
- The service account must have permission to read the security log. In Windows 2008 and later domains, there is a built-in group, "Event Log Readers", that provides sufficient rights for the agent. In earlier versions of Windows, the account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations.
- If using WMI probes, the service account must have the rights to read the CIMV2 namespace on the client workstation. The User-ID Agent account needs to be added to the "Remote Desktop Users" group. Domain Admins have this by default.
- If using only one User-ID Agent, make sure it includes all domain controllers in the discovery list.
- The domain controller (DC) must log "successful login" information.

The User-ID Agent monitors the domain controllers for the following events:

Windows 2003
- 672 (Authentication Ticket Granted, which occurs at the logon moment)
- 673 (Service Ticket Granted)
- 674 (Ticket Granted Renewed, which may happen several times during the logon session)

Windows 2008
- 4768 (Authentication Ticket Granted)
- 4769 (Service Ticket Granted)
- 4770 (Ticket Granted Renewed)
- 4624 (Logon Success)

For account logon, the DC records event ID 672 as the first logon for the authentication ticket request. No relevant account log-off event is recorded. If NetBIOS probing is enabled, any connection to a file or print service on a server in the Monitored Server list is also read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases, the newer event for user mapping overwrites older events.

If WMI probing is enabled, make sure the probing interval is set to a reasonable value for the number of workstations it may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval of 10 minutes. Both settings are under User Identification > Setup > Client Probing on the User-ID Agent.

In some cases the WMI probe will fail because the workstation may be running a local firewall or may not be a member of the domain. If this happens, the mapping can be deleted once the cache timeout is exceeded, even though the workstation is up and passing traffic. To test, run the following command from the User-ID Agent; it should return the user currently logged in to that computer:

    wmic /node:workstationIPaddress computersystem get username

Windows firewalls can be set using these commands locally on the workstation or server if remotely configuring the firewall is not possible.

For Windows XP/Windows Server 2003:

    netsh firewall set service RemoteAdmin enable

For Windows Vista/Windows Server 2008 (note that the command should be executed in an elevated command prompt):

    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

If you are not confident the workstations will respond to WMI probes, set the User-ID cache timeout to a higher value, since the mapping will then depend on the users' login events. In this case, if the cache timeout is exceeded after the initial login event, the mapping will be deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User-ID Agent.

Confirm that all the domain controllers are in the list of servers to monitor. If not, not all the user-to-IP mappings may be included, since any domain controller can potentially authenticate the users. Confirm the domain controller list is accurate by running the following command from a domain controller (it prints a list of your DCs):

    dsquery server -o rdn

Remove any DCs that no longer exist. Confirm that User-ID is enabled on the zone where the traffic is sourced. This setting is under Network > Zones.

Helpful commands on the firewall

Status of the agent and connection statistics:

    show user user-id-agent state all

Display IP mappings:

    show user ip-user-mapping all

Display a single IP mapping with details, including group info:

    show user ip-user-mapping ip IPaddress

Display the groups being parsed on the firewall:

    show user group list

Display the members of a group according to the firewall (the name will be the DN):

    show user group name "group name"

Delete a group mapping and rebuild it:

    debug user-id clear group "group name"
    debug user-id refresh group-mapping all

See Also
Getting Started: User-ID
How to Configure Agentless User-ID

owner: jteetsel
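Two points in this article are easy to get wrong in practice: which domain controller events actually feed the mapping (and the fact that log-off events never do), and what the cache timeout does to a mapping that is not refreshed by a newer event or a successful probe. The following is an added example (not code from the article or from the User-ID Agent) that models both rules with the event IDs listed above: the newest relevant event per IP wins regardless of the order in which events are read, irrelevant events are skipped, and a mapping older than the cache timeout is dropped. The events are constructed; event 4634 appears only as an example of a log-off event the agent does not consume.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Logon-related security events the agent reads, as listed in the article.
LOGON_EVENTS_2003 = {
    672: "Authentication Ticket Granted",
    673: "Service Ticket Granted",
    674: "Ticket Granted Renewed",
}
LOGON_EVENTS_2008 = {
    4768: "Authentication Ticket Granted",
    4769: "Service Ticket Granted",
    4770: "Ticket Granted Renewed",
    4624: "Logon Success",
}
RELEVANT_EVENTS = {**LOGON_EVENTS_2003, **LOGON_EVENTS_2008}


class DcEvent(NamedTuple):
    time: datetime
    event_id: int
    user: str
    ip: str


class Mapping(NamedTuple):
    user: str
    since: datetime      # time of the event that produced this mapping
    source_event: int


def build_mappings(events: List[DcEvent]) -> Dict[str, Mapping]:
    """IP -> user, where the newest relevant event per IP overwrites older ones.

    Events are sorted by time first, so the result does not depend on the order
    in which the agent happened to read them from several domain controllers.
    """
    mappings: Dict[str, Mapping] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id not in RELEVANT_EVENTS:
            continue  # e.g. a log-off event: the agent records no log-off, so it cannot clear a mapping
        mappings[ev.ip] = Mapping(ev.user, ev.time, ev.event_id)
    return mappings


def expire(mappings: Dict[str, Mapping], now: datetime, cache_timeout: timedelta) -> Dict[str, Mapping]:
    """Drop mappings whose last refreshing event is older than the cache timeout."""
    return {ip: m for ip, m in mappings.items() if now - m.since < cache_timeout}


# Constructed sample: one workstation that changes hands, one 2003-style DC event.
T0 = datetime(2015, 1, 27, 8, 0, 0)
SAMPLE_EVENTS = [
    DcEvent(T0, 4768, "corp\\alice", "10.0.0.5"),
    DcEvent(T0 + timedelta(minutes=5), 4769, "corp\\alice", "10.0.0.5"),
    DcEvent(T0 + timedelta(minutes=30), 4634, "corp\\alice", "10.0.0.5"),  # log-off: ignored by the agent
    DcEvent(T0 + timedelta(minutes=40), 4624, "corp\\bob", "10.0.0.5"),    # newer logon overwrites alice
    DcEvent(T0 + timedelta(minutes=10), 672, "corp\\carol", "10.0.0.9"),   # Windows 2003 DC
]


if __name__ == "__main__":
    current = build_mappings(SAMPLE_EVENTS)
    for ip, m in current.items():
        print(f"{ip} -> {m.user} (event {m.source_event} at {m.since:%H:%M})")
    still_valid = expire(current, T0 + timedelta(hours=1), timedelta(minutes=45))
    print("after 45 min cache timeout:", sorted(still_valid))
```

The `expire` step is why the article tells you to raise the cache timeout when WMI probes cannot be relied on: in the sample, carol's mapping at 10.0.0.9 disappears after 45 minutes even though nothing says she logged off, because no newer event or probe refreshed it.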
PANW1337 06-28-2018 05:36 AM
Steps

1. Click Device.
2. Under Server Profiles, click LDAP.
3. Click Add to bring up the LDAP Server Profile dialog.
4. Enter the server name, IP address and port (389 for LDAP).
5. Select the LDAP server type from the drop-down menu.
6. Enter the Base Distinguished Name for the domain.
7. Enter the Bind DN and Bind Password for the service account.
8. Uncheck the SSL checkbox (SSL can be used if the Domain Controller will listen for LDAP over SSL on port 636).
9. Commit the changes.

owner: bnelson
bnelson 06-26-2018 03:19 AM
Details

The Palo Alto Networks LDAP Proxy feature sources LDAP traffic destined for the firewall's configured LDAP server addresses (Windows Active Directory, eDirectory, LDAP) from a User-ID Agent installed on a Windows server. Without LDAP proxy, this traffic is sourced directly from the management interface or the configured service route.

When LDAP proxy is enabled, the firewall communicates with the User-ID Agent via the standard SSL connection between the User-ID Agent and the Palo Alto Networks firewall. The agent then performs the LDAP queries requested by the firewall and sends the replies back to the firewall.

With PAN-OS 4.1 and later, all the configuration for this feature is on the firewall if connecting to a Windows domain controller. Configure both an LDAP server profile and a group mapping profile just as if the firewall will be sourcing the LDAP traffic. After creating those profiles, check Use as LDAP Proxy and commit.

After a commit, all LDAP traffic normally sourced from the firewall will be sourced from the configured User-ID Agent.

owner: dbraswell
DavePATS 04-11-2018 06:55 AM
Overview Before installing the Terminal Server (TS) Agent, make sure that the following requirements are met : Verify the requirements in the Release Notes of the version of Terminal Server (TS) Agent to be installed. The administrator on the terminal server needs to install the TS Agent. The TS Agent should be configured to be started only by the administrator in order to prevent other remote logon users from controlling it. For the TS Agent to successfully install the necessary driver. Note that the installer must have administrator rights. The Windows firewall on the machine where TS Agent is installed needs to be disabled.   Steps Installation The install will first check to see if the TS Agent is compatible with the operating system it is being installed on. If the operating system is not compatible, it will pop up with the error message similar to the following: The TS agent installer will request a destination folder for the install. For a new installation the administrator does not need to reboot the system; however, without reboot, the TS Agent can only identify the new outbound TCP/UDP traffic. For the TCP/UDP traffic occurring before the installation, the Palo Alto Networks TS Agent can not identify the users. Configuration of the TS Agent on Terminal Server Main Panel The TS Agent Controller is the application used on the Terminal Server for configuration and verification of agent status. The main panel will show Connection List which displays each PAN device connected to the TS agent as well as the device access control list.By default Device Access Control list is disabled. Enable this option if you want to specify which PAN device the TS Agent will listen to. The TS agent will ONLY accept incoming connections from the devices in the allow list. Configure Panel Listening Port: The port that the TS Agent communicates on the Palo Alto Networks device with. Source port allocation range: Range of source ports users will be able to pull from. 
Reserved Source Ports: Ports that need to be excepted from the source port range because another service running on the Terminal Server needs it to communicate with. Port Allocation Start Size Per User: Minimum port allocation for new user port lease. Port allocation Maximum Size Per User: Maximum port allocation for user port lease. Fail port binding when available ports are used up: Prevents over lapping port allocations. Monitor Panel The monitor operation from the navigation window displays all of the current users and port allocations. The “Ports Count” show the current used ports for the user. The Ports Count can be refreshed by clicking the “Refresh Ports Count”. You can also manually set a refresh internal by selecting the check box “Refresh Interval”. Configure of the TS Agent on Palo Alto Networks Device The Palo Alto Networks device needs to be configured with the following information: IP Address: IP address of the server where TS Agent installed on. Port: TS Agent listening port which should match what is configured on TS Server. IP List (optional): Terminal server source IP list if the terminal server has multiple source IPs, max of 8 IPs. Commit the changes on the firewall Troubleshooting Hints The TS Agent maintains a log file which is very useful for troubleshooting. In case there is an issue with the TS Agent, these logs should be collected and sent to the TAC Support Team. The log file can be viewed on the TS Agent using File > Show Logs. To enable detailed information on the User-ID Agent operation, go to File > Debug and select Verbose.  The logs will now display more detailed messages.   
Useful CLI commands
Configure terminal server agent:
# set ts-agent <name> <options>
where <options> include:
  ip-address   terminal server agent ip address
  port         terminal server agent listening port
  ip-list      terminal server alternative ip list

Show terminal server agent status:
> show user ts-agent statistics
IP Address  Port Vsys  State     Users
-------------------------------------------------------------
10.1.200.1  5009 vsys1 connected 8
10.16.3.249 5009 vsys1 connected 10

> show user ip-port-user-mapping all
User  IP-Address Vsys  Port-Range
----------------------------------------------------------------------------
test1 10.1.200.1 vsys1 20000-20500
test2 10.1.200.1 vsys1 20500-21000
                       21500-22000
test3 10.1.200.1 vsys1 21000-21500

The TS Agent may need to look up a Palo Alto Networks User-ID Agent or group mapping data to get the group information for a specific domain user.

Other CLI commands
The User-ID Agent's "enable-user-identification" and "User Identification ACL" configuration commands also apply to the TS Agent. This means that if the user-identification feature is enabled, both the User-ID Agent and TS Agent features will be enabled.

owner: panagent
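The port-lease model behind the ip-port-user-mapping table above, as an added Python illustration (not Palo Alto Networks code): a small allocator that applies the Configure Panel settings (allocation range, reserved ports, start and maximum size per user, fail-when-exhausted) and resolves a flow's source port back to a user the way the firewall does. The range 20000-22000, block size 500 and per-user maximum 1000 are assumptions chosen to reproduce the article's table.

```python
from dataclasses import dataclass, field


@dataclass
class TsPortAllocator:
    """Leases blocks of source ports to users of one terminal server and
    answers the firewall's question: which user owns (source IP, source port)?"""
    server_ip: str
    range_start: int = 20000          # "Source port allocation range" (assumed values)
    range_end: int = 22000            # exclusive upper bound
    reserved: set = field(default_factory=set)   # "Reserved Source Ports"
    start_size: int = 500             # "Port Allocation Start Size Per User"
    max_size: int = 1000              # "Port Allocation Maximum Size Per User"
    fail_when_exhausted: bool = True  # "Fail port binding when available ports are used up"
    leases: dict = field(default_factory=dict)   # user -> [(lo, hi), ...], hi exclusive

    def _taken(self):
        """Every port that is reserved or already leased to someone."""
        taken = set(self.reserved)
        for blocks in self.leases.values():
            for lo, hi in blocks:
                taken.update(range(lo, hi))
        return taken

    def _free_block(self, size):
        """Lowest block of `size` consecutive ports that are neither reserved nor leased."""
        taken = self._taken()
        lo = self.range_start
        while lo + size <= self.range_end:
            conflict = next((p for p in range(lo, lo + size) if p in taken), None)
            if conflict is None:
                return lo, lo + size
            lo = conflict + 1           # any window starting at or before the conflict is unusable
        return None

    def allocate(self, user):
        """Lease one more block of start_size ports to `user`; returns (lo, hi)."""
        owned = sum(hi - lo for lo, hi in self.leases.get(user, []))
        if owned + self.start_size > self.max_size:
            raise RuntimeError(f"{user} already holds the per-user maximum of {self.max_size} ports")
        block = self._free_block(self.start_size)
        if block is None:
            if self.fail_when_exhausted:
                raise RuntimeError("source port range exhausted; refusing to overlap leases")
            # Without the check box an overlapping lease would make the user mapping ambiguous.
            block = (self.range_start, self.range_start + self.start_size)
        self.leases.setdefault(user, []).append(block)
        return block

    def release(self, user):
        """Return all of `user`'s ports to the pool (user logged off the terminal server)."""
        self.leases.pop(user, None)

    def lookup(self, src_ip, src_port):
        """Resolve a flow's source port to a user, as the ip-port-user-mapping table does."""
        if src_ip != self.server_ip:
            return None
        for user, blocks in self.leases.items():
            if any(lo <= src_port < hi for lo, hi in blocks):
                return user
        return None


def demo():
    """Rebuild the mapping table from the article's CLI output (constructed logon sequence)."""
    alloc = TsPortAllocator("10.1.200.1")
    for user in ("test1", "test2", "test3"):
        alloc.allocate(user)
    alloc.allocate("test2")                 # test2 needs more ports: second block 21500-22000
    try:
        alloc.allocate("test4")             # pool is now empty: binding fails instead of overlapping
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {
        "leases": dict(alloc.leases),
        "user_for_21700": alloc.lookup("10.1.200.1", 21700),
        "user_for_other_ip": alloc.lookup("10.16.3.249", 21700),
        "exhausted": exhausted,
    }


if __name__ == "__main__":
    print(demo())
```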
nrice ‎04-11-2018 06:53 AM
Overview
The Palo Alto Networks firewall can retrieve user-to-group mapping information from an LDAP server, such as Active Directory or eDirectory. The data can be retrieved through LDAP queries from the firewall (via agent-less User-ID, introduced in PAN-OS 5.0) or by a User-ID Agent that is configured to proxy the firewall's LDAP queries. This document describes how to configure Group Mapping on a Palo Alto Networks firewall.

Steps
1. Configure the LDAP server profile: How to Configure LDAP Server Profile
2. Configure how groups and users are retrieved from the LDAP directory by creating a new group mapping entry: navigate to the Device > User Identification > Group Mapping Settings tab and click 'Add'. Refer to the screenshot below.
3. Enter a Name. On Palo Alto Networks firewalls that support multiple virtual systems, a drop-down list (Location) will be available to select from.
4. Specify the LDAP server profile (configured in step 1) in the drop-down list under the Server Profile tab.
Note: All Attributes and ObjectClasses will be populated based on the directory server type you selected in the "LDAP Server Profile".
5. The default update interval for user group changes is 3600 seconds (1 hour). Enter a value to specify a custom interval.
6. Go to the Group Include List tab. Leave the include list blank if you want to include ALL groups, or select the groups to be included from the left column that should be mapped.

CLI commands to check the groups retrieved and the connection to the LDAP server:
> show user group-mapping state all
> show user group list
> show user group name <group name>

owner: apasupulati
apasupulati ‎01-22-2018 01:47 AM
Overview
PAN-OS 6.0 introduced the ability to use the Palo Alto Networks firewall and the User-ID Agent as a syslog listener for collecting syslogs from different systems in the network, and to map users to IP addresses. The user-to-IP mappings can then be used in security rules and policies. The version of PAN-OS on the firewall and the version of the User-ID Agent should be at least 6.0.
Note: The version of PAN-OS on the firewall should be the same as or higher than the version of the User-ID Agent, but preferably the same.

This document describes how to configure a custom syslog sender on the User-ID Agent installed on a Windows server. For a similar configuration on the Palo Alto Networks firewall, see: How to Configure a Custom Syslog Sender and Test User Mappings.

While the firewall is able to use predefined filters as a syslog sender on the User-ID Agent, the administrator needs to create filters matching the logs generated by the network system. As a prerequisite to this configuration, it is assumed that the User-ID Agent is connected to the firewall and the user-ip-mappings have been sent to the connected Palo Alto Networks devices.

Additional requirements:
- Knowledge of the syslog sender logs
- Knowledge of the IP address of the sender
- Knowledge of available ports on the server that can be used for accepting the logs
- Knowledge of the domain on which the users are connecting, and whether a "domain\" notation is used when logging in
- Decision between using a Field Identifier or a Regex Identifier

Steps
Analysis of the logs:
Take a section of the log and try to find the fields needed for user-ip mapping. These fields need to include the username, the IP address, the delimiters and the 'Event String'. The event string tells the firewall that a specific user has successfully logged in and that it needs to collect the username and the IP address and add them to the user-ip-mappings database.

The following syslog example shows a log from an Aruba wireless controller:
2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67
2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=jovan MAC=78:f5:fd:dd:ff:90 IP=10.200.27.68 role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF
2013-03-20 12:56:57 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1209853ab111018 MAC=c0:9f:42:b4:c5:78 IP=10.200.36.176 role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest
2013-03-20 12:57:13 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1109853ab111008 MAC=00:88:65:c4:13:55 IP=10.200.40.201 role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest

From the analysis of the above log sample (a syslog output), the parsing can be handled using Field Identifiers:
- As the Event String, search for the 'User Authentication Successful' string
- As the username prefix use: 'username='
- As the username delimiter: 'empty space'
- As the address prefix: 'IP='
- As the address delimiter: 'empty space'
NOTE: 'Empty space' means using the space bar on the keyboard.

Configuration:
Define the Syslog Parser Profile, which will be used for the Syslog events that are sent to the firewall's listener.
On the User-ID Agent go to: Setup > Edit > Syslog
- Select the port to listen on for new syslog messages
- Add a new Syslog Parser Profile
- Add an appropriate Profile Name and Description (if needed)
- Select the appropriate Type of parser (the Field Identifier is configured in this example)
- Enter the details as determined from the analysis done before
- Do not forget to enable the Syslog Service
The fully configured syslog filter should look like this:

Configure the server in the list of monitored servers:
- Go to User ID > Discovery, and add a new server
- Enter the Name and the IP address, and choose Syslog Sender as the Server Type
- Under Filter, select the filter that was defined in the previous step
- Add a Default Domain Name if needed (if this is added, the domain will be prepended to all of the users that are discovered using this server connection)
- Commit the changes to the User-ID Agent
- Confirm that the server is listening on the defined port (use the 'netstat' command in the cmd on the server)
- Check that the logs are being received from the syslog sender and that the mapping is generated on the User-ID Agent
- On the firewall, check that the mappings are being received from the User-ID Agent. These mappings will be of User-ID Agent type, because they were collected from the User-ID Agent and given to the firewall.

owner: ialeksov
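The Field Identifier matching described in the analysis and configuration steps above, as an added Python illustration (not User-ID Agent code): it applies the event string, prefixes and delimiters derived from the Aruba sample to the article's log lines plus one constructed non-login line, and builds the user-to-IP table, including the optional Default Domain Name prefix. The IPv4 sanity check on the extracted address is an added assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FieldIdentifierProfile:
    """The fields of a Syslog Parser Profile of type Field Identifier."""
    event_string: str            # substring that marks a successful login event
    username_prefix: str
    username_delimiter: str      # 'empty space' in the article
    address_prefix: str
    address_delimiter: str
    default_domain: Optional[str] = None   # "Default Domain Name" on the monitored server


# Values derived from the Aruba log analysis above.
ARUBA_PROFILE = FieldIdentifierProfile(
    event_string="User Authentication Successful",
    username_prefix="username=",
    username_delimiter=" ",
    address_prefix="IP=",
    address_delimiter=" ",
)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _field(line: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text between `prefix` and the next `delimiter`, or to end of line when no delimiter follows."""
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = line.find(delimiter, start)
    return line[start:] if end < 0 else line[start:end]


def parse_event(line: str, profile: FieldIdentifierProfile):
    """Return (user, ip) for a login event, or None when the line does not match the profile."""
    if profile.event_string not in line:
        return None                      # not a login event: silently ignored
    user = _field(line, profile.username_prefix, profile.username_delimiter)
    ip = _field(line, profile.address_prefix, profile.address_delimiter)
    if not user or not ip or not IPV4.match(ip):
        return None                      # malformed field: no mapping is created
    if profile.default_domain and "\\" not in user:
        user = f"{profile.default_domain}\\{user}"   # Default Domain Name is prepended
    return user, ip


def build_mappings(lines, profile: FieldIdentifierProfile):
    """IP -> user table; a later login from the same IP replaces the earlier mapping."""
    table = {}
    for line in lines:
        parsed = parse_event(line, profile)
        if parsed:
            user, ip = parsed
            table[ip] = user
    return table


# Sample input: the four events from the article plus one constructed failed-login line.
SAMPLE_LOG = [
    "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67",
    "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=jovan MAC=78:f5:fd:dd:ff:90 IP=10.200.27.68 role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF",
    "2013-03-20 12:56:57 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1209853ab111018 MAC=c0:9f:42:b4:c5:78 IP=10.200.36.176 role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest",
    "2013-03-20 12:57:13 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1109853ab111008 MAC=00:88:65:c4:13:55 IP=10.200.40.201 role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest",
    # constructed: a failed login must not produce a mapping
    "2013-03-20 12:58:00 local4.notice Aruba-Local3 authmgr[1568]: <522009> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Failed: username=nobody MAC=00:00:00:00:00:01 IP=10.200.27.99",
]


if __name__ == "__main__":
    for ip, user in sorted(build_mappings(SAMPLE_LOG, ARUBA_PROFILE).items()):
        print(f"{ip:<16} {user}")
```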
ialeksov ‎12-20-2017 02:59 AM
Overview
This document describes the two primary functions of User-ID:
- Enumeration of users and their associated group membership
- Mapping those users to their current IP addresses

Configuration tips and best practices are also provided in the document.

Note: A "User Group Policy Update Interval" setting in group policies is configurable by the domain administrator. The default value is 90 minutes +/- 30 minutes, so the default value statement is correct.

See Also
Architecting User Identification Deployments
Installation and Provisioning of the User Agent
npiagentini ‎12-20-2017 12:44 AM
"Result: 'FAIL'  Message: 'Bad request timestamp".
mgarg ‎12-18-2017 01:03 PM
Up to PAN-OS 6.1; for later OS versions, see this article

Overview
This document describes how to correctly configure group-mapping to avoid inconsistencies in username format for cross-domain users in a multi-domain Active Directory Domain Services (AD DS) forest. When fetching all objects (users or groups) from any other domain in the forest, use an AD server defined as Global Catalog in group-mapping. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain of the forest.

Important! If not configured properly, some users in group-mapping can end up formatted as fqdn-domain-name/username (dummy.example.com/username) instead of netbios-domain-name/username (dummydomain/username), leading to inconsistencies with the ip-user-mapping fetched from the User-ID Agent or by the agentless User-ID service.

Steps
1. The AD server configured with the Global Catalog role (usually the root domain) needs to be configured under LDAP server profiles. Connect to this server on port 3268 (or 3269 for SSL).
2. As usual, configure the Domain field to have PAN-OS replace the domain name. Leave it blank otherwise.
Note: Be aware that doing this on the Global Catalog will replace the domain name for ALL users and groups fetched from this server, including those from other domains (members of the forest). Only add a domain name into this field if keeping it blank causes problems. For example, if the domain is "acme.local" but "acme" is needed, then enter "acme" in the Domain field.
3. Use this profile to configure the Group-Mapping (and configure the include list if needed).
4. If the Domain Name was not configured manually in step 2, it is mandatory to configure an additional group-mapping using another LDAP server profile, querying the same AD server on the regular port 389 (or 636 for SSL). This operation is mandatory to correctly populate the domain-map used to normalize the user format as netbios_domain_name/username. This profile will only be used to fetch the domain-map; configuring the Domain field is not necessary and it may be left blank. The AD server used here can be another Domain Controller of your forest, as the partition container queried for the domain-map is replicated through all Domain Controllers. Please see the note on Step 2.
5. If Active Directory contains a large number of users and groups, you are advised to configure search filters for users and groups in the GM-AD setting. This mitigates the impact of LDAP query results on the Management-Plane resources for this Group-Mapping. As this Group-Mapping is only used to determine the domain-map, getting and handling the results for users and groups is not necessary.
In this example, search filters are configured with a 'Dummy' string that must be contained in the description field of users and groups, to guarantee that the LDAP query returns 0 results.

See Also: LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

owner: nbilly
nbilly ‎12-01-2017 03:23 AM
Symptoms
Captive portal will not work if an Authentication Sequence is referenced as the Authentication Profile in an Authentication Enforcement object, as shown below:

Diagnosis
Authentication Enforcement objects do not support Authentication Sequences. Only Authentication Profiles with additional factors can be used. If an auth-sequence is added to the Auth Enforcement object, it is treated as no-captive-portal behaviour.

Solution
An Authentication Sequence CAN be used if the default web-form Authentication Enforcement object is used in an Authentication policy and the Authentication Sequence is referenced in Captive Portal Settings under Device -> User Identification, as seen below:
nkajgana ‎11-07-2017 12:49 AM
Steps
To configure Agentless User-ID, first create the service account, then modify and verify security settings.

Configure the following on the Active Directory (AD) Server and the Palo Alto Networks device:
Create the service account in AD, which is used on the device. Be sure the user is part of the following groups:
- Distributed COM Users
- Event Log Readers
- Server Operators
Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information.
In Windows 2003, the service account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named "Event Log Readers" is not available in Windows 2003.

The device uses WMI Authentication, and the user must modify the CIMV2 security properties on the AD server that connects to the device. Run 'wmimgmt.msc' from the command prompt to open the console and select these properties:
From the Security tab on WMI Control Properties:
1. Select the CIMV2 folder.
2. Click Security.
3. Click Add and then select the service account from Step 1.
4. In this case, it is userid@pantac.lab.
5. For this account, check Allow for both Enable Account and Remote Enable.
6. Click Apply.
7. Then click OK.

Back in the Palo Alto Networks WebGUI, select Device > User Identification > User Mapping, then click the edit sprocket in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup. Be sure to use the domain\username format for the username under the WMI Authentication tab, along with valid credentials for that user.
Enable the Server Monitor options (Enable Security Log and Enable Session) as needed. Client probing is enabled by default, so disable it if desired.

If the domain is configured during Setup in the General Settings/Domain field, the user can elect to discover servers with which to connect. If not, manually add a server to the device:

Confirm connectivity through the WebGUI or the CLI:
> show user server-monitor statistics
Directory Servers:
Name                     TYPE  Host                     Vsys   Status
-----------------------------------------------------------------------------
pantacad2003.pantac.lab  AD    pantacad2003.pantac.lab  vsys1  Connected

Confirm that ip-user-mapping is working:
> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- ----------
192.168.28.15   vsys1  AD      pantac\tom                       2576           2541
192.168.29.106  vsys1  AD      pantac\userid                    2660           2624
192.168.29.110  vsys1  AD      pantac\userid                    2675           2638
Total: 3 users

Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.

See also
User-ID Agent Setup Tips

owner: rkalugdan
gswcowboy ‎05-12-2017 08:54 AM
Pre-requisites
You should have a working knowledge of:
- Active Directory
- The User-ID feature on the Palo Alto Networks firewall

Components Used
The information in this document is based on these software and hardware versions:
- Palo Alto Networks VM firewall running PAN-OS 7.1
- Active Directory Services running on a Microsoft 2012 R2 server, configured as a Domain Controller
The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Background
The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain (NetBIOS name). It is used to normalize, or convert, usernames and group names from FQDN to their corresponding NetBIOS domain name format. For example, if 'paloaltonetworks.com' is the FQDN, then its equivalent NetBIOS domain name is 'paloaltonetworks'. In an Active Directory environment, a user who is a member of this domain will have the username paloaltonetworks\username.

Details
Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from Active Directory domain controllers, populates the domain map and then uses it for conversion of FQDN to NetBIOS name. For the sake of simplicity and ease of illustration we'll break the workflow into three phases.

PHASE 1: Retrieving the NetBIOS domain name
The firewall sends the request for the NetBIOS domain name while sending the LDAP partition query during the LDAP refresh, populates its domain map and writes this entry into the dnsnetbios.map file.
- Fetched through a 389/636 LDAP connection (not a Global Catalog one, i.e. 3268 or 3269)
- All Domain Controllers should have this info
- Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,DC=<local|com>
- ADSI Edit: Connect to "Configuration" (ADSI - Active Directory Service Interfaces)
Here's the LDAP partition query response from the Active Directory domain controller to the firewall, showing the:
- Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
- FQDN - 'test.kunaldc.com'
- NetBIOS domain name - 'test'

PHASE 2: Storing the NetBIOS domain name
The 'dnsnetbios.map' file, which contains the FQDN and its NetBIOS domain name, is stored internally in the Linux-based directory structure on the firewall. You can view the domain-map from the command line of the firewall using 'debug user-id dump domain-map'.
The domain map persists across a device reload, even when you've deleted the group mapping profile for the respective domain. Along with this, any NetBIOS domain name once learnt on the firewall continues to persist unless explicitly removed via the CLI command 'debug user-id clear domain-map'.

PHASE 3: Apply the NetBIOS domain name to user groups and members of these groups
The objective of the NetBIOS name is to:
1. Convert 'fqdn\username' formats to the NetBIOS domain name format, i.e. 'netbios\username'.
Eg: Username test is a member of the Active Directory domain 'test.kunaldc.com'; its FQDN name format is 'test.kunaldc.com\testuser'. Once the firewall learns the NetBIOS name of the Active Directory domain, it will convert all FQDN username formats to NetBIOS name formats. Hence the FQDN username format 'test.kunaldc.com\testuser' is converted to 'test\testuser'.
2. Normalize the groups from full DN to short name format. In the absence of the domain map, all AD groups are recognized in their full domain name format. A group named sme_group whose full DN format is 'cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc.com,dc=com' is converted into 'test\sme_group'. Similarly, the user which is a member of sme_group and of the Active Directory domain 'test.kunaldc.com' is also transformed from 'test.kunaldc.com\testuser' to 'test\testuser'.

NOTE
1. The PAN firewall applies the normalization to the users retrieved from ip-user mapping mechanisms (using methods such as User-ID agent, agentless, syslog, XML API etc.) as well as to the users retrieved from Active Directory domain controllers using LDAP.
2. The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup. The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.
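The Phase 3 normalization as an added Python illustration (not PAN-OS code): a domain map keyed by FQDN rewrites 'fqdn\user' and full group DNs to 'netbios\name', leaves unmapped domains untouched (the "absence of the domain map" case), and is applied to ip-user-mapping rows as NOTE 1 describes. The DN parsing rules and the DC components 'dc=test,dc=kunaldc,dc=com' used for the sample group are assumptions.

```python
# Domain map as the article describes it (the Phase 1/2 result): FQDN -> NetBIOS name.
DOMAIN_MAP = {"test.kunaldc.com": "test"}

# Constructed sample group DN; the dc= components are an assumption.
GROUP_DN = "cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc,dc=com"


def learn_domain(domain_map, fqdn, netbios):
    """Phase 1 + 2: record the (FQDN, NetBIOS) pair returned by the LDAP partition query."""
    domain_map[fqdn.lower()] = netbios
    return domain_map


def normalize_user(user, domain_map=DOMAIN_MAP):
    """'test.kunaldc.com\\testuser' -> 'test\\testuser'; unmapped or domain-less names are returned as-is."""
    if "\\" not in user:
        return user                          # no domain part: nothing to normalize
    domain, _, name = user.partition("\\")
    return f"{domain_map.get(domain.lower(), domain)}\\{name}"


def _parse_dn(dn):
    """'cn=x, ou=y,dc=a,dc=b' -> [('cn','x'), ('ou','y'), ('dc','a'), ('dc','b')]; escaped commas not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def normalize_group(dn, domain_map=DOMAIN_MAP):
    """Full DN -> 'netbios\\group'; the DN is kept unchanged when its domain has no map entry."""
    parts = _parse_dn(dn)
    fqdn = ".".join(value for attr, value in parts if attr == "dc")   # dc=test,dc=kunaldc,dc=com
    leaf = next((value for attr, value in parts if attr == "cn"), None)
    netbios = domain_map.get(fqdn.lower())
    if leaf is None or netbios is None:
        return dn
    return f"{netbios}\\{leaf}"


def normalize_mapping_table(rows, domain_map=DOMAIN_MAP):
    """Apply the same rewrite to (ip, user) rows learnt from agent, agentless, syslog or XML API."""
    return {ip: normalize_user(user, domain_map) for ip, user in rows}


if __name__ == "__main__":
    print(normalize_user("test.kunaldc.com\\testuser"))
    print(normalize_group(GROUP_DN))
    print(normalize_group(GROUP_DN, {}))     # no domain map yet: full DN is kept
```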
kbiswas ‎05-08-2017 05:11 AM
Starting from PAN-OS 8.0, there is an option to secure the communication between the firewall and the User-ID Agent with the help of certificates.
NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID Agent to be on 8.0 (or later).

In this process, the UIA (User-ID Agent) presents a certificate to the firewall for validation. The firewall checks this certificate against the configured certificate profile. If it passes all the checks in the certificate profile, the firewall accepts the connection from the UIA. This protects against "rogue" UIAs.

Here's a step-by-step walkthrough to configure this:
1. Launch the UIA; you should see a new option called 'Server Certificate':
2. Create a new CSR for the UIA and get it signed by either an external CA, an in-house CA or a self-signed certificate present in the firewall. (Note: The CA certificate needs to be present on the firewall so it can be used in the Certificate Profile to validate the UIA's certificate.)
3. Once we have a certificate, import it into the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA used to sign the UIA's CSR.
5. You should see a new tab under Device > User Identification, called 'Connection Security':
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully with the firewall.

Failure Scenario
If an incorrect certificate, or no certificate, is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:
For the same failure, on the agent, you would see the following logs (under Monitoring -> Logs):

Hope this helped. Stay safe!
ansharma ‎03-13-2017 05:02 AM
This article outlines the steps required to install the User-ID Agent and the account permissions required for it to function properly. If not all access is granted, you may encounter the following error: "Start service failed with error 1069: The service did not start due to a logon failure."
In this article the example service account is 'kumar@panrootdc.local'.

Step 1. Make sure the account you are using in the User-ID Agent is part of 'Event Log Readers' and 'Server Operators'. In this example "kumar@panrootdc.local" should be part of "Server Operators" and "Event Log Readers".

Step 2. The account should be able to log on as a service. Open Administrative Tools, then open Local Security Policy. Go to Local Policies > User Rights Assignment. Find "Log on as a service". Double click and add the account to the Local Security Setting.

Step 3. Open cmd in Administrator mode and perform a 'gpupdate'. Otherwise, it will take time for the changes to take effect.

Step 4. The account should have permission to the folder where the User-ID Agent is installed. To grant permission, go to the folder where the User-ID Agent is installed and grant the required permission:

Step 5. The account should have permission to the registry. Locate the Palo Alto Networks folder in
Computer\HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
OR
Computer\HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks

Step 6. Give proper permission to the account for WMI CIMv2: In 'Run' type 'wmimgmt.msc' and hit Enter.
pankaku ‎01-10-2017 08:02 AM
If you ever need to have the User-ID Agent configured on multiple machines with the same config, please read these instructions on how to do it.

Instead of configuring the User-ID (UID) Agent on each machine, you can copy the configuration file from one machine and paste it into the other machines. Doing so will configure the User-ID Agent on the second machine within seconds.
Note: Please be sure to use the same account to run the agent on the server. Please see the 'Getting Started' article at the bottom of this article.

Steps
1. Stop the User-ID Agent on the first server.
2. Navigate to the following path on the first server: C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
(Screenshot showing the User-ID config file location)
3. Copy the "UserIDAgentConfig.xml" file from the first server. Please remember to start the User-ID Agent again on the first server after copying the file.
4. On a second server with the User-ID Agent installed, stop the User-ID Agent, and copy the config file into the same location as on the first server. And again, please remember to start the User-ID Agent after copying the config file.

This method is the quickest way to have redundant User-ID agents.

See also
Getting Started: User-ID
schopra ‎01-04-2017 02:32 PM
Overview
Palo Alto Networks recommends using an LDAP browser to find the proper LDAP information.

Finding the Proper Bind Information
To find the Bind DN, run the following command with the example username of test1 from the command line of the AD server:
dsquery user -name test1
You should receive the Bind DN "CN=test1, OU=outest2, OU=outest, DC=pantac2, DC=org"
Or use an LDAP browser to find the Bind DN:

The Base DN is where the PAN will start searching in the directory structure. The Bind DN is the username that will be used to do the searching and request the authentication.
Note: In Active Directory, a blank folder icon represents Containers (CN) while folders with icons are Organizational Units (OU).
For example, if the admin account is in the Users container, the Bind DN information is cn=admin,cn=users,dc=pantac2,dc=org
In the following example, the test1 account is in the OUtest2 Organizational Unit (OU), and OUtest2 is in OUtest.

Configuring LDAP
Device > Server Profile > LDAP
For the above example, Active Directory is used and no SSL encryption is configured. The Port field can be left empty for the default ports to be used: TCP port 389 is the standard port for unencrypted LDAP, port 636 is used when "Require SSL/TLS secured connection" is selected.

LDAP information
Type: active-directory
If the server list has been populated and the servers are reachable by the management interface, the Base DN will auto-populate when you click the drop-down arrow.
Base DN: DC=paloalto, DC=com
Bind DN supports LDAP, UPN and down-level formats:
ldap-auth@paloalto.com
CN=ldap-auth, OU=Users, DC=paloalto, DC=com

Configure Your Group-Mapping Profile
Device tab > User Identification > Group Mapping Settings: make sure to set the User Domain.
Click the Group Include List tab.
Click the + sign next to the Base in the left column to drop down the list of available folders to search for the groups you want to query for.
Click on the groups listed starting with "cn=" that you want to have on the firewall to use in policies, and click the + sign in the middle to add them to the included list of groups.
Warning! If there are no groups in the include list on the right, all groups in AD will be queried, which may cause load issues.
Commit.
Verify the connection to the LDAP server with the following CLI command:
> show user group name all

Configure your LDAP authentication in Device > Authentication Profile.
Include any groups that you are querying for that will be used in the Authentication Profile. This profile can be used for Captive Portal, GlobalProtect, user log on, or any authentication through the firewall. You can create other Authentication Profiles for different functions if the groups in the allow list will be different. If required, the input username can be modified to accommodate down-level or UPN username formats.

owner: bnitz
npare ‎09-01-2016 05:52 AM
Up to PAN-OS 6.1; for later OS versions, see below

Details
In most cases, the NetBIOS domain should be configured in the Domain field.
Note: In most cases, the full domain should not be used (for example, use 'pantaclab' and not 'pantaclab.com').

Here is an example of what happens when the full domain is used:
> show user user-IDs
User Name            Vsys   Groups
------------------------------------------------------------------
pantaclab.com\user01 vsys1  cn=group1,cn=users,dc=pantaclab,dc=com

Notice that the user is pantaclab.com\user01, which is likely not to match what is configured in Active Directory.

When configuring pantaclab as the domain instead of pantaclab.com, the result is very different: the user is listed as pantaclab\user01, which matches the Active Directory user.
> show user ip-user-mapping
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.208.100 AD        pantaclab\user01                 2995             2995

If the domain name in the LDAP profile is different from the one set in ip-user-mapping, it affects user/group name lookup. For example, if a security policy is configured with source user "group1" (from the above example), the user at 192.168.206.100 will not be taken as a member of "group1".

See Also
How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server
LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

owner: yogihara
npare ‎04-28-2016 02:10 AM
Overview
The Captive Portal is used to create user-to-IP mappings on the Palo Alto Networks firewall. The portal is triggered based on the Captive Portal policies for http and/or https traffic only, and only for IP addresses without an existing user-to-IP mapping. For user authentication, a local database, RADIUS, Kerberos, or an LDAP server can be used. Once identified, user-based policies can be applied to the user's traffic. While Captive Portal is most commonly used in a Layer 3 routed environment, this document outlines the steps to configure a V-Wire topology with Captive Portal in redirect mode authenticating to a RADIUS server.

Prerequisites
As illustrated above, the network topology for this configuration requires two physical interfaces configured for the inbound and outbound V-Wire. A third physical interface should be configured with an IP and assigned to a zone outside the V-Wire. This L3 interface will be used for the Captive Portal redirect. The firewall will intercept any unknown user sessions that are using HTTP or HTTPS with an HTTP 302 redirect message. The redirection is configured to a specified host name that will be resolved to the IP address assigned to the L3 interface. Decryption needs to be enabled in order for the firewall to send a redirect message for https traffic. The captive portal should present a certificate that is trusted by the end users (the CA issuing the certificate should be present in the Trusted Root store on the client machine), so the users will not receive any certificate warning for the https redirection. Also, the firewall will set a cookie in the client browser, therefore the end user does not need to re-type the username/password while the cookie is valid (the expiry timer can be set in the captive portal configuration).

A DNS entry should be made for the IP address configured on the L3 interface. The DNS host name will be used as the Common Name when creating the Captive Portal authentication certificate and can be used in the configuration for the Captive Portal redirect.
A RADIUS server with user accounts already defined must be running in the network and configured to operate on port 1812 or 1645. Information on configuring RADIUS can be found here: How to Configure Radius on Windows 2008 Server
RADIUS authentication is sent from the firewall management interface to the RADIUS server. If this RADIUS traffic passes through the firewall data ports (Data Plane), a security rule should be created (if not existing already) permitting this traffic. If there is no existing policy denying intra-zone traffic, a security policy will not be required to allow the traffic to the L3 interface used by Captive Portal.

Part 1: Configure Captive Portal, Authentication, and Policies

Configure the RADIUS Server Profile
Go to "Device tab > Server Profiles > RADIUS" and create the RADIUS server profile. Fill in the profile Name, server Name, IP Address, Port (1812 or 1645) and Secret.

Configure the Authentication Profile
Go to "Device tab > Authentication Profile" and Add a new profile.
- Fill in a Profile Name, and add the users which should be able to authenticate against the RADIUS server to the allow list
- Choose Authentication RADIUS from the drop-down menu (options are None, Local DB, RADIUS, LDAP or Kerberos)
- Choose the server profile that was just created for the RADIUS server.

Generate a Self-Signed Certificate or Import an Existing Certificate to the Firewall
Go to "Device tab > Certificate Management > Certificates"
- Option 1: Generate a self-signed certificate. Use the FQDN, which will be mapped in DNS to the L3 interface hosting the captive portal, as the Common Name for the certificate; other fields are not mandatory.
- Option 2: The generated CSR (Certificate Signing Request) is exported, signed by an external authority and then imported back to the firewall (use the same Common Name as for Option 1).
- Option 3: Import both the certificate and the private key, which were created by the external CA.

Configure Captive Portal
Go to "Device tab > User Identification > Captive Portal Settings" and edit the Captive Portal settings:
- Check the box to enable captive portal
- Select the previously created or imported Captive Portal certificate for the Server Certificate
- Select the previously configured Authentication Profile
- Enable Redirect mode
- For the Redirect host, type the FQDN which will be translated to the L3 interface IP address; the host name must match the Common Name used on the Captive Portal certificate
- Idle Timer: the amount of time after which the captive portal session (mapping) is cleared if the authenticated user is inactive
- Expiration: the maximum time the captive portal session can be active for a single user; after this the mapping will be removed and the user will have to re-authenticate
- Session cookie timeout: the time the session cookie is valid; if the user's browser presents the cookie to the captive portal they do not need to enter credentials again
- Roaming: allows the same cookie to be used when the client is roaming (changing the IP address)
Note: In Transparent mode, the firewall impersonates the destination http/https website and sends an http 401 message to invoke authentication. Since the firewall does not have a certificate for the actual destination, the user will always receive a certificate warning. Using Redirect mode is generally recommended.

Configure the Interface Management Profile and Assign it to the Interface
Go to "Network tab > Network Profiles > Interface Mgmt". The Management Profile assigned to the L3 interface needs to have "Response Pages" enabled.
Go to "Network tab > Interfaces" and select the appropriate L3 interface to apply the Interface Management Profile.

Configure Captive Portal Policies
Go to the "Policies tab > Captive Portal" rule base. In this example, the authenticating users are coming from the trust zone (make sure the trust zone has the User-ID checkbox enabled) and going to the untrust zone (internet). For the initial test, limit this rule to a single IP or a group of users. Users (IPs) not matching the CP policy cannot trigger the CP redirection. Do not configure the redirection for the https service if decryption is not enabled. The configured action is "web-form", meaning the user will be redirected to the captive portal page if there is no mapping for its IP address.

Configure and Adjust the Security Rules Based on the Particular Scenario
Go to the "Policies tab > Security" rule base.
- Make sure that captive portal traffic is allowed by security policies; the users being redirected must be able to reach the L3 interface serving the portal page. http redirection uses port 80, while https redirection uses ports 6080/6081/6082/6083.
- Make certain that DNS traffic is allowed for the users (in order for redirection to work, the user must first try to access an external web site).
- Often there is no need to create any additional security policies if intra-zone traffic is allowed.
Users from the trust zone will be able to reach the captive portal in the trust zone   Part 2: Test the Captive Portal Confirm that the captive policy rule will be triggered for a particular user using "test cp-policy-match" CLI command; also, check if there is not user-to-IP mapping for the user's IP address > test cp-policy-match source <source_ip> from trust to untrust destination <destination_ip> > show user ip-user-mapping ip <ip_address> > show user ip-user-mapping-mp ip <ip_address> When loading external http/https web sites it should be redirected to the Captive Portal page for authentication. The Captive Portal page can be customized (Device tab > Response Pages). Once the appropriate credentials are entered (checked by the RADIUS server), it will load the initially requested page. The firewall will create user-to-IP mapping (source of the mapping will be marked as CP):     > show user ip-user-mapping-mp all     IP              Vsys   From    User                             Timeout (sec)     --------------- ------ ------- -------------------------------- ----------------     172.16.21.93    vsys1  CP      paloaltonetworks\user1           895                     <<< user mapped by Captive Portal     172.16.32.1     vsys1  GP      pre-logon                        2588475     192.168.21.94   vsys1  AD      paloaltonetworks\user2           6     Total: 3 users     *: WMI probe succeeded   If the user has the mapping on the firewall, it can be cleared for testing purposes and can also clear the captive portal session for a user with the following CLI commands:     > clear user-cache ip <ip_address>     > clear user-cache-mp ip <ip_address>     > debug device-server reset captive-portal ip-address   Useful Troubleshooting Links: Troubleshooting Captive Portal Troubleshooting Captive Portal Redirect Page Issues Captive Portal Page in a Redirect Loop Captive Portal Comfort Page is Not Displayed When Visiting Encrypted Sites   owner: nmarkovic
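The test steps above depend on reading the "From" column of the ip-user-mapping output to confirm that a mapping really came from Captive Portal (CP) rather than from an agent (AD) or GlobalProtect (GP). The following Python parser is an added example, not code from the article or from Palo Alto Networks; the sample output it parses is constructed in the same column layout the article shows, and the function and field names are this example's own.

```python
"""Parse the output of `show user ip-user-mapping-mp all` and report which
mappings were created by Captive Portal.

Added example for this article; not Palo Alto Networks code. SAMPLE_OUTPUT is
constructed from the column layout shown in the article."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, same column layout as the article's CLI output
# (the trailing "<<<" annotation mimics the article's inline marker).
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
172.16.21.93    vsys1  CP      paloaltonetworks\\user1           895                     <<< user mapped by Captive Portal
172.16.32.1     vsys1  GP      pre-logon                        2588475
192.168.21.94   vsys1  AD      paloaltonetworks\\user2           6
Total: 3 users
*: WMI probe succeeded
"""


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str    # CP = Captive Portal, AD = agent/server monitoring, GP = GlobalProtect
    user: str
    timeout: int   # seconds until the mapping ages out


# One data row: IP, vsys, source, user, numeric timeout; anything after it is ignored.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)")


def parse_mappings(text: str) -> List[Mapping]:
    """Return one Mapping per data row; header, separator and summary lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, vsys, source, user, timeout = m.groups()
        try:
            ipaddress.ip_address(ip)   # defensive: first column must be an address
        except ValueError:
            continue
        mappings.append(Mapping(ip, vsys, source, user, int(timeout)))
    return mappings


def lookup(mappings: List[Mapping], ip: str) -> Optional[Mapping]:
    """Mapping for one address, or None (i.e. the user would hit the portal)."""
    for m in mappings:
        if m.ip == ip:
            return m
    return None


def captive_portal_users(mappings: List[Mapping]) -> List[Mapping]:
    """Mappings learned through the Captive Portal web form."""
    return [m for m in mappings if m.source == "CP"]


def expiring_soon(mappings: List[Mapping], threshold: int = 60) -> List[Mapping]:
    """Mappings whose timeout is at or below the threshold (about to be removed)."""
    return [m for m in mappings if m.timeout <= threshold]


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    for m in captive_portal_users(rows):
        print(f"CP mapping: {m.ip} -> {m.user} ({m.timeout}s left)")
    for m in expiring_soon(rows):
        print(f"about to expire: {m.ip} ({m.source}) {m.timeout}s")
```

Paste the real CLI output in place of the constructed sample; `lookup()` answers the "is there already a mapping for this IP" question from the test procedure, and `expiring_soon()` flags mappings that will be removed before a test completes.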
npare 04-19-2016 07:31 AM
Overview

This document explains how to configure a HIP check for missing Microsoft patches. Note: GlobalProtect Client version 1.2.7 / 2.2.1 was used for the screenshots below.

Steps

Configure the Patch Management Criteria in the HIP object:
Go to Object > GlobalProtect > HIP Objects.
Click "Add new HIP Object".
Go to Patch Management > Criteria.
Is Installed: This checkbox should always be turned on. This option is not used to check whether a patch is installed.
Check: This setting is only applied to the patches listed in the box below. For example, if the "has-none" check criterion is selected, the HIP object matches when a HIP report has none of the patches listed in the Patches box.
Patches: To check Microsoft KB patches, add the number(s) here. This can be left blank. Set "has-any" for the check, so the HIP object matches if there are any missing patches.

Configure the Patch Management Vendor in the HIP object:
Go to Object > GlobalProtect > HIP Objects.
Add a new HIP Object.
Go to Patch Management > Vendor.

Configure the HIP profile:
Go to Object > GlobalProtect > HIP Profiles.
Click Add.
Configure the HIP profile by clicking the "Add Match Criteria" button.

Configure the Security Policy and assign the HIP profile:
Go to Policies > Security.
Click Add.
Go to User > HIP Profiles.
Select the configured HIP profile.

Optionally, configure HIP Notification:
Go to Network > GlobalProtect > Gateways > HIP Notification.
Click Add.
Select the HIP profile and configure the Match Message and Not Match Message tabs as required.

On the GlobalProtect Client, view the host state information from the Host State tab. On the GlobalProtect client, the missing patch information does not appear immediately after a fresh installation; it appears after one or two hours.

Troubleshooting on the Client Device

Check the HIP notification (View > HIP notification) for the "Match Message" or "Not Match Message". When the configuration is modified on the Palo Alto Networks device, disable and re-enable GlobalProtect (File > Disable, then File > Enable) for verification.

Troubleshooting on the Palo Alto Networks Device

The following CLI commands show the HIP information for a particular client (Note: the IP address is the private IP assigned by the GlobalProtect Gateway):

> debug user-id dump hip-profile-database
> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>

For example:

> show global-protect-gateway current-user
Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7 <=== This IP address
Public IP : 201.247.44.57

The following CLI commands show the debug logs:

> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

View the traffic logs and check the entries for rules configured with the HIP profile.

owner: ymiyashita
ymiyashita 04-13-2016 03:53 PM
Overview

Sometimes the Group Mapping search filter pulls a large number of groups from the LDAP server. In the WebGUI, under User Identification > Group Mapping, on the Include List tab, you can only see up to a maximum of 200 groups. For the groups not visible, use the search filter at the top of the same tab.

For a successful search, use the entire group name. If using only part of the group name, use wildcards.

For example, if the group name is Security Group Admins, search using the entire group name, or use a wildcard like "Security*", "*Group*" or "Security*Admins".

Note: While configuring security rules under the User tab, you can also use search. There, even part of the group name fetches the result; you don't need to use a wildcard.
abjain 10-20-2015 08:01 PM
Issue

When going to certain sites using a web browser, users behind the terminal server are unable to browse fully.

Cause

Some websites trigger high usage of ports for a short duration before releasing them. An ongoing port allocation from a website may cause the premature allocation of a port by the Terminal Server Agent (TSA) before the Windows operating system has officially released it, so connectivity errors are encountered. Note: The issue can also be experienced with applications that use a high number of ports and release them very quickly.

Windows imposes a Timed Wait State on a port. This is a configurable parameter in Windows; the value range is 30-300 seconds (decimal) with a default of 240 seconds.

(Default)                REG_SZ          (value not set)
TcpTimedWaitDelay        REG_DWORD       0x0000001e (30)

Corresponding registry settings:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Value Name: TcpTimedWaitDelay
Data Type: REG_DWORD (DWORD Value)

Resolution

A setting was introduced in TSA version 5.0.1 to address this issue. This Time Wait State (TWS) setting enables the TS Agent to optionally track the TcpTimedWaitDelay of the Windows system, thus preventing the TS Agent from choosing ports that are still in a Timed Wait State. With this setting enabled, if the system reaches the usual low threshold of port blocks, a new port block is allocated. By default this new behavior is off and can only be enabled by editing the registry.

Additionally, because ports are placed in a TWS, a user may produce a lot of activity that results in ports entering the TWS and additional port blocks being allocated that are no longer needed later. Another user may then be starved because other users are hoarding port blocks that are not needed but are not being reclaimed by the system due to the owners' lack of activity (log on/off). As a result, a timer was introduced that polls the driver to free port blocks that are no longer needed. This timer only runs when the TWS feature is enabled. The default timer value is 240 seconds and can also be modified through the registry.

Time Wait State (TWS) Feature Behavior and Configuration

There is no UI for this feature. The Windows registry must be edited to enable or disable it. Warning: Exercise caution when performing registry modifications. There is no error checking of the values in the registry.

Enable/Disable TWS
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Conf\EnableTws
Default Value: 0    [0-disabled, 1-enabled]
Restart the Terminal Server Agent service for the change to take effect.

Periodic cleanup of unused port blocks
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Conf\FreePortBlockDelay
Default Value: 240 (seconds); a value of 0 disables this timer.
There is no need to restart the service, as changes to this value take effect automatically. FreePortBlockDelay should not be shortened too aggressively, as this will cause a lot of driver cleanup activity. It is recommended that this value match the system's default Timed Wait Delay (TcpTimedWaitDelay) of 240 seconds.

Registry Changes

If port exhaustion has occurred due to large numbers of Time Wait connections, make the following registry changes:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Value: 30
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\StrictTimeWaitSeqCheck
Value: 1
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Conf\EnableTws
Value: 1
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Conf\FreePortBlockDelay
Value: 30

You may need to add the second registry value manually if it is not there. This value tells the Windows kernel to free those ports strictly after 30 seconds instead of only honoring the TcpTimedWaitDelay setting; otherwise the Windows kernel may delay freeing ports when it is busy doing something else.

The first two values direct the Windows kernel to free Time_Wait ports within 30 seconds (default kernel value: 240 seconds). If you shorten this value in the TS Agent, you need to shorten the value for the Windows kernel as well to keep them consistent.

Note: The Terminal Server Agent service must be restarted after the TS Agent value changes (the third and fourth values). The Windows OS needs to be rebooted if the kernel Tcpip stack parameters (the first and second values) are changed.

owner: sberti
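Because the article notes that the registry performs no error checking of these values, it is worth validating the four values (range of TcpTimedWaitDelay, flags being 0 or 1, and FreePortBlockDelay matching TcpTimedWaitDelay) before writing them, and recording which follow-up action (reboot or service restart) each write needs. The Python below is an added example, not Palo Alto Networks code: the registry paths and values are taken from the article, while the validation rules, function names and the `reg add` dry-run output are this example's own. The actual write uses the standard `winreg` module and therefore only runs on Windows; the dry run works anywhere.

```python
"""Validate and (on Windows) apply the TS Agent Time Wait State registry settings.

Added example for this article, not Palo Alto Networks code. Registry paths
and the recommended values come from the article; the consistency rules
encode its guidance (TcpTimedWaitDelay 30-300, FreePortBlockDelay equal to
TcpTimedWaitDelay or 0, flags 0/1), since the registry itself checks nothing."""
import sys
from dataclasses import dataclass
from typing import List

TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
TS_AGENT_CONF = r"SOFTWARE\Palo Alto Networks\TS Agent\Conf"


@dataclass(frozen=True)
class RegChange:
    subkey: str   # under HKEY_LOCAL_MACHINE
    name: str
    value: int    # all four values are REG_DWORD
    needs: str    # "reboot" for kernel Tcpip values, "service-restart" for TS Agent values


def plan_tws_changes(tcp_timed_wait_delay: int = 30,
                     free_port_block_delay: int = 30,
                     enable_tws: int = 1,
                     strict_time_wait_seq_check: int = 1) -> List[RegChange]:
    """Return the four registry writes from the article, after checking them for consistency."""
    if not 30 <= tcp_timed_wait_delay <= 300:
        raise ValueError("TcpTimedWaitDelay must be 30-300 seconds")
    if enable_tws not in (0, 1) or strict_time_wait_seq_check not in (0, 1):
        raise ValueError("EnableTws and StrictTimeWaitSeqCheck must be 0 or 1")
    if free_port_block_delay < 0:
        raise ValueError("FreePortBlockDelay must be 0 (timer disabled) or positive")
    # Article: keep the TS Agent cleanup timer consistent with the kernel's TIME_WAIT delay.
    if enable_tws and free_port_block_delay not in (0, tcp_timed_wait_delay):
        raise ValueError("FreePortBlockDelay should equal TcpTimedWaitDelay (or 0 to disable)")
    return [
        RegChange(TCPIP_PARAMS, "TcpTimedWaitDelay", tcp_timed_wait_delay, "reboot"),
        RegChange(TCPIP_PARAMS, "StrictTimeWaitSeqCheck", strict_time_wait_seq_check, "reboot"),
        RegChange(TS_AGENT_CONF, "EnableTws", enable_tws, "service-restart"),
        RegChange(TS_AGENT_CONF, "FreePortBlockDelay", free_port_block_delay, "service-restart"),
    ]


def followup_actions(changes: List[RegChange]) -> List[str]:
    """Distinct follow-up actions the plan requires, in plan order."""
    seen: List[str] = []
    for c in changes:
        if c.needs not in seen:
            seen.append(c.needs)
    return seen


def apply_changes(changes: List[RegChange], dry_run: bool = True) -> List[str]:
    """Return the equivalent `reg add` commands; with dry_run=False also write them via winreg."""
    commands = [
        f'reg add "HKLM\\{c.subkey}" /v {c.name} /t REG_DWORD /d {c.value} /f'
        for c in changes
    ]
    if dry_run:
        return commands
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry writes are only possible on Windows")
    import winreg  # Windows-only standard library module
    for c in changes:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, c.subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, c.name, 0, winreg.REG_DWORD, c.value)
    return commands


if __name__ == "__main__":
    plan = plan_tws_changes()
    print("\n".join(apply_changes(plan)))          # dry run: show the commands only
    print("then:", ", ".join(followup_actions(plan)))
```

Run it as an administrator with `dry_run=False` to write the values; the returned `followup_actions()` list reminds you that the first two changes need a reboot and the last two a restart of the Terminal Server Agent service.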
sberti 09-23-2015 05:34 AM
Overview

This document describes how to configure the Include/Exclude list in agentless User-ID. This feature can be used to exclude some subnets or IP addresses from user-to-IP mapping on the firewall.

By default (with an empty Include/Exclude list), the User-ID agent creates an IP-to-user mapping for any IP address found in the relevant security log events on each domain controller. As soon as an entry is added to the Include/Exclude list, an implicit deny rule is added for any other IP address. The order of entries in the Include/Exclude list is very important because the list is processed in a top-down manner.

Steps

Navigate to Device > User Identification > User Mapping.
Click Add under Include/Exclude Networks and configure, as shown below.
As shown in the examples below, exclude the 192.168.17.0/24 subnet and include all other IP addresses for mapping.

User-to-IP mapping will not occur for the 192.168.17.0/24 subnet, and IP addresses from this network will be treated as "unknown".

owner: sbabu
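The three rules in the text (empty list maps everything, top-down first match wins, implicit deny once the list has entries) are easy to get wrong when ordering entries. The following Python model is an added example, not Palo Alto Networks code or the firewall's implementation: it evaluates a list of (network, include/exclude) entries exactly as the article describes, so you can check a planned list against sample addresses before committing it. The screenshot that shows the "include all other" entry is not on the page, so representing it as 0.0.0.0/0 is an assumption, and the log events are constructed.

```python
"""Model of the agentless User-ID Include/Exclude Networks evaluation described above.

Added example, not Palo Alto Networks code. Rules encoded from the article:
empty list -> map every address; otherwise top-down, first match decides;
no match -> implicit deny (no mapping)."""
import ipaddress
from typing import List, Tuple

# (network in CIDR notation, discovery) where discovery is "include" or "exclude"
Entry = Tuple[str, str]


def should_map(ip: str, entries: List[Entry]) -> bool:
    """True if a user-to-IP mapping would be created for this address."""
    addr = ipaddress.ip_address(ip)
    if not entries:
        return True                        # default: map any address seen in the DC logs
    for network, discovery in entries:     # top-down, first match wins
        if discovery not in ("include", "exclude"):
            raise ValueError(f"bad discovery value {discovery!r} for {network}")
        if addr in ipaddress.ip_network(network, strict=False):
            return discovery == "include"
    return False                           # implicit deny once the list is non-empty


def filter_log_events(events: List[Tuple[str, str]], entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return the (ip, user) pairs from DC log events that would become mappings."""
    return [(ip, user) for ip, user in events if should_map(ip, entries)]


# The article's example list; the include-all entry as 0.0.0.0/0 is an assumption.
ARTICLE_LIST: List[Entry] = [
    ("192.168.17.0/24", "exclude"),   # no mapping for this subnet
    ("0.0.0.0/0", "include"),         # everything else is mapped
]

# Constructed sample of (ip, user) pairs as they would be read from DC security logs.
SAMPLE_EVENTS = [
    ("192.168.17.25", "corp\\alice"),
    ("10.1.2.3", "corp\\bob"),
    ("192.168.18.9", "corp\\carol"),
]

if __name__ == "__main__":
    for ip, user in filter_log_events(SAMPLE_EVENTS, ARTICLE_LIST):
        print(f"map {ip} -> {user}")
```

Note what happens if the two entries are swapped: the 0.0.0.0/0 include then matches first for every address and the exclusion never takes effect, which is the ordering pitfall the article warns about.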
sbabu 09-02-2015 07:14 AM
Overview

This document describes the steps to set up RADIUS for Captive Portal.

Steps

Enable the zone for User Identification.
Set up the RADIUS Server profile.
Set up the Authentication Profile. The Palo Alto Networks device forwards all Captive Portal authentication requests to the RADIUS server.
Set up the User Identification settings for Captive Portal.
Set up the Captive Portal policy.

Note: For PAN-OS 4.1, the action will be captive-portal and not web-form.

owner: panagent
nrice 09-01-2015 03:57 AM
The User-ID software reads user and group information from an Active Directory server and forwards the learned information to a Palo Alto Networks firewall, allowing domain user- and group-based policies.

This document covers the configuration required when NetBIOS probing is disabled. Disabling the NetBIOS probing option is recommended when the workstations do not allow remote NetBIOS probes.

To disable NetBIOS probes, follow these steps:
Configure > Disable NetBIOS Probing (check)
Set the Age-out Timeout (in minutes)

The recommended timeout setting is a time equal to or longer than the domain timeout. The default Windows domain idle timeout is 8 hours, so set the timeout to 8 hours or longer.

After making the changes, click 'OK' to continue. To complete the change, an edit is needed in the User-ID agent config file. The file is config.xml and is located in the installation directory of the User-ID agent software.

Open the config.xml file using Notepad or another text editor.

Change the value of <enable-full-expire> from 0 to 1.

Restart the User-ID service after the changes have been made.

owner: panagent
nrice 08-31-2015 07:38 PM
Overview

By default, the maximum number of domain controllers that can be queried by the User-ID Agent is set to 10. This document describes how to change this limit.

Steps

Use a text editor to open the config.xml located in the install directory for the User-ID Agent. Default locations:
C:\Program Files\Palo Alto Networks\PanAgent\
C:\Program Files (x86)\Palo Alto Networks\PanAgent\
Look for the line <max-dc>10</max-dc> (this is set to 10 by default).
Change the maximum number of domain controllers by changing the "10" to a number greater than 10. If the number is greater than 100, the maximum will be capped at 100. The config line should now look something like this: <max-dc>100</max-dc>
Save the file and restart the 'PanAgentService' service.

owner: sspringer
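Both this article and the NetBIOS-probing article above have you hand-edit the User-ID agent's config.xml, one to set <enable-full-expire> to 1 and the other to raise <max-dc> (with the 100 cap). The Python below is an added example that is not Palo Alto Networks code: it makes both edits with the standard library XML parser, keeps a backup, and applies the cap. Only the two element names come from the articles; the <config> root element and the sample file are constructed, and a real config.xml will contain other elements, which this code leaves untouched.

```python
"""Edit the User-ID agent config.xml settings from the two articles above:
<enable-full-expire> (1 when NetBIOS probing is disabled) and <max-dc> (capped at 100).

Added example, not Palo Alto Networks code. The <config> root and SAMPLE_CONFIG
are constructed; only the two element names are taken from the articles."""
import xml.etree.ElementTree as ET
from pathlib import Path

MAX_DC_LIMIT = 100   # article: any value above 100 is reduced to 100
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample with the default values named in the articles.
SAMPLE_CONFIG = XML_DECL + """<config>
  <enable-full-expire>0</enable-full-expire>
  <max-dc>10</max-dc>
</config>
"""


def _set_element(root: ET.Element, tag: str, value: int) -> None:
    """Set the text of <tag> under root, creating the element if it is missing."""
    el = root.find(tag)
    if el is None:
        el = ET.SubElement(root, tag)
    el.text = str(value)


def update_config(xml_text: str, enable_full_expire: bool = True, max_dc: int = 10) -> str:
    """Return the config with both settings applied; other elements are preserved."""
    if max_dc < 1:
        raise ValueError("max-dc must be at least 1")
    root = ET.fromstring(xml_text)
    _set_element(root, "enable-full-expire", 1 if enable_full_expire else 0)
    _set_element(root, "max-dc", min(max_dc, MAX_DC_LIMIT))   # apply the agent's cap up front
    return XML_DECL + ET.tostring(root, encoding="unicode")


def read_setting(xml_text: str, tag: str) -> int:
    """Integer value of a top-level setting; KeyError if the element is absent."""
    el = ET.fromstring(xml_text).find(tag)
    if el is None or el.text is None:
        raise KeyError(tag)
    return int(el.text.strip())


def update_file(path: Path, **settings) -> None:
    """Rewrite config.xml in place, keeping a .bak copy of the original."""
    original = path.read_text(encoding="utf-8")
    path.with_suffix(".xml.bak").write_text(original, encoding="utf-8")
    path.write_text(update_config(original, **settings), encoding="utf-8")


if __name__ == "__main__":
    updated = update_config(SAMPLE_CONFIG, enable_full_expire=True, max_dc=150)
    print(updated)   # max-dc comes out as 100 because of the cap
```

After `update_file()` the agent service still has to be restarted (PanAgentService, as the article states) for either value to take effect.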
swhyte 08-21-2015 07:17 AM
Overview

When implementing User-ID in agent or agentless mode, the group mapping information is generally pulled by the Palo Alto Networks firewall directly, using the LDAP profile configured under the Server Profiles tab. This direct LDAP connection from the firewall can be bypassed by enabling the LDAP Proxy in the User-ID agent.

Details

Shown below are the working scenarios.

Without LDAP Proxy: The group mapping information is queried by the firewall directly from Active Directory (AD), and only the user-to-IP mapping information comes through the agent. Configure an LDAP Server profile and a group mapping profile.

With LDAP Proxy: Both the group mapping information and the user-to-IP mapping information come through the agent, by enabling the LDAP proxy. An LDAP Server profile and a group mapping profile must also be configured.

Implementation

This is implemented using the LDAP Proxy option of the User-ID agent. Shown below are the steps to configure it:
Go to Device > User Identification > User-ID Agents.
Click Add to create an agent configuration and enable the option "Use As LDAP proxy".

Now the group mapping information is pulled by the firewall through the agent rather than by querying AD directly, ensuring that all communication between the firewall and AD happens through the agent.

owner: sbabu
sbabu 08-15-2014 04:01 PM
Overview

The Global Catalog is a distributed data repository with a partial representation of every object in every domain of a multi-domain Active Directory forest. This is why it is useful for the Palo Alto Networks firewall to have access to the Global Catalog: it eliminates the need for the firewall to connect to all the DCs in the forest, and the firewall maintains only one connection to an external resource. That connection is on port 3268, or 3269 if SSL is used.

Details

When multiple domains are in use, it is sometimes a struggle to get the correct group and IP-to-user mapping on the firewall. To be more precise, even when the user behind the IP address is known, the domain information on the firewall can be wrong, which causes the traffic for that user to match the wrong security rule. To get past this problem, connect to the Global Catalog and establish multiple connections to it, making sure to override the domain and use the correct base for each one.

In this scenario, there are 3 different domains in the same forest, reached through the Global Catalog connection. The domain names are il.al.com, pub.al.com and mk.al.com, which are all subdomains of al.com. Each connection uses the same Bind DN (a user in the root domain that has rights to read the information in the subdomains), but connects to a different base and overrides the domain information accordingly:
For the "il.al.com" domain: the Base is "DC=il,DC=al,DC=com" and the domain is "il"
For the "pub.al.com" domain: the Base is "DC=pub,DC=al,DC=com" and the domain is "pub"
For the "mk.al.com" domain: the Base is "DC=mk,DC=al,DC=com" and the domain is "mk"

Configure these changes under Device > Server Profiles > LDAP. This configuration allows the firewall to fetch the needed group mappings for each domain and prepend the domain, so it has the correct user and group information and the correct policy is applied.

Configure the Group Mapping Settings under Device > User Identification > Group Mapping Settings to use the newly created Server Profile. As shown below, add Group Filters if needed.

See Also
How to Configure Group-Mapping in a Multi-Domain Active Directory Domain Services (AD DS) Forest

owner: ialeksov
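The three Base/domain pairs above follow one rule: the Base is the domain's DNS labels as DC= components and the domain override is the leftmost label, and the override is what gets prepended to groups fetched from that base. The Python below is an added example, not Palo Alto Networks code or the firewall's implementation: it derives the per-domain Global Catalog entries for any list of forest domains (generalizing the article's three) and shows how a group DN returned by the catalog maps back to the right short domain. The entry layout, the `domain\cn` display form and the Bind DN are assumptions; the domains and the ports 3268/3269 are from the article.

```python
"""Derive per-domain Global Catalog connection settings (Base DN + domain override)
and map group DNs back to their short domain, as in the article above.

Added example, not Palo Alto Networks code. The dict layout, the domain\\cn
form and the sample Bind DN are assumptions for illustration."""
from typing import Dict, List

GC_PORT = 3268       # Global Catalog, plain LDAP (from the article)
GC_SSL_PORT = 3269   # Global Catalog over SSL (from the article)


def base_dn(fqdn: str) -> str:
    """il.al.com -> DC=il,DC=al,DC=com"""
    labels = [lbl for lbl in fqdn.lower().strip(".").split(".") if lbl]
    if len(labels) < 2:
        raise ValueError(f"not a DNS domain name: {fqdn!r}")
    return ",".join(f"DC={lbl}" for lbl in labels)


def domain_override(fqdn: str) -> str:
    """The short name prepended to users/groups: the leftmost DNS label (il.al.com -> il)."""
    return fqdn.lower().strip(".").split(".")[0]


def gc_profile_entries(domains: List[str], gc_host: str, bind_dn: str,
                       use_ssl: bool = False) -> List[Dict[str, object]]:
    """One LDAP server profile entry per domain, all pointing at the same Global Catalog."""
    entries = []
    for d in domains:
        entries.append({
            "server": gc_host,
            "port": GC_SSL_PORT if use_ssl else GC_PORT,
            "base": base_dn(d),
            "bind_dn": bind_dn,              # same root-domain account for every entry
            "domain": domain_override(d),    # the override the article sets per entry
        })
    return entries


def qualify_group(group_dn: str, entries: List[Dict[str, object]]) -> str:
    """Prefix a group's CN with the short domain of the entry whose Base is the DN's suffix.

    The longest matching base wins, so a child-domain base beats its parent.
    Splits on ',' and therefore assumes no escaped commas in the RDNs."""
    dn = group_dn.lower()
    best = None
    for e in entries:
        base = str(e["base"]).lower()
        if dn.endswith("," + base) and (best is None or len(base) > len(str(best["base"]))):
            best = e
    if best is None:
        raise LookupError(f"no server profile entry covers {group_dn}")
    rdn = group_dn.split(",", 1)[0]
    if not rdn.upper().startswith("CN="):
        raise ValueError("group DN must start with CN=")
    return f"{best['domain']}\\{rdn[3:]}"


# The article's forest; the GC host name and Bind DN are constructed placeholders.
ARTICLE_DOMAINS = ["il.al.com", "pub.al.com", "mk.al.com"]
SAMPLE_BIND_DN = "CN=svc-firewall,CN=Users,DC=al,DC=com"   # a user in the root domain

if __name__ == "__main__":
    for e in gc_profile_entries(ARTICLE_DOMAINS, "gc.al.com", SAMPLE_BIND_DN):
        print(e["domain"], e["base"], e["port"])
```

Feeding the list of forest domains through `gc_profile_entries()` reproduces the three Base/domain pairs from the article, and `qualify_group()` makes the "prepend the domain" step visible for any DN the catalog returns.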
ialeksov 07-14-2014 12:32 PM