How real-time is User-ID?


L4 Transporter

Kind of as per the subject really.  I'm interested in using User ID so that only authenticated users have internet access, but I'm not sure quite how "real-time" it is?

  • Someone comes in and switches on a computer, logs onto the domain, tries to browse the web - will the Palo Alto know so soon that they are now the user logged onto a particular PC?
  • What happens if multiple users log on to the same PC?
  • What happens if someone brings in their laptop and they're already logged on, let's say the laptop's in Standby, but they just wake it up and plug back in to the LAN?

Basically I'm trying to understand the downsides of using User-ID for policy enforcement rather than simply for additional log information.

Our PAN is running 4.1.8 and our User Agent is 3.1.2.

Thanks.

Accepted Solutions

L7 Applicator

Hello,

It's pretty much real time. There are some time gaps, but they should not be noticeable to a user.

  • A user logging into the domain adds an event to the DC. As long as User-ID is reading those security logs, the first time the user goes through the firewall it will check with User-ID. That will have already read the log and have the user's IP mapping cached, so the very first request will already have the user name to IP mapping.
  • If two or more users are logged into the same computer (like a terminal server), the most recent user will overwrite the mapping for the previous user. For that reason, you should run the Terminal Server Agent on all systems that have multiple users logging in to them. The Terminal Server Agent will dole out source port ranges to each user that logs in, and that mapping will let the firewall know who is generating that request.
  • Bringing a computer off standby *should* generate a domain controller security event as well. If there is no event, User-ID (at least the 4.1 version, I'm not sure about the 3.1 version) has a couple of options: a WMI probe, or a NetBIOS query. If you have those enabled in User-ID, it will try WMI first and NetBIOS as a last-ditch effort. If those are not enabled or fail, the user will be unknown. You can also enable a Captive Portal for devices that do not join the domain.

Hope this helps!

Greg

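As an added illustration of the mapping behaviour Greg describes (example code written for this page, not from the thread or from Palo Alto's product): a toy model of the IP-to-user cache fed by constructed domain-controller logon events, showing the "most recent logon wins" overwrite on a shared PC, the Terminal Server Agent's source-port ranges, and the fall-through to captive portal when the user is unknown. All names, IPs, port ranges and the event format are assumptions.

```python
# Added example, not Palo Alto code: a toy model of the User-ID
# IP-to-user mapping cache. Event format, names and addresses are
# constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class UserIdCache:
    # Plain IP -> user mapping, as learned from DC security log events.
    ip_map: dict = field(default_factory=dict)
    # Terminal-server mapping: ip -> list of (port_lo, port_hi, user).
    port_map: dict = field(default_factory=dict)

    def on_dc_logon(self, ip, user):
        # A newer logon from the same IP overwrites the earlier user,
        # which is the shared-PC problem described in the reply.
        self.ip_map[ip] = user

    def on_ts_agent(self, ip, port_lo, port_hi, user):
        # The Terminal Server Agent gives each session a source-port range,
        # so several users behind one IP can be told apart.
        self.port_map.setdefault(ip, []).append((port_lo, port_hi, user))

    def lookup(self, ip, sport):
        # Port-range mappings win over the plain IP mapping.
        for lo, hi, user in self.port_map.get(ip, []):
            if lo <= sport <= hi:
                return user
        return self.ip_map.get(ip, "unknown")

def policy_action(cache, ip, sport):
    # Unknown users fall through to the captive-portal rule; known
    # users hit the user-based allow rule.
    user = cache.lookup(ip, sport)
    return ("captive-portal", user) if user == "unknown" else ("allow", user)

# Constructed sample events (not real security-log entries).
EVENTS = [
    ("dc", "10.0.0.5", "alice"),
    ("dc", "10.0.0.7", "bob"),
    ("dc", "10.0.0.7", "carol"),                 # second logon, same PC
    ("ts", "10.0.0.20", 20000, 20999, "dave"),   # terminal server sessions
    ("ts", "10.0.0.20", 21000, 21999, "erin"),
]

def build_cache(events=EVENTS):
    cache = UserIdCache()
    for ev in events:
        if ev[0] == "dc":
            cache.on_dc_logon(ev[1], ev[2])
        else:
            cache.on_ts_agent(*ev[1:])
    return cache
```

Note that bob's traffic from 10.0.0.7 would be attributed to carol once she logs on, which is exactly why the reply recommends the Terminal Server Agent on multi-user hosts.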


Thanks Greg, Captive Portal as a "last resort" rule if the user is still unknown sounds very workable here.

We're on 4.1.8 and I must admit I'm a little confused from the online help about how I'd only display the portal if the User-ID was unknown, and how I'd hook the portal into LDAP/Active Directory for authentication. Do you have any links or KB articles please? (I'm just going to do a search of Knowledge Point now.)

Thanks.

Hello,

You can configure a captive portal policy first, e.g. trust to untrust, action: captive-portal. If the firewall receives an HTTP request from an IP it doesn't have any user mapping for, the user is basically 'Unknown' and will trigger the portal authentication page. You can configure the authentication profile/mode for Captive Portal as well, under Device tab > User Identification > Captive Portal.

Here's a good reference guide,

Hope that helps!

Thanks,

Aditi

Thanks Aditi, I've got it working.

So the next question: right now I have a "whitelist" rule as the last rule in my security policy. It essentially says

"If it's from the LAN to any other zone, and it's in the "whitelist" URL Filtering profile, allow it; otherwise block it".

This is used for a few domains such as antivirus updates, Microsoft, etc.

What's the best way to drop a rule in underneath this as the captive portal rule so that the whitelist rule still fires, since it's used by things such as servers that don't have a person sitting there to enter credentials? Is source IP in the captive portal rule the only option here?
