user-ID non-domain windows systems not being logged

L1 Bithead

Hello PAN community,

I have set up User-ID with Active Directory, and the hostnames and user names for domain-joined systems are being logged in the firewall's monitor.

Some systems have their hostnames resolved, but others are just showing IP addresses. Does anyone know why?

Second, I'm also trying to see if User-ID can pick up source names and hostnames if the systems they're on are not domain-joined Windows systems but just in a workgroup. On these non-domain systems the users also use AD credentials to access network shares, if that's relevant.

Thank you, and I appreciate any feedback.

L3 Networker

Hi

User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall, which does not see an IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials; these in turn get authenticated via your LDAP profile to a DC and added to the mapping table.

Some notes:

1. IP's instead of usernames usually means no IP-to-User mapping for that IP address.

2. Run this command over SSH on the firewall: 'show user ip-user-mapping all'. It helps with debugging, as it shows the currently known IP-to-User mappings.

3. In the User-Identification window, increase the cache timeout. The default is 45 minutes and is too short in my opinion; I use 300 minutes. This controls when a record is removed from the mapping table if there are no more updates from that IP address.

4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network.

5. You can also use Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange, and this might be even easier to set up and detect than Captive Portal.

Hope this helps,

L0 Member

If you use network authentication (802.1X) you can set up integration between your RADIUS server and Palo Alto to establish IP-to-User mappings for non-domain clients. We use Aruba ClearPass, but there are integration guides for other products also.
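
The two approaches in the replies above (checking which traffic sources have no entry in 'show user ip-user-mapping all', and feeding mappings for non-domain hosts from an external authentication source such as a RADIUS/802.1X system) can both be scripted. The block below is an added example, not code from this thread, from Palo Alto Networks, or from Aruba: it parses a constructed sample of the firewall's mapping table, lists the source IPs from a constructed traffic log that have no mapping, and builds the User-ID XML API "login" message that an external system would submit to register a mapping with a timeout. The firewall hostname, API key, usernames and IP addresses are placeholders, and the column layout of the CLI output is assumed to match the constructed sample; verify it against your own PAN-OS version before relying on the parser.

```python
"""Added example (not from the thread): find traffic sources without an
IP-to-User mapping and build a User-ID XML API update for a non-domain host.
All sample data below is constructed; host, key, users and IPs are placeholders."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of 'show user ip-user-mapping all' output. The column
# layout (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) is an assumption.
MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.10.1.21      vsys1  AD      corp\\jdoe                        2400           2400
10.10.1.22      vsys1  AD      corp\\asmith                      2700           2700
10.10.2.50      vsys1  CP      corp\\contractor1                 1500           1500
Total: 3 users
"""

# Constructed source IPs as they would appear in Monitor > Traffic.
TRAFFIC_SOURCES = ["10.10.1.21", "10.10.3.7", "10.10.1.22", "10.10.3.8", "10.10.2.50"]

# One data row: ip vsys from user idle max (header/separator/Total lines do not match)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(text):
    """Return {ip: {...}} for every data row of the mapping table output."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, vsys, source, user, idle, maxt = m.groups()
        try:
            ipaddress.ip_address(ip)  # guard against a non-data row slipping through
        except ValueError:
            continue
        mappings[ip] = {"vsys": vsys, "from": source, "user": user,
                        "idle": int(idle), "max": int(maxt)}
    return mappings


def unmapped_sources(mapping_text, source_ips):
    """Source IPs seen in traffic that have no mapping (why the log shows an IP, not a user)."""
    mapped = parse_mappings(mapping_text)
    return sorted({ip for ip in source_ips if ip not in mapped}, key=ipaddress.ip_address)


def uid_login_message(entries):
    """Build a User-ID XML API update registering IP-to-User mappings.

    entries: iterable of (user, ip, timeout_minutes). This is the message shape an
    external authenticator (RADIUS/802.1X, a logon script) submits to the firewall."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip, timeout in entries:
        ipaddress.ip_address(ip)  # reject garbage before it reaches the firewall
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(int(timeout)))
    return ET.tostring(root, encoding="unicode")


def api_post(fw_host, api_key, uid_xml):
    """Return (url, form_body) for the POST that submits the mapping.

    Nothing is sent here; in production send it with TLS verification enabled and
    keep the API key in a secret store, not in the script."""
    url = f"https://{fw_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body


if __name__ == "__main__":
    print("Sources with no mapping:", unmapped_sources(MAPPING_OUTPUT, TRAFFIC_SOURCES))
    # Suppose an 802.1X/RADIUS system just authenticated a workgroup user on 10.10.3.7.
    xml = uid_login_message([("corp\\wgroupuser", "10.10.3.7", 300)])
    url, body = api_post("firewall.example.invalid", "<API-KEY>", xml)
    print(url)
    print(xml)
```

The timeout on each entry is in minutes and plays the same role as the User-ID cache timeout discussed above: when it expires without a refresh, the firewall drops the mapping and the source goes back to showing as a bare IP.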

L1 Bithead

Hi ShaiW,

Thank you for your time in providing your feedback. For the Captive Portal, does that mean that every time the non-domain clients log on, they must open up a web page to authenticate to the firewall in order for the IP-to-User mapping to happen? If the client does not need to use a browser that day, then the mapping will not happen, correct? How does the initial authentication happen; do the users need a firewall local account too?

Thank you,
Mrmrtechky

L1 Bithead

Hi Terje,

Thank you for your reply. Can you help me to understand a bit more? Are you saying that the Aruba is the RADIUS server? The non-domain client would first send the authentication request to the Aruba, which then passes those creds to the Windows DC, and then the Palo accepts the authentication?

Thank you,
Mrmrtechky
