user-ID non-domain windows systems not being logged

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

user-ID non-domain windows systems not being logged

L1 Bithead

Hello PAN community,

I have setup user-ID with Active Directory and the hostnames and user names for domain joined systems are being logged in the firewall's monitor.

Some systems have their hostnames resolved, but others are just showing IP addresses. Does anyone know why?

Second, I'm also trying to see if user-ID can pick up source names and hostnames IF the systems they're on is not windows joined domain, but just in a workgroup.  These non-domain systems, the users also use AD credentials to access network shares if that's relevant.

Thank you and appreciate the any feedback.

6 REPLIES 6

L4 Transporter

Hi

 

User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table.

 

Some notes:

1. IP's instead of usernames usually means no IP-to-User mapping for that IP address.

2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping

3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address.

4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network.

5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal.

 

Hope this helps,

 

L0 Member

If you use network authentication (802.1x) you can setup integration between your Radius server and Palo Alto to establish IP-user mappings for non-domain clients. We use Aruba ClearPass, but there are integration guides for other products also.

Hi ShaiW,

Thank you for your time in providing your feedback.  For the captive portal, does that mean every time the non-domain clients

logon, they must open up a webpage to authenticate to the firewall in order for the IP-to-User mapping to happen?
If the client does not need to use a browser that day, then the mapping will not happen, correct?
How does the initial authentication happen, do the users need a firewall local account too?

 

Thank you,
Mrmrtechky

Hi Terje,

 

Thank you for your reply.  Can you help me to understand a bit more?  Are you saying that the Aruba 

is the RADIUS server?  The non-domain client would first send the authentication request to the Aruba and then pass

those creds to the Windows DC and then which the Palo accepts the authentication?

Thank you,
Mrmrtechky

I'm connecting to GlobalProtect VPN using a non-domain joined Windows 11 machine. The behavior I'm seeing is my User-ID is registered with the firewall containing the GlobalProtect gateway, but not in AD--so no data is picked up by the User-ID Agent for distribution (so username/group-based firewall rules work locally, but not on remote firewalls). If I log into a domain controller using RDP, that picks up my credentials and GlobalProtect IP address and then shows up in User-ID Agent (allowing the remote user/group-based rules to work). Is captive portal the best way to handle this or is there a better way? Thank you.

I would also like to know if captive portal is best method for securing connection from a non-domain machine. 

  • 4681 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!