Confused About User-ID and User Mapping


Confused About User-ID and User Mapping

L3 Networker

Regarding the User-ID Agent (Active Directory) feature of the firewall, I’m confused as to the difference and need for either the User Mapping and/or User-ID Agent. Is the User Mapping feature replacing the User-ID agent?

The units we have were set up prior to my employment. We have 6 office locations and two data centers, each data center with a 3050 unit, which have 11 MS AD monitors (an AD server or two at each site and in the data centers), 3 Exchange monitors, and 1 User-ID agent. All Internet traffic from the office locations will go through a 3050 unit at either data center using our MPLS infrastructure.

 

I’ve read the User-ID best practices etc., but I'm still confused as to what is needed and how each works.

Appreciate any help and insight.

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.

Accepted Solutions

Cyber Elite

Hello Jeff,

The User-ID feature is used to identify the user in the session. It can also be used to write policies around an AD user or group. For example, you want to allow finance users to access finance servers but no other users to access them. You can have the users in an AD group and write a policy and put that AD group into the 'Source User' field. I have used this in the past to separate web-browsing as well as zoning off servers only accessible by certain AD users or groups.

 

I hope that helps clarify things instead of making them more convoluted.

 

Cheers.


L4 Transporter

Hi Jeff,

 

The User-ID Agent collects info from the AD log (successful logon events - user ID and IP) and pushes this info to the firewall. You can see the mapping with: show user ip-user-mapping ip x.x.x.x

Instead of using the User-ID Agent running on the AD server, you can configure this function on the firewall as well (called agentless):

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/...

Regards,

Klaus 

 


L6 Presenter

User Mapping is a process which associates IP addresses with usernames. User mapping can get that info from many different sources:

- from AD with a User-ID agent installed somewhere,
- from AD without any agent (the PA itself sends queries to AD),
- from GlobalProtect,
- from Captive Portal,
- from syslog listeners,
- from Exchange servers,
- ...

 

Neither of these techniques is becoming obsolete.
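To make the mechanics in the three answers above concrete, here is an added example (my own toy model, not Palo Alto Networks code and not the firewall's actual implementation). It builds an IP-to-user table from constructed Windows logon events of the kind a User-ID agent reads from a domain controller, accepts mappings from other assumed sources (GlobalProtect, syslog) into the same table, expires them after an assumed timeout, answers the equivalent of `show user ip-user-mapping ip x.x.x.x`, and then evaluates a constructed rule base whose 'Source User' is an AD group, a single user, or 'any'. The log format, group membership, rule names and the 45-minute timeout are all constructed assumptions for the example.

```python
"""Toy model of User-ID mapping and 'Source User' policy matching.

Added example, not Palo Alto Networks code. Mappings from IP to username are
learned from several sources (AD logon events, GlobalProtect, syslog), each
with a timeout, and policy is then matched on the mapped user or on AD group
membership. All inputs below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample of Windows security log lines (successful logon is
# event 4624, failed logon 4625), in the shape an agent would read from a DC.
AD_LOG = """\
2024-03-01 08:00:05 DC1 EventID=4624 LogonType=3 Account=ACME\\jsmith SourceIP=10.1.10.23
2024-03-01 08:00:09 DC1 EventID=4624 LogonType=3 Account=ACME\\DC1$ SourceIP=10.1.0.5
2024-03-01 08:02:41 DC2 EventID=4624 LogonType=3 Account=ACME\\fgarcia SourceIP=10.2.10.77
2024-03-01 08:03:00 DC1 EventID=4625 LogonType=3 Account=ACME\\jsmith SourceIP=10.1.10.99
"""

LOGON_RE = re.compile(r"EventID=(\d+) .*Account=(\S+) SourceIP=(\S+)")


@dataclass
class Mapping:
    user: str
    source: str      # where the mapping was learned (AD, GlobalProtect, syslog, ...)
    expires: int     # absolute time in seconds after which the mapping is stale


class UserIdTable:
    """Holds IP -> user mappings from several sources, each with a timeout."""

    def __init__(self, timeout=2700):  # assumed 45-minute timeout (example value)
        self.timeout = timeout
        self.table = {}

    def learn(self, ip, user, source, now):
        """Record (or refresh) a mapping regardless of which source supplied it."""
        self.table[ip] = Mapping(user, source, now + self.timeout)

    def learn_from_ad_log(self, text, now):
        """Parse logon events the way an AD-reading agent would; returns mappings learned."""
        count = 0
        for line in text.splitlines():
            m = LOGON_RE.search(line)
            if not m:
                continue
            event_id, account, ip = m.groups()
            if event_id != "4624":      # only successful logons create a mapping
                continue
            if account.endswith("$"):   # skip machine accounts, they are not users
                continue
            self.learn(ip, account.lower(), "AD", now)
            count += 1
        return count

    def lookup(self, ip, now):
        """Equivalent of 'show user ip-user-mapping ip x.x.x.x': None if unknown or expired."""
        m = self.table.get(ip)
        if m is None or m.expires <= now:
            self.table.pop(ip, None)
            return None
        return m


# Constructed AD group membership, as the firewall's group mapping would retrieve it.
GROUPS = {
    "acme\\finance": {"acme\\jsmith"},
    "acme\\it": {"acme\\fgarcia"},
}

# Constructed rule base: 'src_user' may be an AD group, a single user, or 'any'.
RULES = [
    {"name": "finance-to-ledger", "src_user": "acme\\finance", "dst": "10.50.1.10", "action": "allow"},
    {"name": "block-fgarcia-ledger", "src_user": "acme\\fgarcia", "dst": "10.50.1.10", "action": "deny"},
    {"name": "deny-ledger", "src_user": "any", "dst": "10.50.1.10", "action": "deny"},
]


def user_matches(src_user, user):
    """A group entry matches its members; anything else is a literal username."""
    if src_user in GROUPS:
        return user in GROUPS[src_user]
    return src_user == user


def evaluate(table, src_ip, dst_ip, now):
    """First-match evaluation on the mapped user; an unmapped IP only matches 'any'."""
    m = table.lookup(src_ip, now)
    user = m.user if m else None
    for rule in RULES:
        if rule["dst"] != dst_ip:
            continue
        if rule["src_user"] == "any" or (user and user_matches(rule["src_user"], user)):
            return rule["name"], rule["action"]
    return None, "deny"
```

Two things the model makes visible: a failed logon or a machine-account logon never produces a mapping, so the corresponding IP hits only the 'any' rule, and a mapping learned from a different source (say GlobalProtect) is matched by exactly the same rules, which is why the sources listed above complement rather than replace each other.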

 

 


4 Replies


As you said, I can put an AD group on a policy to control this group. What if I just want to allow/deny one user?

Manually fill this username into the 'source user' field? Is that correct?

 

 

Danny

  • 3 accepted solutions
  • 4262 Views
  • 4 replies
  • 0 Likes