Palo Alto PCNSA Topic: Chapter 9 – User-ID
December 19, 2022

1. 9.1 User-ID overview

In this video, we are covering PCNSA 210, and this is our Chapter Nine, User-ID. Now this is the first video of chapter nine, which is 9.1, User-ID overview. User-ID purpose: the dynamic nature of users and applications means that IP addresses alone are less effective as a mechanism for monitoring and controlling user activity. User-ID technology identifies the users on the network and the IP addresses of the computers the users are logged into.

So, for example, from the traffic log you can see on the screen, the source user was myself, and I accessed this PC with this IP address, and at that time I accessed this destination, and the action was allow. So with security policy we can control what action is taken, maybe deny, maybe allow, depending on which user logged on to which machine. If I logged on to a different machine, maybe I would be denied, but we can control exactly which user, which machine they logged into, and what they are going to. You can't deny that I actually did that at that time. So with User-ID, you can write policies, display logs, and display reports using the username instead of just IP addresses and port numbers. And this gives us great control over which users or user groups may access which applications or which network segments.

So, for example, unknown users can be treated differently from known users to accommodate network guests. User-ID main functions: before we can create user- and group-based policy rules, the firewall requires a list of all available users and their corresponding group mappings. So user mapping is the association of IP addresses with usernames, and we get this from normal network traffic, maybe a user logging on, logging off, accessing a file share or printing, and so on. And we have group mapping. This is a list of group names: what groups we have and what users are in those groups. We usually get this information from LDAP, and then we can apply security policies to the groups. We can also apply security policies to single users.

But this is not recommended because we're just going to create a larger set of security policy rules, which places a higher demand on the firewall and requires more of its resources. So it's better just to group the users and apply security policies to those groups. User-ID components: the User-ID agent is the agent that collects all the usernames and IP addresses and then sends them to the firewall, and it comes in two forms. You can either have it as an integrated agent that is resident on the firewall and already included in the PAN-OS software, or we can have a Windows-based agent that is available for download from Palo Alto Networks. A firewall can communicate with both agent types at the same time. Both agent types monitor up to 100 domain controllers or Exchange servers. Both agent types can monitor users and domain controllers only from a single Active Directory (AD) domain.

Now, the integrated agent is designed for small and midsize deployments, such as in a small remote office or lab environment. Multiple Windows-based agents can be deployed to handle larger environments with multiple forest domains. User-ID technology has four main components. So the first component is the Windows-based User-ID agent. This runs on a domain member. It can run on a domain controller as well if you want, but that is not recommended. So we select a domain member, which is usually very close to your domain controller for bandwidth usage, and it will collect IP address and username information, and all of this collected information is sent to the firewall. The second is the PAN-OS integrated User-ID agent. This runs directly on the firewall and collects IP address and username information. The third is the Palo Alto Networks Terminal Services agent, which runs on Microsoft and Citrix terminal servers, and it collects IP address and port number to username information and sends all the information to our firewall. And then we have the Palo Alto Networks firewall, which maps the IP addresses to usernames and also maps usernames to group names. Integrated agent versus Windows-based agent: an integrated agent uses network bandwidth more efficiently. And remember, the integrated agent is the agent running inside the firewall. It uses bandwidth more efficiently, but it does consume more of the firewall's management plane resources.

The PAN-OS integrated agent uses either Windows Management Instrumentation (WMI) or the Windows Remote Management protocol (WinRM), which enables the agent to retrieve only the relevant User-ID information from the Windows security logs. So the PAN-OS integrated agent is more efficient because it receives only the required information. If you run the Windows-based agent, which uses MS-RPC, the full Windows security logs have to be sent to the agent, and then the agent filters out only the relevant User-ID information and sends it to our firewall. So if you run the agent directly as integrated, we only get the IP address and the username mapping from the domain controller, which is the only relevant information that we need. If you run the agent on the domain member, then the domain controller sends the full security log, and the domain member just filters what needs to be sent to the firewall. In an infrastructure with the remote networks separated by one link, the integrated agent is more appropriate for reading remote logs, and the Windows-based agent is more appropriate for reading local logs.

2. 9.2 User mapping methods overview

In this video, we are covering PCNSA 210, and this is our Chapter Nine, User-ID. Now this is the second video of Chapter Nine, which is 9.2, User mapping methods overview. Now, User-ID technology includes multiple methods to map an IP address to a user. One way or another, we need to map an IP address to a user. We get the groups and group members from LDAP, put these users into groups, and then we can apply policies, logs, and reports. The decision about which mapping methods you use depends on the operating systems, applications, and network infrastructure that we have in our organization. So these are some of the mapping methods that we have. For example, User-ID monitors Microsoft AD domain controllers, Microsoft Exchange servers, or Novell eDirectory servers for login or logout events recorded in authentication logs. User-ID also reads session tables to confirm known IP-address-to-username mappings based on the current Windows file and printer shares, and User-ID acquires username information from Captive Portal web forms and logon events on GlobalProtect client machines.

User-ID listens for syslog login and logout messages from network access control systems, 802.1X devices, and wireless controllers. One way or another, we're going to have to map an IP address to a user so we can apply security policies, logs, or reports to the user rather than just the IP address. User mapping using GlobalProtect: GlobalProtect users, and these are users who are using VPN clients, must authenticate to gain access to the network, so the IP-address-to-username mapping is explicitly known. GlobalProtect directly adds the username to the firewall's User-ID mapping table. GlobalProtect is the best solution in sensitive environments where you must be certain of who a user is to allow access to an application or service. User-ID syslog monitoring monitors syslog events for login and logout messages.

The messages are used to update IP-address-to-username mappings, with custom profiles for each syslog message format. So we can look at syslog messages for login and logout events from wireless controllers, 802.1X devices, Apple Open Directory, proxy servers, or network access control. User-ID operation overview, domain controller: before User-ID can operate, it must first be enabled in the security zone. So we have to go to the zone and enable user identification, and we have to do that for every zone that we want User-ID applied to. If User-ID is enabled, then the firewall consults the administrator-defined User-ID configuration to determine which agent the firewall has available to gather IP address and username information. User-ID on the firewall could query either an integrated agent or a Windows-based agent. The agent retrieves IP address and username information from the domain controller. Once User-ID has retrieved the IP address and the user information from the agent, it can use the firewall's LDAP configuration to retrieve user-to-group mapping information from an LDAP server. At this point, User-ID will have an IP address associated with a username and one or more group names, and then we can apply security policies.
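The syslog monitoring and operation overview above, worked through as an added example (this is not PAN-OS code and not part of the original lesson): each syslog sender gets its own parse profile, login and logout messages update an IP-to-user table, and a lookup returns the user plus group names. The two message formats, the sender names, the usernames and the group table are all constructed for illustration; the group table stands in for what LDAP would return.

```python
import ipaddress
import re

# Constructed parse profiles: one login and one logout pattern per syslog sender.
PROFILES = {
    "wlc": {
        "login": re.compile(r"AUTH-SUCCESS user=(?P<user>\S+) ip=(?P<ip>\S+)"),
        "logout": re.compile(r"DISCONNECT user=(?P<user>\S+) ip=(?P<ip>\S+)"),
    },
    "nac": {
        "login": re.compile(r"login ok: \[(?P<user>[^\]]+)\] from (?P<ip>\S+)"),
        "logout": re.compile(r"logout: \[(?P<user>[^\]]+)\] from (?P<ip>\S+)"),
    },
}

# Constructed user-to-group mapping, standing in for the LDAP group mapping.
GROUPS = {
    "alice": {"engineering"},
    "bob": {"finance", "vpn-users"},
    "carol": {"engineering"},
}

# Constructed sample messages as (sender, line).
SAMPLE_EVENTS = [
    ("wlc", "Dec 19 10:00:01 wlc1 AUTH-SUCCESS user=Alice ip=192.168.1.21"),
    ("nac", "Dec 19 10:00:05 nac1 login ok: [bob] from 192.168.1.22"),
    ("wlc", "Dec 19 10:05:00 wlc1 AUTH-SUCCESS user=carol ip=192.168.1.21"),
    # Late logout for the previous owner of .21: must not remove carol's mapping.
    ("wlc", "Dec 19 10:05:02 wlc1 DISCONNECT user=Alice ip=192.168.1.21"),
    ("nac", "Dec 19 10:06:00 nac1 logout: [bob] from 192.168.1.22"),
]


class MappingTable:
    def __init__(self, groups):
        self.groups = groups
        self.ip_to_user = {}

    def feed(self, sender, line):
        """Apply one syslog line; return 'login', 'logout' or None if ignored."""
        profile = PROFILES.get(sender)
        if profile is None:  # no profile for this sender: message is ignored
            return None
        for event in ("login", "logout"):
            m = profile[event].search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m["ip"]))
            except ValueError:  # malformed address: never store it
                return None
            user = m["user"].lower()
            if event == "login":
                self.ip_to_user[ip] = user  # newest login wins for this IP
            elif self.ip_to_user.get(ip) == user:
                del self.ip_to_user[ip]
            else:
                return None  # stale logout for a user who no longer owns the IP
            return event
        return None

    def resolve(self, ip):
        """Return (username, groups); unmapped addresses resolve to 'unknown'."""
        user = self.ip_to_user.get(ip)
        if user is None:
            return ("unknown", frozenset())
        return (user, frozenset(self.groups.get(user, ())))


def replay(events):
    table = MappingTable(GROUPS)
    for sender, line in events:
        table.feed(sender, line)
    return table


if __name__ == "__main__":
    t = replay(SAMPLE_EVENTS)
    for ip in ("192.168.1.21", "192.168.1.22"):
        print(ip, t.resolve(ip))
```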

User-ID domain controller monitoring: the User-ID agent monitors the security logs for logon or logout events for the specified Microsoft domain controller. Each User-ID agent can monitor multiple domain controllers per domain. However, each User-ID agent can monitor only a single domain. Security logs are not replicated between the domain controllers, so you must set up server monitoring for all domain controllers to capture all user logon events. User-ID Windows session monitoring: clients who have connected to a shared file or print resource will have their session information stored on the domain controller. So an additional Windows-based method to resolve IP addresses to users is to consult the shared resource session table recorded on the domain controller. So, user mapping recommendations.

If we have GlobalProtect VPN clients, we should use GlobalProtect. If we have web clients that do not use domain servers, we have Captive Portal. If we have, for example, non-Windows systems or network access control mechanisms such as wireless controllers, 802.1X devices, or proxy servers, then we can use a syslog listener. If we have Exchange servers, domain controllers, or directory servers, we should be using the User-ID agent. For Windows file and print shares, we also use the User-ID agent, with session monitoring. If you have a multiuser system such as Microsoft Remote Desktop Services or Citrix MetaFrame Presentation Server or XenApp, we use the Terminal Services agent. And if we have Windows clients that often change their IP address, we use User-ID agent client probing. For devices and applications not integrated with User-ID, we use the User-ID XML API.

3. 9.3 Configuring User-ID

In this video, we are covering PCNSA 210, and this is our Chapter Nine, User-ID. Now this is the third video of Chapter Nine, which is 9.3, Configuring User-ID. Now there are four steps to configure User-ID. The first step is to enable User-ID by zone. So for each individual zone, you have to go there and enable user identification. Once we do that, we can move on to step two, which is to configure your user mapping methods. We can have two: either an integrated agent running inside the firewall itself or a Windows agent running on a Windows domain member. The third step is optional, but it is recommended: configure group mapping, and we get the group mapping from LDAP. It's recommended because when we apply security policy, it's better to apply it to the group rather than just the individual user.

And the fourth step is to modify your firewall policy rules to use usernames or group names. So the first step is to enable User-ID per zone. For each zone you must click the Enable User Identification checkbox to activate User-ID on the zone. User-ID will track only users associated with the source zone of a session. By default, User-ID will try to map users from all subnetworks found within a User-ID enabled zone. We can use the include list or the exclude list. The include list limits the subnetworks or specific addresses that the firewall will attempt to map to users. Use the exclude list only to exclude user mapping information for a subset of the subnetworks added to the include list. If WMI probing is enabled, WMI will probe private IP addresses but not public IP addresses by default. Now, most of you, I know, would know the private IP addresses. Whoever is studying this course should really know the private addresses, but I'm going to write them here just for reference. Anyway, private addresses are defined in RFC 1918. These are your private IPv4 addresses, and there are ranges that we have to go through. Now, we have three classes.

So we have class A, class B and class C, each with different private addresses. Now, the class A address range is anything that starts with 10, so 10.0.0.0 all the way up to 10.255.255.255. That's considered a private IP address. And the private addresses are not allowed to go to the Internet, for example, in public. So if they actually go outside your router, they will be dropped by the next router. Class B addresses are anything from 172.16.0.0, and this is the hardest for our students to really remember, up to 172.31.255.255. All of these are private addresses. And then class C is 192.168.0.0 all the way up to, and sorry about the writing, I'm trying to write 192.168.255.255; anything in that range is a private address. All these addresses are not allowed to go to the Internet. If they for some reason managed to go past your router, the next router is configured to drop these addresses.

Okay? So you need to remember the RFC 1918 private IP addresses. WMI will probe only private IP addresses, not public IP addresses. Anyway, the next thing I'm going to do is go to my firewall and show you where to configure or enable User-ID per zone. It's very easy. You just need to go to Network, then Zones, and pick the zone where you want to enable User-ID. Really, you don't want to enable User-ID on the outside zone because you will kill your firewall. But for example, in the inside zone, we can go there, and user identification is something you can enable there. And then we have an include list. For example, the subnet that we want to include might be, say, my subnet 192-16-8104. And from that subnet that I included, I can exclude something. For example, I can exclude one IP address. So on that subnet, I don't want to know who logs on to maybe this address here, 50; it's in the lobby. Everybody can log in, and I don't want to know the users in there anyway. So the addresses in the include list are going to be mapped, and for the excluded ones User-ID is not going to try and map them. Click OK, and now you can see the inside zone has User-ID enabled. Okay?
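The zone rules from this lesson as an added example (a simplified model written for this page, not PAN-OS code): a zone with User-ID enabled maps every source address unless an include list narrows it, the exclude list carves addresses back out, and WMI probing is limited to RFC 1918 addresses. The zone names, the 192.168.1.0/24 subnet and the .50 lobby host are constructed stand-ins, not the values typed in the video.

```python
import ipaddress

# The three RFC 1918 private IPv4 ranges listed in the lesson.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0    - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0  - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_rfc1918(ip):
    """True only for addresses inside one of the three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


class ZoneUserId:
    """Model of the per-zone User-ID settings described in the lesson."""

    def __init__(self, name, enabled, include=(), exclude=()):
        self.name = name
        self.enabled = enabled
        # strict=False accepts a host address such as "192.168.1.50" as a /32.
        self.include = [ipaddress.ip_network(n, strict=False) for n in include]
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]

    def maps(self, ip):
        """Would User-ID attempt an IP-to-user mapping for this source address?"""
        if not self.enabled:
            return False
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exclude):
            return False
        if self.include:
            return any(addr in net for net in self.include)
        return True  # empty include list: every subnet in the zone is mapped

    def wmi_probes(self, ip):
        """WMI probing (when enabled) only reaches mapped, private addresses."""
        return self.maps(ip) and is_rfc1918(ip)


def classify(zone, ip):
    if not zone.maps(ip):
        return "not mapped"
    return "mapped, probed" if zone.wmi_probes(ip) else "mapped, not probed"


# Constructed zones mirroring the demo: inside is enabled with an include and
# an exclude entry, outside is left disabled, dmz is enabled with no lists.
INSIDE = ZoneUserId("inside", True, ["192.168.1.0/24"], ["192.168.1.50"])
OUTSIDE = ZoneUserId("outside", False)
DMZ = ZoneUserId("dmz", True)

if __name__ == "__main__":
    for zone, ip in [(INSIDE, "192.168.1.20"), (INSIDE, "192.168.1.50"),
                     (INSIDE, "192.168.2.5"), (OUTSIDE, "203.0.113.10"),
                     (DMZ, "203.0.113.10"), (DMZ, "172.31.255.255")]:
        print(f"{zone.name:8} {ip:16} {classify(zone, ip)}")
```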

4. 9.4 PAN-OS integrated agent configuration

In this video we are covering PCNSA 210, and this is our chapter nine, User-ID. Now this is the fourth video of chapter nine, which is 9.4, PAN-OS integrated agent configuration. Now in the previous video, 9.3, we determined that configuring User-ID is a four-step process. The first step was to enable User-ID by zone, which we did. We went to the zone, and we enabled user identification, as you can see on the presentation. The next step was to configure user mapping methods, and this is what we're going to configure in this video. But user mapping methods are actually separated into two videos because there are two types of user mapping methods. We can have the integrated agent, which is integrated inside the firewall, and I'm going to cover that in this video, and then in the next video we're going to cover the other mapping method, the Windows agent, which runs on a Windows domain member.

So to configure user mapping methods with the integrated agent, there's actually a six-step process here as well. And I'm going to demonstrate all this for you on the live firewall. But first, we just go through the slides, and then we do it on the firewall. So the first step is to go to the domain controller, and in there we create a service account with the required permission. So, for example, I went to my Active Directory Users and Computers, and in my domain, in the Users organizational unit, I created an account called Pan Agent and added that account to the two groups with the required permissions: Event Log Readers and Server Operators. Now you can add it to the administrators as well, or just the administrators, but that will give it more permission than is actually required. Once we have created a service account with the required permission, the second step is to go to the firewall and define the addresses of the servers to be monitored, and the location of that is Device, then User Identification, User Mapping, and if you scroll down a little bit, we have Server Monitoring, and we can click Add in there. We give it a name and a description, we enable it, and we have four types available: Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, and Syslog Sender.

There are three different types of transport protocols: we can have WMI, WinRM-HTTP, and WinRM-HTTPS. And this is the IP address or network address of our server to be monitored. Once we configure the server to be monitored, what we need to do is add the service account to monitor the server, the one I created earlier on my domain controller. So to do that, again, you need to go to Device, User Identification, User Mapping, Palo Alto Networks User-ID Agent Setup, and click the gear icon. The first one is the server account, or server monitor account. So in there, we give it the username, with the domain name, for the login, then the password, and that's it. The next step, optionally, is to configure session monitoring in the same place. By default we have a server log monitoring frequency, which is every 2 seconds. That's enabled by default, but we can also enable the session. So enable session here, which is 10 seconds by default. So the server session read frequency is every 10 seconds.

This enables the integrated agent to use current file and printer sharing information to verify the current IP-address-to-username mapping. The next step is optional as well, which is to configure WMI probing, in the same place: under Device, User Identification, User Mapping, Palo Alto Networks User-ID Agent Setup, the gear icon, and the third tab is Client Probing. We can enable that, and the interval is every 20 minutes. So the integrated agent periodically probes each learned IP address to verify that the same user is still logged in. And then the last step is to commit the configuration and verify the agent connection status. Now the status here should say connected, and then we are ready to enable security policy rules by defining them on the user rather than just the IP address. And last, we can show the mapping for all or for specific IP addresses. The command in PuTTY is "show user ip-user-mapping all", so we should see some users already mapped. Now I'm going to demonstrate for you how to configure everything that we covered in this lesson.

For example, first we have defined that configuring User-ID is a four-step process. We're going to check that User-ID is enabled by zone on the inside zone, which we did in lesson 6.3, and then we're going to configure the integrated User-ID agent. So first we're going to look at the domain controller, configure a service account there, and then we're going to move to our firewall. Okay? So the first thing is to check that User-ID has been enabled in our inside zone. So click on the inside zone. You can already see that it's enabled, with included subnetworks and excluded networks. But if you want to enable it, you click on the zone, and this is not enabled by default. You click enable, and then you can add which subnetworks you want to include for User-ID, or exclude, here as well. Okay, once we have done that, I need to go to my Windows domain controller and in there create a service account with the permission required to run an agent.

So if I log on to my domain controller, okay, now that I'm logged on to my domain controller, if I click Tools and then Active Directory Users and Computers, and sorry if the resolution is not great on this domain controller, you can see under my domain users that I already have a user, Pan agent, configured there. So if I double-click on that, you can see that the username is "Pan agent" and the login account is "Pan at lab local," and Pan is a member of Event Log Readers and Server Operators. These are the required permissions. I have also made it a member of administrators and users, but those are not necessary; it has to be Event Log Readers and Server Operators. Okay, so if you have administrator, that's great. It's just going to give it a bit more permission than you need. But anyway, if you don't know how to configure a user, just right-click on Users here. You can create a new organizational unit if you want and create it there. Let's just do that. So new organizational unit, I'm just going to call it test, and in test, for example, I can right-click and say new user, and this user, let's just call it test one, and the logon name, let's just leave it as test as well. And the password, I'm going to keep it as Palo Alto, Palo Alto. The user should not change the password, the user cannot change the password, and the password never expires. So that's how you create an account, and then to give this account its permission, we have to add it to the groups with the required permission. So for example, I double-click on test and I go to Member Of and I just add Server Operators and check that that's okay. And then, that's it.

Event Log Readers, that's it. These are the two required. The reason why I'm doing it this way and I'm not doing that because it has to be logged on and logged off. So this account has to be created to work as an agent. Okay, now we've done that, or got the account already. This Pan agent, we already have that account. So if I go to my firewall, I now need to define the address of the server that has to be monitored, and to do that I need to go to Device, User Identification. Then on User Identification, under User Mapping, if I scroll a little bit down I have Server Monitoring in here. I have to add the server that I will be monitoring here. I just gave it a name and a server description. Obviously in production you put a proper description and a proper name. Then Enabled, then Type. There are four types. Active Directory is chosen by default. You can have Exchange, Novell eDirectory, or Syslog Sender. We're just going to leave it as Active Directory. Transport protocols: we have three types, WMI, WinRM-HTTP, and WinRM-HTTPS, and then the network address. This is the address of the server that we are going to monitor, which is 1921-6812.

That's the IP address of our domain controller. Click OK. Once we've done everything and committed, the status here should say connected. So we're going to go and add a service account to monitor that server. So again, Device, User Identification, User Mapping, and Palo Alto Networks User-ID Agent Setup. I click the gear icon here and I give a name. The name has to be the same as what I have configured on my domain controller. And the name should be Lab Local. That's the name that I'm going to be logging on with. So if I go to my server here, that's the account. So lab local pan. Okay, so if I cancel that and go back to my firewall: lab local pan, then the password is Palo Alto. Okay. And click OK here, right. The next two configurations are optional. Well, actually, they were in the same place; I didn't have to click OK. So Device, User Identification, User Mapping, and User-ID Agent Setup, the gear icon, Server Monitor, and I can enable session. By default, Enable Security Log is enabled, with the server log monitoring frequency of every 2 seconds. But we can enable session, which will also check the file and print sharing information to verify the current IP-address-to-username mapping, if we want to enable it, which is every 10 seconds. Here, I don't have anything for Novell eDirectory or syslog listeners.

I haven't done anything here. Now the next step is client probing. Now, client probing is set for a probe interval of every 20 minutes. And if I enable that, it's going to make sure that the same username is connected to the same IP address. This is required, for example, if a machine dynamically uses a different IP address. We can leave it; we don't have to enable it here. Click OK. Now, once I click "commit," I should have this server connected. Okay, now the commit has been successfully completed. We can scroll down and we can see the status is here and it says connected. So we are connected to the server, so we can actually configure my User-ID. Okay, now that's good. So we are connected. So we can already start applying policies to the user. Well, a bit later we're going to configure a bit more information about the LDAP group memberships and so on. And then we're going to test everything together. Okay, great. We did all of this. We configured the server monitoring, we configured the account, we didn't enable the session or probing, and we verify that there is.
