CONTROLLING ACCESS TO NETWORK RESOURCES WITH User-ID
>>User-ID overview
User-ID has 4 main components. It maps IP addresses to usernames and groups the users, so that Security policy rules (Policies > Security) can match on username or group instead of only on IP address. To confirm that mapping works, check the Source User column in Monitor > Logs > Traffic against the rule that was hit.
Domain controllers are the usual source of login events: an agent (running on a domain member, or integrated in the firewall) reads the security event logs of the domain controllers and sends IP-address-to-username mappings to the firewall, which then enforces user-based policy on traffic such as internet (outside) access.
User-ID Main Functions
- IP address to username mapping
- Group mapping using LDAP (Lightweight Directory Access Protocol)
User-ID Components
There are 4 components:
1. Windows-based User-ID agent. Characteristics: runs on a domain member (not necessarily a domain controller), collects IP address-to-username information and sends it to the firewall.
2. PAN-OS integrated User-ID agent (runs on the firewall itself, no separate server needed)
3. Palo Alto Networks firewall
4. Palo Alto Networks Terminal Services agent (for multi-user hosts such as Citrix or Windows terminal servers, where many users share one IP address)
Integrated Agent Versus Windows-Based Agent: the integrated agent is configured on the firewall and needs no extra host; the Windows-based agent runs on a separate Windows server, offloads the monitoring work from the firewall and can feed several firewalls.
>>User mapping methods overview
Methods that produce the USER/IP map:
- XML API (an external system pushes mappings to the firewall)
- syslog listening (the firewall parses login events sent by other systems)
- port mapping (Terminal Services agent)
- XFF headers (X-Forwarded-For, when a proxy sits in front of the firewall)
- server monitoring (domain controller / Exchange event logs)
- client probing (WMI or NetBIOS probes to the endpoint)
- user authentication (Captive Portal, GlobalProtect)
IP to username mapping
User Mapping Using GlobalProtect (this is the Palo Alto Networks VPN client)
User-ID Syslog Monitoring
User-ID Operation Overview: Domain Controllers
User-ID Domain Controller Monitoring
User-ID Windows Session Monitoring
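Added example (not code from the page or from Palo Alto Networks): a small model of the syslog-listening method and of the XML API feed described above. The firewall's Syslog Parse Profile is configured with regular expressions (an event regex, a username regex and an address regex); the block applies equivalent regexes to constructed sample syslog lines to build an IP-to-username table, drops malformed addresses and honours logouts, then renders the table as the <uid-message> document that the PAN-OS XML API (type=user-id) accepts. The syslog lines, host name and API key are constructed placeholders.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample syslog lines (not a real capture), in the style of a
# wireless controller / NAC box reporting logins and logouts.
SAMPLE_SYSLOG = """\
<134>Mar 12 09:01:02 wlc01 aaa: Login OK user=ACME\\alice ip=10.20.1.15
<134>Mar 12 09:01:05 wlc01 aaa: Login OK user=ACME\\bob ip=10.20.1.16
<134>Mar 12 09:02:11 wlc01 aaa: Login FAILED user=ACME\\mallory ip=10.20.1.99
<134>Mar 12 09:03:40 wlc01 aaa: Logout user=ACME\\alice ip=10.20.1.15
<134>Mar 12 09:04:00 wlc01 aaa: Login OK user=ACME\\carol ip=999.1.1.1
<134>Mar 12 09:05:30 wlc01 aaa: Login OK user=ACME\\dave ip=10.20.1.17
"""

# Equivalent of a Syslog Parse Profile: only lines matching the event regex
# are considered; username and address are then pulled out by their own
# regexes (mirrors the Event / Username / Address regex fields).
LOGIN_PROFILE = {
    "event": re.compile(r"Login OK"),
    "user": re.compile(r"user=(?P<user>\S+)"),
    "addr": re.compile(r"ip=(?P<ip>[0-9.]+)"),
}
LOGOUT_PROFILE = {
    "event": re.compile(r"Logout"),
    "user": re.compile(r"user=(?P<user>\S+)"),
    "addr": re.compile(r"ip=(?P<ip>[0-9.]+)"),
}


def _extract(profile, line):
    """Return (user, ip) if the line matches the profile, else None."""
    if not profile["event"].search(line):
        return None
    u = profile["user"].search(line)
    a = profile["addr"].search(line)
    if not (u and a):
        return None
    try:
        ip = str(ipaddress.ip_address(a.group("ip")))  # reject malformed addresses
    except ValueError:
        return None
    return u.group("user"), ip


def build_mapping_table(syslog_text):
    """Replay login/logout events in order and return {ip: username}."""
    table = {}
    for line in syslog_text.splitlines():
        hit = _extract(LOGIN_PROFILE, line)
        if hit:
            user, ip = hit
            table[ip] = user          # a newer login on the same IP replaces the old user
            continue
        hit = _extract(LOGOUT_PROFILE, line)
        if hit:
            user, ip = hit
            if table.get(ip) == user:  # clear only if that user still owns the IP
                del table[ip]
    return table


def uid_message(table, timeout_minutes=60):
    """Render the table as a PAN-OS XML API <uid-message> login payload."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(table.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def api_request(firewall_host, api_key, table):
    """URL and form body for a POST to https://<firewall>/api/ with type=user-id."""
    url = f"https://{firewall_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_message(table)})
    return url, body


if __name__ == "__main__":
    mapping = build_mapping_table(SAMPLE_SYSLOG)
    print(mapping)
    print(uid_message(mapping))
    # Sending is left to the caller (e.g. requests.post(url, data=body, verify=ca_bundle));
    # the host name and key here are placeholders, not a real device.
    print(api_request("fw.example.internal", "PLACEHOLDER_API_KEY", mapping)[0])
```

The failed login is ignored because the event regex does not match it, the logout removes alice's mapping, and the entry with an impossible address is dropped rather than pushed to the firewall; what remains is exactly what the firewall would see from either the syslog listener or the XML API feed.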
>>Configure User-ID
Steps: 1) enable User-ID on the zones where users sit, 2) configure the mapping method(s), 3) configure group mapping, 4) modify Security policy rules to match on users or groups.
Enable User-ID Per Zone
Network > Zones > <select_zone>
>>PAN-OS integrated agent configuration
Configure the PAN-OS Integrated User ID Agent
Start on the domain controller by creating a service account with the permissions required for the agent to read the security event log. On the firewall, define the address(es) of the server(s) to be monitored, then add the service account credentials that the firewall uses to monitor those server(s).
Define the Monitored Server(s)
Device > User Identification > User Mapping
Define the User-ID Agent Account
Device > User Identification > User Mapping
Optional Session Monitoring
Device > User Identification > User Mapping
Verify Connection Status
Device >User Identification
>>Configure group mapping
LDAP Server Profile
Device > Server Profiles > LDAP > Add
Create User-ID Group Mapping Filters
Device > User Identification > Group Mapping Settings > Add
Filter Groups Sent to the Firewall
Device > User Identification > Group Mapping Settings > Add
Custom Groups Based on LDAP Filters
Device > User Identification > Group Mapping Settings > Add
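Added example (not code from the page or from Palo Alto Networks): a minimal evaluator for LDAP search filters (RFC 4515 syntax with &, |, !, and equality tests with * wildcards) run against a constructed in-memory set of directory entries. It lets you check offline which users a custom-group filter would select before entering it under Device > User Identification > Group Mapping Settings. The entries, DNs and attribute values are made up; attribute names follow Active Directory conventions (sAMAccountName, memberOf, userAccountControl). Extensible-match rules such as the AD bitwise operator and escaped values are deliberately not supported here.

```python
import re

# Constructed directory entries (not a real directory export).
# userAccountControl 512 = normal enabled account, 514 = normal but disabled.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=acme,DC=local", "sAMAccountName": "alice",
     "objectClass": ["top", "person", "user"], "department": "Finance",
     "memberOf": ["CN=Finance,OU=Groups,DC=acme,DC=local"], "userAccountControl": "512"},
    {"dn": "CN=bob,OU=Users,DC=acme,DC=local", "sAMAccountName": "bob",
     "objectClass": ["top", "person", "user"], "department": "Engineering",
     "memberOf": ["CN=Eng,OU=Groups,DC=acme,DC=local"], "userAccountControl": "512"},
    {"dn": "CN=carol,OU=Users,DC=acme,DC=local", "sAMAccountName": "carol",
     "objectClass": ["top", "person", "user"], "department": "Finance",
     "memberOf": ["CN=Finance,OU=Groups,DC=acme,DC=local"], "userAccountControl": "514"},
    {"dn": "CN=svc-userid,OU=Service,DC=acme,DC=local", "sAMAccountName": "svc-userid",
     "objectClass": ["top", "person", "user"], "department": "IT",
     "memberOf": [], "userAccountControl": "66048"},
]


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = peek()
        if op in ("&", "|"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.index(")", pos)          # ValueError if unterminated
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError("only attr=value equality tests are supported")
            node = ("=", attr, value)
            pos = end
        if peek() != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _match_value(pattern, value):
    """LDAP equality with '*' wildcards, case-insensitive like AD."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    key = next((k for k in entry if k.lower() == attr.lower()), None)
    if key is None:
        return False                       # absent attribute never matches
    values = entry[key] if isinstance(entry[key], list) else [entry[key]]
    return any(_match_value(pattern, v) for v in values)


def members(filter_text, directory=DIRECTORY):
    """sAMAccountNames of the entries a custom-group filter selects."""
    tree = parse_filter(filter_text)
    return sorted(e["sAMAccountName"] for e in directory if evaluate(tree, e))


if __name__ == "__main__":
    for f in ["(&(objectClass=user)(memberOf=CN=Finance,OU=Groups,DC=acme,DC=local))",
              "(&(objectClass=user)(department=Finance)(!(userAccountControl=514)))",
              "(|(department=Eng*)(sAMAccountName=svc-*))"]:
        print(f, "->", members(f))
```

The second filter is the kind of check worth running before trusting a custom group in policy: without the negation, the disabled account carol would still be a member, and the firewall would happily match her mapping if it ever appeared.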
>>User-ID and Security policy
Select Users and Groups for a Security Policy
Source user options:
- any
- pre-logon
- known-user
- unknown
- select
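Added example (not code from the page or from Palo Alto Networks) showing how each Source User option of a Security policy rule resolves against the User-ID tables. The IP-to-user mapping, the group membership and the rulebase are constructed; the rules are evaluated top down with first match wins, as in Policies > Security. The treatment of a GlobalProtect pre-logon mapping as not being a known-user is an assumption made for this example.

```python
# Constructed IP-to-user mapping table, as the firewall would hold it after
# the mapping methods have run (not real data).  A GlobalProtect pre-logon
# tunnel appears with the reserved username "pre-logon".
IP_USER = {
    "10.20.1.16": "acme\\bob",
    "10.20.1.17": "acme\\dave",
    "10.20.1.30": "pre-logon",
}

# Constructed group mapping result (group -> members), all lower-case.
GROUP_MEMBERS = {
    "acme\\finance": {"acme\\alice", "acme\\carol"},
    "acme\\eng": {"acme\\bob", "acme\\dave"},
}

# Ordered rulebase; each rule carries its Source User option and, for
# "select", the chosen users/groups.  First match wins.
RULES = [
    {"name": "gp-pre-logon-updates", "source_user": ("pre-logon", [])},
    {"name": "allow-eng-to-git", "source_user": ("select", ["acme\\eng"])},
    {"name": "known-users-web", "source_user": ("known-user", [])},
    {"name": "unmapped-hosts-restricted", "source_user": ("unknown", [])},
    {"name": "deny-all", "source_user": ("any", [])},
]


def source_user_matches(option, selected, src_ip, ip_user=IP_USER, groups=GROUP_MEMBERS):
    """True if the rule's Source User setting matches the traffic's source IP."""
    user = ip_user.get(src_ip)
    if option == "any":
        return True
    if option == "pre-logon":
        return user == "pre-logon"
    if option == "known-user":
        # Assumption for this example: the pre-logon placeholder is not an
        # authenticated user, so it does not count as known-user.
        return user is not None and user != "pre-logon"
    if option == "unknown":
        return user is None                      # no mapping for this IP at all
    if option == "select":
        if user is None or user == "pre-logon":
            return False
        u = user.lower()
        for item in selected:
            item = item.lower()
            if item == u or u in groups.get(item, set()):
                return True
        return False
    raise ValueError(f"unsupported Source User option: {option}")


def first_match(src_ip, rules=RULES):
    """Name of the first rule whose Source User field matches, or None."""
    for rule in rules:
        option, selected = rule["source_user"]
        if source_user_matches(option, selected, src_ip):
            return rule["name"]
    return None


if __name__ == "__main__":
    for ip in ["10.20.1.16", "10.20.1.17", "10.20.1.30", "10.20.1.99"]:
        print(ip, IP_USER.get(ip, "<no mapping>"), "->", first_match(ip))
```

The unmapped host 10.20.1.99 is the case to watch: it does not fall through to deny-all but hits the unknown rule, and a user whose mapping has expired lands there too, which is why a rule matching unknown should be as narrow as the rules matching known-user.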
1. Which User-ID component and mapping method is recommended for web clients that do not use the domain server?
GlobalProtect NO
Terminal Services agent NO (this is for multi-user hosts such as Citrix/terminal servers)
Captive Portal <-- YES
XML API NO
2. Which port does the Palo Alto Networks Windows-based User-ID agent use by default?
TCP port 80 <--NO
TCP port 5007 <-- YES (5007 is the default port the User-ID agent listens on; the firewall connects to it)
TCP port 443 NO
TCP port 4125 NO
3. The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.
True
4. Which two statements are true regarding User-ID and firewall configuration?
NetBIOS is the only client-probing method supported by the User-ID agent NO (WMI probing is also supported)
The User-ID agent must be installed on the domain controller NO (it runs on any domain member)
The firewall needs to have information for every User-ID agent to which it will connect <-- YES
Communication between the firewall and the User-ID agent is sent over an encrypted SSL connection <-- YES
5. Which statement is true regarding User-ID and Security policy rules?
The Source IP and Source User fields cannot be used in the same policy. NO
If the user associated with an IP address cannot be determined, all traffic from that address will be dropped. NO
Users can be used in policy rules only if they are known by the firewall
The Source User field can match only users, not groups. NO
6. Which item is not a valid choice when the Source User field is configured in a Security policy rule?
known-user NO (valid choice)
unknown NO (valid choice)
any NO (valid choice)
all <-- YES, not a valid choice