Guide and Video Demo: User-ID on Cloud NGFW for Azure




About This Guide


Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.


The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. 


In this guide, we discuss how to enable User-ID on Cloud NGFW for Azure and how to use User-ID in policy definition and traffic monitoring.


Sample Topology


Fig 1_User-ID-CNGFW-Azure_palo-alto-networks.png


In the test topology above, we have a Windows server with Active Directory configured, and two test users added to Active Directory. Within the user subnet there are two user machines (Testuser1 and Testuser2) that will be used to generate user traffic.

Cloud NGFW is integrated with Azure Virtual WAN.


User-ID with PAN-OS Integrated Agent



The following prerequisites must be in place before the PAN-OS integrated agent can monitor the server:

  • Configure the service account with Remote Management Users membership and CIMV2 namespace privileges on the server you want to monitor
  • Configure server monitoring using WinRM over HTTPS with Basic authentication
  • Create test users and groups on the Windows server
  • Add a security policy on Cloud NGFW that allows communication with the LDAP/Windows server running Active Directory
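As an added example that is not part of the original guide, the following PowerShell prepares the Windows server side of the first two prerequisites and then verifies them with the same kind of remote CIM query the firewall will issue. The server name dc01.example.local, the service account EXAMPLE\svc-userid, the group name and the firewall source address are assumed values.

```powershell
# Added example (not from the original guide). Run on the domain controller
# that User-ID will monitor. Assumed values: dc01.example.local, service account
# EXAMPLE\svc-userid, server certificate issued by the domain's own CA
# (the CA whose root certificate is later imported on Panorama).
$ServerFqdn     = 'dc01.example.local'
$ServiceAccount = 'EXAMPLE\svc-userid'
$FirewallSource = '10.0.0.10'   # assumed source address of the firewall's User-ID traffic

# 1. Membership in Remote Management Users allows WinRM/WMI access without admin rights.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Remote Management Users' -Members 'svc-userid'

# 2. HTTPS listener on TCP 5986 bound to the newest server certificate in the machine store.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServerFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No server certificate for $ServerFqdn in LocalMachine\My" }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $Cert.Thumbprint -Force | Out-Null

# 3. Basic authentication is required by the guide's transport choice; the TLS
#    listener protects the credentials, so keep unencrypted WinRM disabled.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 4. Only the firewall's source address needs to reach the listener.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (User-ID)' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $FirewallSource -Action Allow | Out-Null

# 5. CIMV2 privileges (Enable Account and Remote Enable on Root\CIMV2) have no
#    built-in cmdlet; grant them in wmimgmt.msc, then verify from another host
#    with exactly the transport and auth the firewall uses: HTTPS 5986 + Basic.
$Cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$Opt  = New-CimSessionOption -UseSsl
$Sess = New-CimSession -ComputerName $ServerFqdn -Port 5986 -Credential $Cred `
    -Authentication Basic -SessionOption $Opt
# A successful query proves the listener, the certificate chain, the account's
# group membership and the CIMV2 Remote Enable right all work together.
Get-CimInstance -CimSession $Sess -Namespace root/cimv2 -ClassName Win32_OperatingSystem |
    Select-Object CSName, LastBootUpTime
Remove-CimSession $Sess
```

If step 5 fails with an access-denied error while Test-WSMan succeeds, the CIMV2 namespace permissions are the usual cause; a TLS trust error points at the certificate chain that Panorama will also need.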


Import Root Certificate (from Windows Server) on to Panorama

Import the root certificate onto Panorama as shown below. This is the CA certificate available on the Windows server acting as Active Directory.


Fig 2_User-ID-CNGFW-Azure_palo-alto-networks.png


Add Certificate Profile

After importing the root certificate in the step above, add a certificate profile that uses the imported certificate, as shown below.


Fig 3_User-ID-CNGFW-Azure_palo-alto-networks.png


Add Certificate Profile to User-ID Connection Security

Now add this certificate profile to User-ID connection security as shown below.

Click the gear icon to add a User-ID certificate profile.


Fig 4_User-ID-CNGFW-Azure_palo-alto-networks.png

Configure Server Monitor account

Log in to Panorama and configure the server monitor account as shown in the screenshot below.

Go to DEVICE > User Identification > User Mapping and click the gear icon to configure the Server Monitor Account.


Here you provide the user name and password of the service account that you created on the Windows server as part of the prerequisites.


Fig 5_User-ID-CNGFW-Azure_palo-alto-networks.png


Configure Server Monitoring with WinRM-HTTPS Transport Protocol

Configure server monitoring by going to DEVICE > User Identification > User Mapping > Server Monitoring.

Here you specify the Type as Microsoft Active Directory, the Transport Protocol as WinRM-HTTPS, and the Network Address as the address of your Windows server where Active Directory is configured.

Commit and push the configuration.


Fig 6_User-ID-CNGFW-Azure_palo-alto-networks.png


Enable User-ID on Cloud NGFW

Now you can enable User-ID on the Cloud NGFW network interfaces.

Since Cloud NGFW is a service and you have no control over its network configuration, override the Private and Public zones as shown below and enable User-ID on them.


Fig 7_User-ID-CNGFW-Azure_palo-alto-networks.png




Fig 8_User-ID-CNGFW-Azure_palo-alto-networks.png

Similarly override Public zone as well and enable User Identification.


Configure Service Route to Active Directory LDAP Server

For Cloud NGFW to reach Active Directory, add a service route as shown below.

Go to Device > Setup > Services and click "Service Route Configuration" to add a route to the LDAP server.


Fig 9_User-ID-CNGFW-Azure_palo-alto-networks.png


On clicking Service Route Configuration, you will be presented with the following screen, where you select "Custom" and then select the LDAP service to add a route through the Loopback.3 interface.

Cloud NGFW internally uses Loopback.3 as a source interface to talk to Active Directory.


Fig 10_User-ID-CNGFW-Azure_palo-alto-networks.png


Now add a destination-based service route, where the destination is the IP address of the Active Directory server.

Select Loopback.3 as the source interface.


Commit and push the configuration.


Fig 11_User-ID-CNGFW-Azure_palo-alto-networks.png


Fig 12_User-ID-CNGFW-Azure_palo-alto-networks.png


Configure LDAP Server Profile

Configure LDAP server profile as shown below.

Go to DEVICE > Server Profiles > LDAP and click Add to add an LDAP server profile.


Fig 13_User-ID-CNGFW-Azure_palo-alto-networks.png


Start by providing a Profile Name and adding the Server List, where you specify your Active Directory server IP address.

To fill in the Server Settings, you need the Base DN and Bind DN from your Active Directory, obtained as shown below.


On your Windows server, open the ADSI Edit app as shown below.


Fig 14_User-ID-CNGFW-Azure_palo-alto-networks.png


You will be presented with the screen below, where you can select the user account on the Windows server to copy its Bind DN.


Fig 15_User-ID-CNGFW-Azure_palo-alto-networks.png


Use the copied Bind DN and Base DN in the Server Settings as shown below. Enter the password of the bind account and click OK to add the LDAP server profile.
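Before committing the profile on Panorama, the same three values (server, Bind DN, Base DN) plus the password can be verified from any domain host with the added PowerShell below; it is not part of the original guide. The server address, DNs, port 636 (assuming the profile's SSL/TLS option is kept) and the test group name TestGroup are assumed values.

```powershell
# Added example (not from the original guide): simple-binds to Active Directory
# with the Bind DN exactly as the firewall's LDAP server profile will, then
# searches the Base DN for the test group whose members group mapping will read.
$Server   = '10.1.1.4'                                   # assumed AD server address
$Port     = 636                                          # assumed: profile requires SSL/TLS; use 389 otherwise
$BaseDn   = 'DC=example,DC=local'                        # assumed Base DN copied from ADSI Edit
$BindDn   = 'CN=svc-userid,CN=Users,DC=example,DC=local' # assumed Bind DN copied from ADSI Edit
$GroupCn  = 'TestGroup'                                  # assumed name of the test group
$Password = Read-Host -AsSecureString -Prompt 'Bind password'

Add-Type -AssemblyName System.DirectoryServices.Protocols
$Id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$Conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Id)
$Conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
$Conn.SessionOptions.ProtocolVersion   = 3
# AuthType Basic is an LDAP simple bind: the DN and password are sent as-is,
# which is why the guide's profile pairs it with an SSL/TLS connection.
$Conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$Conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
try {
    $Conn.Bind()
    Write-Host "Bind as $BindDn succeeded"
} catch {
    throw "Bind failed (check Bind DN, password, port/TLS): $($_.Exception.Message)"
}

# A subtree search from the Base DN; an empty result means the Base DN does not
# contain the group, which is what an incomplete group-mapping list looks like later.
$Filter = "(&(objectClass=group)(cn=$GroupCn))"
$Req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'member')
$Resp = $Conn.SendRequest($Req)
if ($Resp.Entries.Count -eq 0) { throw "Group $GroupCn not found under $BaseDn" }
$Members = $Resp.Entries[0].Attributes['member']
if ($null -eq $Members) { Write-Host "$GroupCn has no members" }
else { $Members.GetValues([string]) | ForEach-Object { "member: $_" } }
$Conn.Dispose()
```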


Fig 16_User-ID-CNGFW-Azure_palo-alto-networks.png


Configure Group Mapping Settings

To configure group mapping, go to the User Identification section as shown below and click Add.


Fig 17_User-ID-CNGFW-Azure_palo-alto-networks.png


Select the server profile created in the step above to add the group mapping, as shown below.


Fig 18_User-ID-CNGFW-Azure_palo-alto-networks.png


Configure User-ID Master Device with Cloud NGFW Device Group

Go to your Cloud NGFW device group as shown below. Select the backend instances of Cloud NGFW (there will be 3 or more) by enabling the checkbox against the name of each instance.

Now enable the "User ID Master Device" radio button and select one of the instances from the drop-down to act as the User-ID master device.


Fig 19_User-ID-CNGFW-Azure_palo-alto-networks.png


Commit and push the configuration.


User Traffic Test Through Cloud NGFW


Validate Testuser1 Traffic

As per the test topology, we have two users (Testuser1 and Testuser2). You can now define security policies based on users.

Let's add a security policy that blocks LinkedIn for Testuser2 and allows it for other users, as shown below.


Fig 20_User-ID-CNGFW-Azure_palo-alto-networks.png


Let's now log in as Testuser1 and check whether this user can access LinkedIn and other websites.

As you can see in the screenshot below, Testuser1 was able to access LinkedIn and other websites.


Fig 21_User-ID-CNGFW-Azure_palo-alto-networks.png


Validate the same on the Panorama Monitoring page. You can see that the LinkedIn and Twitter applications accessed by testuser1 hit the AllowALL rule and were allowed.


Fig 22_User-ID-CNGFW-Azure_palo-alto-networks.png


Validate Testuser2 Traffic

As per the security policy defined, Testuser2 is blocked from accessing LinkedIn.

Let's now log in to the Testuser2 machine and access the websites (LinkedIn and Twitter).

As you can see in the screenshot below, Testuser2 was not able to access LinkedIn but was able to access Twitter.


Let's see the reason for that on the Panorama Monitoring page.


Fig 23_User-ID-CNGFW-Azure_palo-alto-networks.png

This confirms that Cloud NGFW for Azure supports user-based policy definition and monitoring.




Last Updated: 06-07-2024 10:59 AM