We recently implemented a pair of PA-3020s in an Active/Passive cluster.
I have been working on User-ID, but have an issue. There are about 2500 Apple Mac computers
on site. They are bound to AD; even if an AD user logs in to an Apple Mac, there are no MS events
in the security logs to forward to the User-ID agent.
Most of the Apple Macs don't mount any shared MS AD shares.
My question is: what am I missing, or how can I get User-ID to work with Apple Macs?
Also, it would be great if there were a "local" agent installer for both Mac and Windows clients.
We could install them silently as a managed install, then let the physical machine report the current user and IP address to the firewall.
Good morning! These are the options available for Mac users to provide their User-ID info to the firewall:
1) Captive Portal (https://live.paloaltonetworks.com/docs/DOC-1159)
2) Install a client that will do an AD login
3) Make them connect via SSL VPN and surf through the VPN.
4) User-ID API integration using syslog (https://live.paloaltonetworks.com/docs/DOC-1936) - You would take login events on your OpenDirectory server and syslog these events. Parse the data and use the API to send this info to the User-ID Agent for IP-to-user mappings.
Additionally, the User-ID agent can also monitor an Exchange server, so if the Mac users are able to log in to Outlook to create login events, we should be able to get the mapping that way as well. Hope that helps!
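As an added illustration of option 4 above (this is example code written for this page, not code from the original thread or from Palo Alto Networks), the following Python script takes syslog lines, keeps only successful logins, builds a `<uid-message>` login payload, and POSTs it to the firewall's User-ID XML API (`/api/?type=user-id` with the `key` and `cmd` form fields; `timeout` is in minutes). The syslog line shape, the host names, the regular expression and the sample lines are constructed assumptions: real OpenDirectory output differs, so the pattern's `user` and `ip` groups must be adjusted to match what your server actually emits. The XML is built with ElementTree rather than string formatting so a username containing `<` or `&` cannot corrupt the message, the API key is read from the environment rather than the source, and TLS verification stays on.

```python
"""Forward OpenDirectory login syslog events to a PAN-OS firewall via the User-ID XML API.
Example code for illustration; the log format below is a constructed assumption."""
import os
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical syslog line shape (assumption). Real OpenDirectory output differs;
# change the named groups 'user' and 'ip' to match your server's actual messages.
DEFAULT_PATTERN = re.compile(
    r"opendirectoryd\[\d+\]: Authentication succeeded for user "
    r"'(?P<user>[^']+)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample input (not real log data): two hosts, one failed login, one noise line,
# and an IP (10.20.30.55) that is first used by asmith and later by jdoe.
SAMPLE_LINES = [
    "Jan 14 08:02:11 od01 opendirectoryd[56]: Authentication succeeded for user 'CORP\\jdoe' from 10.20.30.41",
    "Jan 14 08:02:13 od01 opendirectoryd[56]: Authentication failed for user 'CORP\\jdoe' from 10.20.30.42",
    "Jan 14 08:05:40 od01 opendirectoryd[56]: Authentication succeeded for user 'CORP\\asmith' from 10.20.30.55",
    "Jan 14 08:09:02 od01 opendirectoryd[56]: Authentication succeeded for user 'CORP\\jdoe' from 10.20.30.55",
    "Jan 14 08:09:05 od01 kernel[0]: unrelated noise",
]


def parse_login_events(lines, pattern=DEFAULT_PATTERN):
    """Return an ordered {ip: user} dict of successful logins.
    Later lines win, so an IP that moves to a new user is updated, not duplicated."""
    mappings = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # failed logins and unrelated lines produce no mapping
        mappings[m.group("ip")] = m.group("user")
    return mappings


def build_uid_message(mappings, timeout_minutes=60):
    """Build the User-ID <uid-message> login payload as a string.
    ElementTree escapes attribute values, so hostile user names cannot break the XML."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in mappings.items():
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def uid_entries(xml_payload):
    """Parse a <uid-message> back into [(name, ip, timeout), ...] for checking or logging."""
    root = ET.fromstring(xml_payload)
    return [(e.get("name"), e.get("ip"), e.get("timeout"))
            for e in root.findall("./payload/login/entry")]


def send_uid_message(firewall_host, api_key, xml_payload, cafile=None):
    """POST the payload to https://<firewall>/api/?type=user-id.
    Certificate checks stay enabled; pass cafile for a private CA instead of disabling them."""
    form = {"type": "user-id", "key": api_key, "cmd": xml_payload}
    data = urllib.parse.urlencode(form).encode()
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    payload = build_uid_message(parse_login_events(SAMPLE_LINES))
    print(payload)
    # Only talk to a firewall when a target is configured; the key never lives in the source.
    host, key = os.environ.get("PAN_HOST"), os.environ.get("PAN_API_KEY")
    if host and key:
        print(send_uid_message(host, key, payload))
```

Run it with `PAN_HOST` and `PAN_API_KEY` set to push the mappings; without them it only prints the XML it would send. In production you would feed it the live syslog stream (or run it as a syslog receiver) rather than a list, and a deployment that hands the firewall untrusted log text should keep the escaping step, since the User-ID API trusts whatever user name it is given.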
You said the Macs were bound to AD:
"They are bound to AD; even if an AD user logs in to an Apple Mac, there are no MS events in the security logs to forward to the User-ID agent." So, how are the Macs bound to AD? If the users authenticate to AD there should be a logon event, and if not, you may have to enable logging levels to show those logon events through:
These are then read according to:
You may also find https://live.paloaltonetworks.com/docs/DOC-5662 helpful.
Sorry this is so late; this issue was resolved. Before I started working here, the Mac admins were given an AD OU to bind the Apple Mac OS X machines to (CN=MAC,DC=xx,DC=xxx).
For some reason, if the Macs are not in the default CN=Computers,DC=xx,DC=xxx OU, the Windows security logs will never populate?
After we moved all of the AD objects (the Apple Macs) to the correct OU (CN=Computers,DC=xx,DC=xxx), the security event logs started working and populating PAN User-ID.
I hope this helps.