5. 9.5 Windows-based agent configuration
In this video, we are covering PCNSA 210, and this is our chapter nine user ID. Now this is the fifth video of chapter nine, which is 9.5 Windows-based agent configuration. Now, from previous videos, we have learned that to configure a user ID, it’s a four-step process. We covered the first step, which was to enable the user ID on its own. So, as you can see in this PowerPoint presentation, we need to enable user identification on the zone. So we go to like for example inside zone and we take it there. We can include and exclude a list of all subnets for which we want to enable user ID. The second step was to configure user mapping methods, and as we know, we have two user mapping methods. We can have integrated agent which runs inside the firewall and we covered this on video 9.4 Andon this video we’re going to COVID 9.5 Windows agent and this will run inside Windows domain member.
So they’re still on the second step to configure user ID. The next video will be to configure group mapping, and the video after that will configure policy rules. To configure the Windows-based user ID agent, like in the previous video, we have to create a service account on the domain controller with the required permissions to run the agent. The required permissions has to be member of several operators and event log readers but you can addict to as a member of administrators It is not recommended because it adds more permissions than are required for this service account. Once we did that then we have to decide at what domain member we want to install the agent at.
It could be any domain member as long as it has Microsoft Windows XP service pack three or later as operating system it does support 32 bit or 64 bits and it is recommended you should install the agent as close the server as possible to optimize bandwidth use. So as close to the server they will be monitoring to optimize the bandwidth use. And it is recommended to install more than one agent. So, for example, redundancy was installed on the two domain members for redundancy. Once we decided what domain member we can install the agent we can go and download the user ID agent software and that will be available from support Palo Alto network. Once you download it, you have access to it. You can download it and then install it on the domain member that we have selected it.
Once we install it, we have to run the agent installer, and then we have to start doing the configuration. So for example, in there we add the service logon account and enable security monitoring, and one thing you have to remember here is that the user ID agent will use a TCP port 5007 because we’re going to need that under our firewall as well. Once we run the user ID agent installer, we need to configure the user ID agent. So here we will configure like authentication. So same user as we have configured on our domain controller and the password as well, server monitoring, for example, we can click on that and that will open the same as what we saw in the previous video windows service monitoring and before it was actually every 2 seconds on the integrated service. Here is every 1 second and it’s enabled by default. And we can enable server session read, and that’s it. Every 10 seconds, we’re going to check file and print shares for login and logon status.
Once we’ve done that, then we can check whether we can add the servers that we want to monitor. We can either add them one by one or, if we click on “add,” that will give you the option to add domain controllers, exchange servers, directory service, or Syslog service. Or we can add auto Discover which will auto discover domain controllers. Only now we need to configure the firewall to connect to the User ID agent which here to configure we’ll have to go to Device user identification, user ID agent and then we click on add, we give it a name and add an agent using host and port. So Host, that’s an IP address of the host and port 5007 like we said before. And then the collector’s name and the shared IP address should be the same as what we configured on the domain controller, and then we verify the connection. For example, in our firewall, it should say “connected here,” and on the Windows domain member, it should say “connected here and here as well.”
6. 9.6 Configuring group mapping
In this video, we are covering Penza to ten, and this is our chapter nine user ID. Now this is the 6th video of chapter nine, which is 9.6: configuring group mapping, which was optional. Anyway, from previous videos, we have learned that configuring a user ID is a four-step process. The first step was to enable user ID by zone. So we need to go to the zone and enable user identification. The second step was to configure user mapping methods. And we had two, we had integrated Agent or Windows Agent. The integrated agent was inside the firewall or integrated into the firewall Windows agent. We had to install agent software on a Windows domain member. We have covered this on the video 9.4 and this was 9.5.Now the third step that we’re going to cover in this video is to configure group mapping, which is optional but highly recommended because it’s better to apply security policies to groups rather than individual users. Now, to configure group mapping, first you need to configure the LDAP server profile. To configure an LDAP server profile, you need to navigate a device. Then Server profiles and then LDAP in there we click Add which is down there, hidden.
