Hello PAN community,
I have setup user-ID with Active Directory and the hostnames and user names for domain joined systems are being logged in the firewall's monitor.
Some systems have their hostnames resolved, but others are just showing IP addresses. Does anyone know why?
Second, I'm also trying to see if user-ID can pick up source names and hostnames IF the systems they're on is not windows joined domain, but just in a workgroup. These non-domain systems, the users also use AD credentials to access network shares if that's relevant.
Thank you and appreciate the any feedback.
User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table.
1. IP's instead of usernames usually means no IP-to-User mapping for that IP address.
2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping
3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address.
4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network.
5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal.
Hope this helps,
Thank you for your time in providing your feedback. For the captive portal, does that mean every time the non-domain clients
logon, they must open up a webpage to authenticate to the firewall in order for the IP-to-User mapping to happen?
If the client does not need to use a browser that day, then the mapping will not happen, correct?
How does the initial authentication happen, do the users need a firewall local account too?
Thank you for your reply. Can you help me to understand a bit more? Are you saying that the Aruba
is the RADIUS server? The non-domain client would first send the authentication request to the Aruba and then pass
those creds to the Windows DC and then which the Palo accepts the authentication?
I'm connecting to GlobalProtect VPN using a non-domain joined Windows 11 machine. The behavior I'm seeing is my User-ID is registered with the firewall containing the GlobalProtect gateway, but not in AD--so no data is picked up by the User-ID Agent for distribution (so username/group-based firewall rules work locally, but not on remote firewalls). If I log into a domain controller using RDP, that picks up my credentials and GlobalProtect IP address and then shows up in User-ID Agent (allowing the remote user/group-based rules to work). Is captive portal the best way to handle this or is there a better way? Thank you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!