This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About wxiao
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About wxiao
06-02-2023
6Posts
0Likes
0Solutions
Jun 02, 2023Last Visited
User
Activity
User
Profile
Latest posts by wxiao
| Subject | Views | Posted |
|---|---|---|
| 475 | 04-27-2023 09:10 PM | |
| 266 | 01-17-2023 02:51 AM | |
| 278 | 01-12-2023 12:52 AM |
My LIVEcommunity Articles Contributions
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
User Badges
Community Statistics
| Member Since | 11-09-2022 06:58 PM |
| Date Last Visited | 06-02-2023 04:34 AM |
| Posts | 6 |
04-27-2023
09:10 PM
The customer wants to know the query mechanism of agentless user-id. I can see the following description from the documentation.
With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.
However, the customer asked two questions. I did not find the answers. Can you help answer.
1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.
2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).
User-ID
... View more
环境
Palo Alto 防火墙
PAN-OS 8.1或更高版本
组映射(Group Mapping)
概述
Palo Alto Networks防火墙可以从LDAP服务器(如Active Directory或eDirectory)检索用户到组的映射信息。这些数据可以通过防火墙的LDAP查询(通过无代理的User-ID)或通过配置为代理防火墙LDAP查询的User-ID代理来检索。本文件描述了如何在Palo Alto Networks防火墙上配置组映射。
步骤
配置 LDAP 服务器配置文件:如何配置 LDAP 服务器配置文件
配置如何从LDAP目录中检索组和用户,在PaloAlto防火墙上通过Device > User Identification > Group Mapping Settings创建一个新的组映射条目,然后点击 "Add"。请参考下面的屏幕截图。
输入一个名称。对于支持多个虚拟系统的Palo Alto网络,将有一个下拉列表(Location)供其选择。
在 "Server Profile "标签下的下拉列表中指定LDAP服务器配置文件(在步骤1中配置)。
注意:所有的属性(Attributes)和对象类别(Object Class)将根据你在 "LDAP服务器配置文件 "中选择的目录服务器类型进行填充。
用户组变化的默认更新时间间隔(Update Interval)是3600秒(1小时)。输入一个值来指定一个自定义的时间间隔。
点击转到 "Group Include List "标签。如果你想包括所有的组,就把包括列表留空,否则从左边一栏中选择要包括的组,这些组应该被映射。
CLI命令检查检索的组和与LDAP服务器的连接:
> show user group-mapping state all
> show user group list
> show user group name <group name>
注意:当多个组映射配置在同一基础DN或LDAP服务器上时,每个组映射必须包括不重叠的组,即包括组列表不能有任何共同的组。
... View more
Labels:
01-12-2023
12:52 AM
概述
本文介绍了如何在CLI(命令行界面)中查看、创建和删除安全策略。
详细介绍
从CLI创建一个新的安全策略:
> configure (按回车键)
# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (按回车键)
# exit
例子:
# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (按回车键)
注意:对于所有CLI命令的输入帮助,使用"?"或[tab]来获得可用命令的列表。
从CLI查看Palo Alto Networks安全策略:
> show running security-policy
Rule From Source To Dest. User Proto Port Range Application Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP untrust-vwir 10.16.0.92 Untrust-vwir any any any any any allow
trust-vwire trust-vwire
rule4 untrust-vwir any untrust-vwir 10.16.0.92 any any any any allow
trust-vwire trust-vwire
rule3 trust-vwire any untrust-vwir any any any any any allow
下面的命令将输出整个配置:
> show config running
设定格式输出为set:
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# edit rulebase security
[edit rulebase security]
# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes
切换为默认输出格式:
从配置模式:
# run set cli config-output-format default
[edit rulebase security]
# show
security {
rules {
rashi {
from [ trust-vwire untrust-vwire];
to [ trust-vwire untrust-vwire];
source 10.16.0.21;
destination any;
service any;
application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
action deny;
source-user any;
option {
disable-server-response-inspection no;
}
negate-source no;
negate-destination no;
disabled yes;
log-start no;
log-end yes;
profile-setting {
profiles {
file-blocking rashi_file_alert;
data-filtering rashi_dlp;
}
使用XML格式查看配置:
从配置模式:
# run set cli config-output-format xml
[edit rulebase security]
# show
<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>
<entry name="rashi">
<from>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</from>
<to>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</to>
<source>
<member>10.16.0.21</member>
</source>
<destination>
<member>any</member>
</destination>
<service>
<member>any</member>
</service>
<application>
<member>adobe-meeting-remote-control</member>
<member>adobe-meeting</member>
<member>adobe-online-office</member>
</application>
<action>deny</action>
<source-user>
<member>any</member>
</source-user>
<option>
<disable-server-response-inspection>no</disable-server-response-inspection>
</option>
<negate-source>no</negate-source>
<negate-destination>no</negate-destination>
<disabled>yes</disabled>
<log-start>no</log-start>
<log-end>yes</log-end>
<profile-setting>
<profiles>
<file-blocking>
<member>rashi_file_alert</member>
</file-blocking>
<data-filtering>
另外,如果你想用更短的方式在配置模式下查看和删除安全规则,你可以使用这两条命令:
查找一条规则:
show rulebase security rules <rulename>
删除一条规则:
delete rulebase security rules <rulename>
... View more
Labels:
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-02-2023
04:34 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks