Recommended User-ID settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Recommended User-ID settings

L4 Transporter

I need some help understanding the recommended settings for Pan-OS agentless User-ID.

 

First, here are my current enabled settings.


Server Monitor tab:  I have "Enable Security Log" checked.   Server log monitor frequency is 20, server session read frequency is 10

 

Client Probing; enabled and set to 20 min

 

Cache: User ID timeout is enabled and set to 1440

 

 

I'm not sure if these settings are ideal, especially the client probing.  I'm in a mix windows/mac environment (80/20), using active directory.

 

The documentation mentioned not recommended to enable client probing, but i'm unsure what is the downside if I were to disable it.

 

 

 

 

 

5 REPLIES 5

L4 Transporter

Hi

 

With Client Probing enabled the firewall initiates a WMI connection to client computers to verify that the same user is still logged in. There is more configuration to be done in the domain/client computers (allow client's windows firewall inbound WMI, account permissions...) other than enabling the 'check box'. More info here: 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-us...

 

Cahche values determine when the ip-to-user mapping entries get removed. Default is 45 minutes which is way to short IMHO. I set it to 5-6 hours.

 

Server log monitor frequency defaults to 2 seconds - the firewall will read security event log entries-deltas every 2 seconds. If you set it to 20 seconds you have up to a 20 second period were your users are still unknown to the firewall.

 

Session read, if enabled in the check-box, default is not checked - will have the firewall try to monitor user sessions via other means (think File & Print servers that have user sessions).

 

The above is from a Windows environment point. Never used a MAC :(.

 

Hope this helps,

Shai

thanks for reply.  Is the cache value of 1440 too high?

I don't think 1440 is to high.

What happens is that specific IP address remains in cache for 1440 minutes before it is removed, so communication from that IP address will still hit rules that have that username in them.  If a new user logs in from that IP, the record is updated to reflect the new username.

 

 

L5 Sessionator

Looks to be fine minus WMI - certainly disable that. Its really made for legacy networks and is somewhat a security risk these days.

 

An additional recommendation would be to make sure that you have User-ID enabled on only your Trust zones. A note on top of this, if you have User-ID enabled on Untrust for example used in conjunction with WMI probing - the hash of the WMI accounts' password would be sent out to random hosts on the internet; that's a big no-no.

 

Finally, it's always a best practice to make use of the "Include/Exclude Networks" to only map usernames to IP addresses from certain parts of the network. You can also utilise this feature to exclude servers' IP ranges to prevent usernames being mapped there unnecessarily - for example when someone RDPs to a server.

 

Cheers,

Luke.

Hi, I have this issue with ip-user-mapping. We are using Windows computer. There are times that ip is being remap to inactive user (previously logged in but did not sign out). I set User Identification Timeout to 720 minutes but it seems that every refresh, ip is map to inactive user and not with the currently logged on user. Would it resolve the issue if I uncheck Enable User Identification Timeout?

  • 9609 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!