We give a name to this profile. So I called it the Astrid LDAP Server. and I will demonstrate this on the live firewall. But I’m just going to go through the presentations first. We can configure Administrator Use Only, which will allow only administrators to access this LDAP server profile on the server list. These are where we’re going to get the group and group members. So, for example, give a name—whatever you want. LDAP Server. This is the IP address of your LDAP server and the port. If you put 3, 8, 9, that’s a TLS port. Or if you want to use SSL, that’s six, three, six, and then the server settings. So type we have configured as an active directory but it could be directory son or other as well based distinguished name, bind distinguished name. This is actually the account on the domain controller, as well as the password for that account, service account, the bind timeout, search timeout, and retry interval. You can leave it at “default.” And we don’t want to use SSL or TLS for secure connections.
This is checked by default, so you have to uncheck it. Okay? And then, once we’ve done that, we have to configure group mapping filters. So to do that, we have to go to Device, then User or User Identification, then Group Map Settings, and then we add that we give it a name, whatever you want to call it, and under service profile, a server profile that should be the one that you just created, the LDAP Server profile. And these two group object and the User object should be populated by default automatically. And then we click on the user group attributes under the group users and group attributes. The Firewall can identify users even if the User’s ID source sends user ID into multiple formats. For example, Sam’s account name, email user name, principal name (UPN), or common name So even though we sent any of these multiple different formats, the firewall can identify them, but you need to tell which one is the primary. For example, Sam’s account here is primary, secondary, and so on. And then the alternate as well. The group include list, you have to define what groups include. So use a group. Include a list tap to filter which groups discovered by the LDAP server are displayed on the drop-down list and the firewall policy rules. So by default, they’re going to be all the groups. By default, if you do not move groups in the Include group list pane, all discover groups are available in policy roles.
So here, we selected this. Click on the plus, add it on there. So then, when we create a security policy, we can see only this one, which we have included tithe next tab is a custom group. Now the custom group tab will allow you to define custom groups based on LDAP filters so they can base Firewall policy rules on a user attributes that do not match existing LDAP user groups. So you can create your own custom groups here. Okay, now I’m going to demonstrate all this stuff that we have learned in our live firewall. So first we’re going to check if the user ID has been enabled on the zone and the mapping methods. Integrate the agent mapping methods; they’re there. And then we’re going to configure group mapping. So first, I’m going to go to my firewall and check to see if user ID has been enabled. So for that I’ll go to network and under the zones. For example, inside the zone, I have user ID enabled for this subnetwork, but this IP address is not included. Okay, excellent. The next thing is that I’m going to make sure that we have a mapping method enabled. So device and user identification And under the server monitoring, you can see that the status is connected. So great, we have that. So the next thing is that we’re going to configure group mapping. And to do that, the first thing we need to configure is the server profile, the LDAP server profile. And for that, again, we stay here device. And if we just scroll down a little bit, we have an LDAP server profile. As you can see, we don’t have anything yet. So if I click “add” on the name, I’m just going to call it whatever you want to call it.
So I’m just going to call it AstridLDAP profile and then Administrator use only. I’m going to leave it unticked. and the server list, I’m going to add it here. So my DC is 2016 and the server’s IPad dress is for example, I’m going to put 1921-6812.That’s the domain controller’s IP address, which is this one here. This is my domain controller. Okay, the port three, eight, nine, that means we are using TLS. If I put 6, 3, 6, that will be an SSL port. And then we have to go to service settings. So here by default we can see there’s other or no, we want to change that to Active Directory. You can see that we have directory and Sun. So directory. Active directory. I should say the base-distinguished name should be DC lab. DC local. That’s correct. Bind name. Here I put the account that I have under my domain controller, which is Pen at lab local password for this was Palo Alto and Bind timeout search time out, leave it the same. And we’re not going to require an SSL or TLS-secure connection.
So I’m going to unpick that. Click okay. Now we have already an LDAP server Astrid LDAP profile. So the next step is actually configuring the mapping filters. So to do that, I need to stay here in Device and just go right to the top, where we have user identification. And then we have to go to group map settings. On the group map settings, I’m going to add a new group map setting, which I’m just going to call Astrid Group Map Settings. And under the server profile, I’m just going to leave it. If I just pick the down arrow that should come up, the one that I created earlier, And you can see that these two are already populated. excellent user and group attributes. Now, by default, like we said, the firewall can have different attributes, but you have to select which one is the primary. So Sam’s account is my primary here. Under the group list include list, I have to select which groups I want to include on my security policy.
