user-id 4.1.3-2, pan os 4.1.3, no user mappings

thanks for that...i can now see the logins in the user logins in the user-id agent, but the  result from

@PA-5060> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
---------------------------------------------------------------------------
AD               172.30.1.10     5007  vsys1  conn:idle         5     N

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

still shows connection is idle... i noticed in the agent log it says "SSL no certificate" and when running wireshark i see the traffic on tcp port 5007 is associated with "wsm-server-ssl".  I don't know if this is relevent or not.

the output from the following still shows that users are not making it to my FW.

j@PA-5060> show user user-IDs

User Name                       Vsys    Groups
------------------------------------------------------------------

so you are saying that even if i don't want to do group mappings in my policy yet, i still have to configure the ldap settings to pull the groups over so i can see the users inside of them using the user-id agent?

why do they even have a user-id agent then?!!!....this should really be documented in one single guide somewhere...the way everything reads......all i had to do if i only wanted user names to magically pop up in my policies was to install and configure the user-id agent.

if they have the FW directly querying the DC for the group membership, why not just use the same method to pull user-ids as well (i know... some orgs have thousands of users...)...

our web proxy does all of this with a simple agent on a domain server....domain and non domain authentication....

i will give this a shot....thank you for all your help becuase the lack revelevent documentation and clear procedures are driving me nuts!!

JEFF!!!! YOU ARE MY ONLY FRIEND IN THE WORLD!!!! right now anyway because i'm in a lab by myself :smileylaugh:!!!

i can see the name and groups in my policy so i'm off to test more stuff.....

for anyone else new to PAN and starting with 4.1.3, may jeff help you!

the 4.1 admin guide is pretty useless for this process unless you're already familiar with it. these are the docs the proved useful and most docs where found in knowledepoint not in the technical documentation section:

1.for installing the agent - "User-ID-Agent_Setup-4 1.pdf"  

the very last step in the doc has you add user to the “Event Log Reader” and “Server Operator” built in groups . the “Event Log Reader” group is only for server 2008. server 2003 you add the user to “Manage Auditing and Security Log”    under "local policies->user rights assignment" in either the default domain controller security settings or default domain security settings depending on where you installed the agent.

Don't forget to discover your DC!!! this step is not in the setup doc

2. agent-FW communication. "User-Identification-TN.pdf" this is a tech note for pan 2.1 but it has a "Device Configuration" section in part II ( the configuration section) of the doc that gives you the FW side of the process. the sections "L3 Inline Management Interface" and "Enable Security Zone for User Identification" are the relevent ones. as i was not the one that initially set up the FW, i had no clue these settings had to be done until i ran across them here.

also, under "devices->user identification->user-id agents tab" add your agent to the FW

3. for the LDAP part - "User-ID_Upgrade_4.1-RevB" or "User Identification Tech Note - PANOS 4.1"

i prefer the upgrade doc.  in the section "LDAP Server Profiles" step 6. for the "bind dn" entry, the format "user@domain" didn't work for me, but the "cn=user,cn=Users, dc=domain" format did.

also this doc is written for 2008 server so the instructions for the  "Identifying the Directory Base" section don't apply to a 2003 server.

you have to have a  progam on your system that can read ldap. if you installed the support tools for windows, you have LDP  or click this link. http://technet.microsoft.com/en-us/library/cc772839%28v=ws.10%29.aspx  the "tool location" section has the d/l link in it. you'll have to d/l the .msi and the .cab file to install the support tools. there are otherways to access it. i just did it this way.

this got it working..at least for my set up.

thanks again jeff!!

Yes, you need the AD group mappings in order to get the users inside of them. You can then create policies that control access based AD groups and users.

Subsequently, the PAN needs the IP to user mapping that the User-ID agent provides so it can identify the user and apply the policies.

Jeff

Hey Jeff,

Thanks for all of your help. We may have one scenario where the

users would be traversing a proxy prior to hitting the Palo Alto firewall.

Since the firewall will only see the dataflow relevant to the proxy's IP

address and not the user's IP address in AD, I assume that userID will not

work. Is the only option in that scenario to get the user forensics piece

to use the Captive Portal and force the users to authenticate at the

firewall w/ LDAP?

Thanks again for all of your support!

very respectfully,

Steve

Steven E. King

Chief Security Officer

SRC Technologies, INC.

steve.king@src-technologies.com

www.src-technologies.com

410-262-9239 - cell

410-569-1414 - home

Hi...Some proxies have the feature to source using the client IPs instead of the proxy's own IP.  The PA firewall can then map the users to their IPs.  Captive Portal will not help because all users will be sharing the same IP address of the proxy.

You should considering putting the PA firewall before the proxy, or replacing the proxy and let the PA firewall do the URL filtering.  Thanks.