Threats with User-ID


>>User ID overview

4 main components. Grp the users. users use username and group in Policies >Security then see Monitor > Logs > Traffic (source user) check on the ruler

Domain controller are used to allow trust. An agent used in the domain controller works with the firewall when accessing the internet (outside). 

User-ID Main Functions

IP address map to username

Grp mapping using LDAP (lightweight directory access protocol)

User-ID Components

There are 4 components

One component is 1.Windows-based User-ID agent with Characteristics -->Runs on a domain member, Collects IP address to username information and Sends information to the firewall

Other components are 2. PAN-OS integrated User ID agent 3.Palo Alto Networks firewall and 4. Palo Alto Networks Terminal Services agent

Integrated Agent Versus Windows-Based Agent

>>User mapping methods overview

There are many xml API  syslog listening, port mapping, XFF headers, server monitoring, client probing, user authentication ----USER/IP map 

IP to username mapping

User Mapping Using GlobalProtect (this is the PaloAlto VPN)

User-ID Syslog Monitoring

User-ID Operation Overview: Domain Controllers

User-ID Domain Controller Monitoring

User-ID Windows Session Monitoring

>>Configure User-ID

Enable User ID by zone then mapping methods, then configure a group mapping, modify firewall policy rules

Enable User-ID Per Zone

Network > Zones > <select_zone>

>>PAN-OS integrated agent configuration

Configure the PAN-OS Integrated User ID Agent

Start on the domain controller, by creating a service account with the required permissions to run the agent. On the firewall, define the address of the server(s) to be monitored. Then add the service account to monitor the server(s).

Define the Monitored Server(s)

Device > User Identification > User Mapping

Define the User-ID Agent Account

Device > User Identification > User Mapping

Optional Session Monitoring

Device > User Identification > User Mapping

Verify Connection Status

Device >User Identification

>>Configure group mapping

LDAP Server Profile

Device > Server Profiles > LDAP > Add

Create User-ID Group Mapping Filters

Device > User Identification > Group Mapping Settings > Add

Filter Groups Sent to the Firewall

Device > User Identification > Group Mapping Settings > Add

Custom Groups Based on LDAP Filters

Device > User Identification > Group Mapping Settings > Add

>>User-ID and Security policy

Select Users and Groups for a Security Policy

Source user options:

  • any
  • pre logon
  • known user
  • unknown
  • select

1. Which User-ID component and mapping method is recommended for web clients that do not use the domain server?

GlobalProtect NO

Terminal Services agent

Captive Portal


2. Which port does the Palo Alto Networks Windows-based User-ID agent use by default?

TCP port 80 <--NO 
TCP port 5007 -- 5007    Unofficial          ->>     Palo Alto Networks - User-ID agent

TCP port 443 NO

TCP port 4125

3. The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.


4. Which two statements are true regarding User-ID and firewall configuration?

NETBIOS is the only client-probing method supported by the USER-ID agent

The USER-ID agent must be installed on the domain controller

The firewall needs to have information for every USER-ID agent for which it will connect 

Communication between the firewall and USER-ID agent are sent over an encrypted SSL connection 

5. Which statement is true regarding User-ID and Security policy rules?

The Source IP and Source User fields cannot be used in the same policy. NO

If the user associated with an IP address cannot be determined, all traffic from that address will be dropped.  NO

Users can be used in policy rules only if they are known by the firewall

The Source User field can match only users, not groups. NO

6. Which item is not a valid choice when the Source User field is configured in a Security policy rule?



any NO