Interrogate External Server for UserID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Interrogate External Server for UserID

L2 Linker

Hi,

We have a use case where, upon detection of a session with an unknown userID, we'd like the Palo firewall to interrogate an external service via REST API for the UserID/IP address mapping.  

I appreciate the normal way is to prepopulate the Palo or UserID Agent servers with data from external sources, but this is not possible in this case.

Any ideas?

Thanks.

7 REPLIES 7

L7 Applicator

I dont know of any method via cli to add static mappings, this really defeats the object...

so no CLI then no API.

 

would you not be better off interrogating the ip mapping via ssh or similar and then import this to a server that the user-id agent can itself interrogate or is this also part of the problem..

 

Thanks for your reply MickBall.

I'm not concerned with the CLI especially. I just want the firewall to send a query to an external source for UserID/IP address mapping when a new session from an 'unknown user' is presented.

The external source is not static and will be constantly updating with new UserID/IP address mappings.

NP.

Of course. i understand...

 

would you not be better off posting a similar request in the automation/API discussions area.

 

BTW. exactly what server are you looking to interrogate.

"would you not be better off posting a similar request in the automation/API discussions area."

- Yes, almost definitely!  🙂

I'll see if an admin can move it for me.

It's a DDI server, used for IPAM/DHCP, that I want to interrogate.

 

I think you're underestimating the potential query volume this could generate. Even a PA-220 is rated for 4200 CPS. 

 

If your IPAM solution has APIs available to query user -> IP assignment, I'd periodically query the DB and use the User-ID API to create IP-User mappings on the firewall with that information. 

 

 

Hello,

So when you say external, are you referring to external to the PAN or your environment? Seems that User-ID would be the best option if these sessions are internal.

 

Perhaps I misunderstood your request?

 

Regards,

@Stephen_Elliott,

The firewall itself directly isn't going to be able to do this, but it is something that could be scripted. You simply need to generate an HTTP call whenever an unknown user is identified in the traffic log that you can grab the source from. The script would need to take that source and query the external service for the user-id information. That information would then need to be fed back to the API so that the firewall can update its user-id database with the user from the external source. 

  • 5381 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!