user-id 4.1.3-2, pan os 4.1.3, no user mappings

jj
Not applicable

hello and hope someone can help,

I am brand new to PAN (not to FWs or networking) and I've been trying to get this to work for a week now with no results.

i have attached some pics of the user id agent gui and logs.

I have read and followed the instructions found in the following docs:

"user-id agent initial installation and setup version 4.1", "user-identification-operations-4.0", "user-identification tech note - panos 4.1", the 4.1 admin guide, and "user-identification-tn-2.1" and the 3.0 version, because the last two docs contain the firewall side of the configuration, which is nowhere in any of the 4.x docs.

i installed the agent directly on a vm of 2003R2 server. ip 172.30.1.10

The agent says it's connected, the FW says it's connected. L3 FW interface IP 172.30.1.2

Results of the: @PA-5060> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
---------------------------------------------------------------------------
AD               172.30.1.10     5007  vsys1   conn:idle         5     N

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

-----------------------------------------------------------------------------------------------------------------

@PA-5060> debug user-id agent AD status

Servers:
Name                             Status

Group Mapping Queried:
Name                             Status     Last-Finish-Time

------------------------------------------------------------------------------------------------------

AD is the name configured on the FW under the user-id agents tab with host 172.30.1.10, port 5007, NTLM auth and an olive green circle under connected.

In the user-identification-operations 4.0 doc it says the agent listens for the following events: 672, 673, 674

But my logon/logoff events on the DC are: 538, 540, 680

i also understand that if i want to do group policies then i need to have the FW directly query the DC via LDAP. that will be my next step.

right now i just want to make policies using user names.

any ideas?? i have about an hour left today and i'll be back at it tomorrow.

thanks



All Replies
Jeff_K
L2 Linker

In your pan-2 pic it shows the PAN connected but you don't have any Connected Servers (Windows Servers)... you need to configure the User-ID Agent to monitor the security event log of specific DCs. Do this in the 'Discovery' section. Jeff

jj
Not applicable

Thanks for that... I can now see the logins in the user logins in the user-id agent, but the result from

@PA-5060> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
---------------------------------------------------------------------------
AD               172.30.1.10     5007  vsys1  conn:idle         5     N

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

still shows the connection is idle... I noticed in the agent log it says "SSL no certificate" and when running Wireshark I see the traffic on TCP port 5007 is associated with "wsm-server-ssl". I don't know if this is relevant or not.

the output from the following still shows that users are not making it to my FW.

j@PA-5060> show user user-IDs

User Name                       Vsys    Groups
------------------------------------------------------------------

Jeff_K
L2 Linker

The command "show user user-IDs" displays your AD user to AD group mapping... not the username to IP address mapping that the 4.1.x User-ID Agent does.

You need to:

  1. configure a LDAP Server Profile.  \Device\Server Profiles\LDAP
  2. configure a Group Mapping to pull in your wanted AD groups and their associated AD members. \Device\User Identification\Group Mapping Settings

Jeff


jj
Not applicable

so you are saying that even if i don't want to do group mappings in my policy yet, i still have to configure the ldap settings to pull the groups over so i can see the users inside of them using the user-id agent?

why do they even have a user-id agent then?!!!....this should really be documented in one single guide somewhere...the way everything reads......all i had to do if i only wanted user names to magically pop up in my policies was to install and configure the user-id agent.

if they have the FW directly querying the DC for the group membership, why not just use the same method to pull user-ids as well (i know... some orgs have thousands of users...)...

our web proxy does all of this with a simple agent on a domain server....domain and non domain authentication....

I will give this a shot.... thank you for all your help, because the lack of relevant documentation and clear procedures is driving me nuts!!

jj
Not applicable

JEFF!!!! YOU ARE MY ONLY FRIEND IN THE WORLD!!!! right now anyway because i'm in a lab by myself :smileylaugh:!!!

i can see the name and groups in my policy so i'm off to test more stuff.....

for anyone else new to PAN and starting with 4.1.3, may jeff help you!

The 4.1 admin guide is pretty useless for this process unless you're already familiar with it. These are the docs that proved useful; most docs were found in KnowledgePoint, not in the technical documentation section:

1.for installing the agent - "User-ID-Agent_Setup-4 1.pdf"  

The very last step in the doc has you add a user to the "Event Log Reader" and "Server Operator" built-in groups. The "Event Log Reader" group is only for Server 2008. On Server 2003 you add the user to "Manage Auditing and Security Log" under "local policies->user rights assignment" in either the default domain controller security settings or default domain security settings, depending on where you installed the agent.

Don't forget to discover your DC!!! this step is not in the setup doc

2. Agent-FW communication: "User-Identification-TN.pdf". This is a tech note for PAN 2.1 but it has a "Device Configuration" section in part II (the configuration section) of the doc that gives you the FW side of the process. The sections "L3 Inline Management Interface" and "Enable Security Zone for User Identification" are the relevant ones. As I was not the one that initially set up the FW, I had no clue these settings had to be done until I ran across them here.

also, under "devices->user identification->user-id agents tab" add your agent to the FW

3. for the LDAP part - "User-ID_Upgrade_4.1-RevB" or "User Identification Tech Note - PANOS 4.1"

i prefer the upgrade doc.  in the section "LDAP Server Profiles" step 6. for the "bind dn" entry, the format "user@domain" didn't work for me, but the "cn=user,cn=Users, dc=domain" format did.

also this doc is written for 2008 server so the instructions for the  "Identifying the Directory Base" section don't apply to a 2003 server.

You have to have a program on your system that can read LDAP. If you installed the support tools for Windows, you have LDP, or click this link: http://technet.microsoft.com/en-us/library/cc772839%28v=ws.10%29.aspx The "tool location" section has the d/l link in it. You'll have to d/l the .msi and the .cab file to install the support tools. There are other ways to access it; I just did it this way.

This got it working... at least for my setup.

thanks again jeff!!

Jeff_K
L2 Linker

Yes, you need the AD group mappings in order to get the users inside of them. You can then create policies that control access based on AD groups and users.

Subsequently, the PAN needs the IP to user mapping that the User-ID agent provides so it can identify the user and apply the policies.

Jeff

jj
Not applicable

Hey Jeff,

Thanks for all of your help. We may have one scenario where the users would be traversing a proxy prior to hitting the Palo Alto firewall. Since the firewall will only see the dataflow relevant to the proxy's IP address and not the user's IP address in AD, I assume that userID will not work. Is the only option in that scenario to get the user forensics piece to use the Captive Portal and force the users to authenticate at the firewall w/ LDAP?

Thanks again for all of your support!

very respectfully,

Steve

Steven E. King
Chief Security Officer
SRC Technologies, INC.

rmonvon
L6 Presenter

Hi...Some proxies have the feature to source using the client IPs instead of the proxy's own IP.  The PA firewall can then map the users to their IPs.  Captive Portal will not help because all users will be sharing the same IP address of the proxy.

You should consider putting the PA firewall before the proxy, or replacing the proxy and letting the PA firewall do the URL filtering. Thanks.
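An added illustration (not from this thread and not Palo Alto's agent code): a small Python model of the username-to-IP mapping the User-ID agent builds from the DC security events the thread lists, and of why, as rmonvon explains, every user behind a proxy collapses onto the proxy's single IP. Which event IDs count as logon versus logoff, and all accounts and addresses, are constructed assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample security events: (event_id, account, client_ip).
# Assumption for this demo: 672/673/674 (Kerberos, per the 4.0 doc) and
# 540 (network logon) map a user to an IP; 538 (logoff) clears it.
SAMPLE_EVENTS = [
    (672, "alice@LAB.LOCAL", "172.30.1.50"),   # TGT granted to alice from her PC
    (673, "bob@LAB.LOCAL", "172.30.1.51"),     # service ticket for bob
    (540, "LAB\\carol", "172.30.1.52"),        # network logon for carol
    (674, "alice@LAB.LOCAL", "172.30.1.50"),   # ticket renewal, same host
    (538, "LAB\\carol", "172.30.1.52"),        # carol logs off
    # Two users behind a proxy: the DC only ever sees the proxy's address
    (672, "dave@LAB.LOCAL", "172.30.1.200"),
    (672, "erin@LAB.LOCAL", "172.30.1.200"),
]

LOGON_EVENTS = {672, 673, 674, 540}
LOGOFF_EVENTS = {538}


def normalize(account):
    """Reduce 'user@REALM' or 'DOMAIN\\user' to a bare lowercase username."""
    if "@" in account:
        return account.split("@", 1)[0].lower()
    if "\\" in account:
        return account.rsplit("\\", 1)[1].lower()
    return account.lower()


def build_ip_user_map(events):
    """IP -> user table the firewall would consume; last logon per IP wins."""
    mapping = {}
    for event_id, account, ip in events:
        user = normalize(account)
        if event_id in LOGON_EVENTS:
            mapping[ip] = user
        elif event_id in LOGOFF_EVENTS and mapping.get(ip) == user:
            del mapping[ip]
    return mapping


def find_shared_ips(events):
    """IPs that several distinct users logged on from (a proxy or NAT device)."""
    seen = defaultdict(set)
    for event_id, account, ip in events:
        if event_id in LOGON_EVENTS:
            seen[ip].add(normalize(account))
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    print(build_ip_user_map(SAMPLE_EVENTS))
    print("ambiguous:", find_shared_ips(SAMPLE_EVENTS))
```

The proxy IP ends up holding whichever user logged on last, so policy for dave would be applied to erin's traffic and vice versa; an agent that forwards the real client IP, or placing the firewall in front of the proxy, is what removes the collision.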
