02-23-2012 05:46 AM
I use PAN-OS 4.1.3 to test user identification. I tried to use pan-agent by setting an LDAP server profile and setting up group mapping. Then I can use only AD user groups (user names in the group are not shown) in the security policy, but I can't see the user name in "source user" in the traffic log. If I use the UserID agent, I can use user names from AD in the security policy and the user name shows in the traffic log.
Is it correct?
02-23-2012 08:32 PM
For PAN-OS 4.1.3, you should use the 4.1.3-2 UserID agent to monitor the DCs for user logins. This will produce the usernames in the traffic log.
When you set the LDAP server, LDAP profile, and the group mapping on the PAN device, this will query the group memberships and make them available to the security rules. There, you can define policies for source user=AD users and/or AD groups.
Thanks,
02-23-2012 05:54 AM
Hi there,
Yes, correct. Once you install the UserID Agent you can start to use AD usernames in policies and you can see AD usernames in traffic logs.
rgds Roland
02-23-2012 04:49 PM
Thank you for your reply.
03-13-2012 10:30 AM
Follow-up question on this:
From the statements above, it seems to indicate that MS AD user names are not populated into the traffic or URL logs if the access control is based on MS AD group memberships.
Is that correct?
03-13-2012 11:09 AM
Once users are identified by the agent, their usernames will be populated in the traffic and URL logs. For those users not identified, the log field will be blank. This will be true regardless of whether AD groups are used in security rules or not.
Thanks.
03-13-2012 11:13 AM
Is that also true for LDAP being proxied through the user id agent 4.1.3-2? Our environment does not lend itself well to LDAP queries from the PAN device, so instead we have to leverage the LDAP proxy option through the user id agents. Does this in essence make the 4.1.3-2 agents function like 3.1's?
03-14-2012 10:03 AM
I apologize as I don't understand your question on the LDAP proxy.
In 3.1, the agent is performing both the user identification and the group membership lookup.
In 4.1, the agent is doing user identification only. The group membership lookup is done on the PA firewall itself, and this lookup uses LDAP.
Thanks.
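To make the two-stage behaviour described in the replies above concrete (the agent supplies only an IP-to-user mapping; the firewall resolves group membership over LDAP and writes the user into the traffic log, or leaves the field blank when the IP was never identified), here is a small model of that flow. It is an added example for this thread, not Palo Alto code and not how PAN-OS is implemented internally; the IP mappings, group DNs, users and rules are all constructed sample data.

```python
"""Toy model of PAN-OS 4.1 User-ID: agent maps IP->user, firewall maps user->group."""
from dataclasses import dataclass
from typing import Optional

# Stage 1 output: what the User-ID agent learns from DC logon events.
# Constructed sample data; the agent itself knows nothing about groups.
AGENT_IP_USER_MAP = {
    "10.1.1.10": "corp\\alice",
    "10.1.1.11": "corp\\bob",
}

# Stage 2 data: group membership the firewall's LDAP group mapping would cache.
# Constructed sample data. Note carol is in a group but has no IP mapping.
LDAP_GROUP_MEMBERS = {
    "cn=finance,ou=groups,dc=corp,dc=example": {"corp\\alice"},
    "cn=it,ou=groups,dc=corp,dc=example": {"corp\\bob", "corp\\carol"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source_user: str  # "any", a "domain\\user" name, or a group DN from group mapping
    action: str       # "allow" or "deny"


# Constructed rulebase, evaluated top-down like a security policy.
RULES = [
    Rule("finance-to-erp", "cn=finance,ou=groups,dc=corp,dc=example", "allow"),
    Rule("bob-admin", "corp\\bob", "allow"),
    Rule("it-to-mgmt", "cn=it,ou=groups,dc=corp,dc=example", "allow"),
    Rule("deny-all", "any", "deny"),
]


def user_for_ip(ip: str) -> Optional[str]:
    """Stage 1 (agent): return the mapped user for an IP, or None if unidentified."""
    return AGENT_IP_USER_MAP.get(ip)


def rule_matches(rule: Rule, user: Optional[str]) -> bool:
    """Stage 2 (firewall): match the rule's source-user field against the mapped user.

    A user or group rule can never match an unidentified source, regardless of
    whether groups are used; only a source-user of "any" matches such traffic.
    """
    if rule.source_user == "any":
        return True
    if user is None:
        return False
    if rule.source_user in LDAP_GROUP_MEMBERS:
        members = {m.lower() for m in LDAP_GROUP_MEMBERS[rule.source_user]}
        return user.lower() in members
    return user.lower() == rule.source_user.lower()


def evaluate(src_ip: str) -> dict:
    """Evaluate one flow and return the fields a traffic-log entry would carry."""
    user = user_for_ip(src_ip)
    for rule in RULES:
        if rule_matches(rule, user):
            # Source user is populated only when stage 1 identified the IP.
            return {"src_ip": src_ip, "src_user": user or "",
                    "rule": rule.name, "action": rule.action}
    raise RuntimeError("unreachable: the deny-all rule matches every flow")


def format_log(entry: dict) -> str:
    """Render one entry as a constructed log line for reading."""
    return (f"src={entry['src_ip']} user={entry['src_user']!r} "
            f"rule={entry['rule']} action={entry['action']}")


if __name__ == "__main__":
    # 10.1.1.12 is carol's machine but the agent never saw her logon.
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(format_log(evaluate(ip)))
```

Running it shows alice matched by her group, bob matched by his user name, and the unidentified 10.1.1.12 landing on deny-all with an empty user field even though carol is a member of the IT group: group mapping only helps once the agent has supplied the IP-to-user mapping.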