PANCast Episode 11: User-ID — How to Leverage Users and Groups to Monitor Access

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L2 Linker
100% helpful (1/1)


Episode Transcript:


Hello PANCasters! Welcome to another episode; in this one, we'll discuss User-ID. Let’s talk about what User-ID actually is, what it’s used for, and also a couple of common “gotchas” to be aware of.


User-ID is exactly as it sounds: It allows the firewall to map a user to the traffic it sees. So, rather than traffic and sessions being based on an IP address, we know which user the traffic belongs to. This gives us visibility which is very important as a user’s IP can and will change. While visibility is great, the second part of User-ID is control. Rather than having to build security policy on IP addresses we use the username to determine what policies they match. This works not only for individual users but also for groups of users which we will discuss a bit later on.

John Arena is a Professional Services Consultant with a background in Technical Support for Palo Alto Networks and a passion for educating and sharing knowledge with customers.John Arena is a Professional Services Consultant with a background in Technical Support for Palo Alto Networks and a passion for educating and sharing knowledge with customers.

What is User-ID?


To begin with, for us to know what user an IP maps to, it generally needs to be information that comes from somewhere external to the firewall. There are a number of different sources we can get this information from and some are more common than others.


Before we go into the various sources, I just want to go through the concept a bit more. User-ID is really a mapping that says at this point in time, IP address X is used by user Y. This information is normally learnt by the firewall when an event happens, such as the user logs in. What is key to understand is that the mapping stays current as long as it does not time out or is replaced by another user to ip mapping update.


Getting User-ID Information


On to the sources: the most common one we see is reading Active Directory logs which will have a security log whenever a user logs in and this will include the users IP address. This is great as, at the start of the business day, we should have a pretty good view of which IPs belong to which user. But what happens if you have wireless and as a user moves between floors they get assigned a different IP address? There is no new logon event so nothing changes on the firewall mapping. This is where we need to look at the other options of sources for that information. In this example, there are a couple of things we can do. We have integrations with some wireless vendors to be able to get those IP updates as users roam and change IPs. Otherwise, we can use either syslog or XML API to get those changes to the firewall to update the mappings. Again this is based on events or logs outside of the firewall which we need to use to update those mappings.


There are a few other ways we can also get the mappings and each environment will be different. The key is to understand you may need to get the information from various sources for it always to be up to date. A couple of final things on this before we move on. First is captive portal. This can be used as a fallback. It  can be configured so that if a IP address does not have a user mapped, and tries to go through the firewall they can be requested to be authenticated via captive portal. This then updates the user to ip mapping. There are obviously some limitations with this as the traffic has to be http or https but it is a good fallback mechanism. Second is GlobalProtect. GlobalProtect is our remote access VPN solution which includes the GlobalProtect client. What it can also be used for is that even when a user is on your internal network, they can still authenticate using the GlobalProtect client. This means the user to ip mapping is always known. This is a great way to have accurate user to ip mapping if you already use GlobalProtect.


So, having user to ip mapping is great. We now have visibility in the logs where we can see user details and we can also now add users to various policies to control it as well. This is helpful but not scalable. What really helps is being able to use your directory group information to be able to write policy. As an example, you can have a group on your Active Directory which contains users that are allowed to access certain URL categories that are generally not allowed for all users. That way, to add access for another user, you just add the user to the group and when the firewall updates the groups, access is then allowed. Group mapping needs to be configured so the firewalls are able to collect the groups and users and also update them periodically. There’s a few different directory services we support so you can check them out on our admin guides.


Things to Be Aware of With User-ID


On to the “gotchas.” There are a couple of common things to look for when you suspect User-ID is not working. Number one is that User-ID needs to be enabled on the zones you want to use it — and that’s not on by default. The reverse of this is that you definitely only want it on the zones that need and not all zones, especially things like Internet facing zones. Secondly is remembering that a mapping is not infinite and has a timeout.


By default, User-ID mappings learnt on a firewall from server logs have a timeout of 45 minutes. This means if there is no way to refresh the mapping, 45 minutes after it’s learnt it will timeout.  If you have ways to update or refresh them then it will be ok, otherwise you need to look at increasing this timer to match your environment. Number three is there are various formats for usernames and what is learnt via user to ip mapping may be different to the format of the username in your group mapping. We do support multiple username formats so in most cases it should be ok. Just be aware though there could still be a mismatch in the usernames which could be why your group based policies are not matching.


Just before we finish up I want to mention the Cloud Identity Engine. This is a cloud based identity service that can be used for authentication and group mapping. It can integrate with both your on-prem directory services and also cloud based. In terms of group mapping for this User-ID discussion, it’s a great way for your firewalls to be able to get group mapping information from a single source.


I imagine most deployments with Palo Alto Networks firewalls, or Prisma Access, will already be using User-ID to some level so I hope this has given you a little more info on how it works.


And that’s it for User-ID. It is a pretty simple feature and one that has huge benefit but as you can see there are a lot of ways you can get both the mapping information and the group information and these are

where you need to make sure it is configured correctly.


Remember the transcript and associated articles can be found at and a reminder if there is a particular topic you would like to be featured on PANCast, head to and you can submit your ideas under the PANCast ideas submission area. Bye for now.


Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.


Related Content:


Rate this article: