don't understand the user identification difference between pan-agent of the and userid-agent.

Reply
Not applicable

don't understand the user identification difference between pan-agent of the and userid-agent.

     I use PAN-OS 4.1.3 for test about user identification. I try to use pan-agent by set LDAP server profile and set mapping group already. Then I can use only user groups of AD (user name in group not show) in security policy but can't see user name in "source user" in traffic log.  In case I use UserID-agent,  I will use user name from AD in security policy and show user name in traffic log.

     Is it correct ?


Accepted Solutions
L6 Presenter

For PAN-OS 4.1.3, you should use the 4.1.3-2 UserID agent to monitor the DC's for user logins.   This will produce the usernames in the traffic log.

When you set the LDAP server, LDAP profile, and the group mapping on the PAN device, this will query the group memberships and make them available to the security rules.  There, you can define policies for source user=AD users and./or AD groups.

Thanks,

View solution in original post


All Replies
L4 Transporter

Hi there,

yes correct once you install the UserID Agent you can start to use AD usernames in policies and you can see AD usernames in traffic logs.

rgds Roland

Not applicable

thank you for your reply

L6 Presenter

For PAN-OS 4.1.3, you should use the 4.1.3-2 UserID agent to monitor the DC's for user logins.   This will produce the usernames in the traffic log.

When you set the LDAP server, LDAP profile, and the group mapping on the PAN device, this will query the group memberships and make them available to the security rules.  There, you can define policies for source user=AD users and./or AD groups.

Thanks,

View solution in original post

Not applicable

Follow-up question on this:

From the statements above, it seems to indicate that MS AD user names are not populated into the traffic or URL logs if the access control is based on MS AD group memberships?

Is that correct?

L6 Presenter

Once users are identified by the agent, their usernames will be populated in the traffic and URL logs.  For those users not identified the log field will be blank.  This will be true regardless if AD groups are used or not used in security rules.

Thanks.

Not applicable

Is that also true for LDAP being proxied through the user id agent 4.1.3-2? Our environment does not lend itself well to LDAP queries from the PAN device, so instead have to leverage the LDAP proxy option through the user id agents. Does this in essence make the 4.1.3-2 agents function like 3.1's?

L6 Presenter

I apologize as I don't understand your question on the LDAP proxy.

In 3.1, the agent is perfoming both the user identification and group membership lookup.

In 4.1, the agent is doing user identification only.  The group membership lookup is done on the PA firewall itself, and this lookup is using LDAP.

Thanks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!