So as they come up like a drop-down list, what is going to be available if I leave them? They’re all going to be available. So I’m just going to click on the DC lab DC local under the common name “Users.” I’m just going to say, “Let’s have lab users, students, and, I don’t know, let’s just say key administrators.” I’m just adding a customer group here. So I’m going to leave it empty as “nothing” and click OK. So now I have my users here. So now once I commit this and then we can go adjust have a look at the security policy just to test it. Okay, now that the commit has been completed successfully, we can just go and test it. We’re going to leave it for the next video anyway. But we’re going to just go to policies and see if I update any security policies and if I include my users. So let me just enter here and select Users. And by default you see it’s. Any users, I can add the users. So you see the ones I added: key administrators, lab users, students, whatever the group, they appear here. Right? Okay, I’m going to leave this for the next video. So that’s what we’re going to do. We’re going to configure our security policy.
7. 9.7 User-ID and security policy
In this video, we are covering PCNSA 210, and this is our chapter nine user ID. Now this is the 7th video of Chapter 9, which is 9.7 User ID and Security Policy. Now, from previous videos, we have learned that to configure a user ID, it was a four-step process. The first step was to enable user ID by zone. So we went to the zone and we enabled User ID identification.
We could include list or exclude list as we want, what subnets to include, what subnets to exclude and so on. But we have to enable user identification. This is not enabled by default. The second step was to configure mapping methods—and remember, it was two different mapping methods. We could have integrated Agent, which was running inside the firewall, or Windows Agent, which was running on a Windows domain member. We don’t have to download it; it’s already in the operating system. This was the software that had to be downloaded from Palo Alto Support Services. And the third step was optional but recommended: configuring group mapping. And that information we got it from LDAPserver and that was the previous video.9.6. In this video, we’re going to modify the Firewall Policies rule to use usernames or group names. So to do that, you need to go to the Security Policy rule and choose which rule you want to modify, for example, and once you select the rule, you can select the users for Security Policy, and these are the options available. So, for example, on the role that you have selected, click on the users, and once you click here, these are the options. Any matches, any value for user pre log on so pre logon used with certain global protect implementation. We have unknown users. These are users that are known by User ID unknown. These are users or groups that are not known by user ID or selection.
These are the users that we can identify from LDAP servers. Source IP address and a source user field will be evaluated with the logical and condition, for example this IP address. So any IP addresses from these users will be this plus this. We will deny this IP addresses plus these students groups will be allowed for FTP for example. And that’s how we access or enable the security policy. I’m going to demonstrate this for you all live on our firewall. So in Firewall, what we need to do is check that we have applied user identification per zone, and to check it, we need to go to the network and find the zone that we want to apply user identification to, and we have done that. So in the inside zone, we have enabled user ID for this subnetwork and we have excluded this IP address. For example, to enable it you need to click go inside configuration for the zone and enable User identification, include what subnetworks you want to enable Use rid for and exclude maybe some IP addresses you don’t want to enable user ID for, usually for PCs that are in the lobby or something like that. Maybe you don’t want to enable user ID for that. Okay, the next thing I need to do is go to my domain controller and check that I have a service account with the required permissions. So let me log on to my domain controller, Palo Alto.
Here is the password. Okay, now the server is ready. So I need to open users’ accounts and computers. So I need to go to Tools and then Active Directory users and computers. In there, I have created a service account called “Pan” or “Pan Agent.” and it’s just further down here. So you can see here that this is the account that I’m using as a service account where the firewall will actually communicate. That’s the agent for the firewall. So if I double-click on that account, you can see the account login is just “pen” at Lab local and the asset password never expires. For example, it needs to be a member of event log readers and server operators. I have enabled myself as an administrator as well. But you don’t really have to. You can just leave it to the event log readers and server operators. It’s part of the Lab Users Group as well. Okay, excellent. So now, after this, I need to go back to my firewall and check that server monitoring is configured correctly. So I need to go to Device, and on the device, I need to go to User Identification. And on the main page, there is user mapping. Just further down, that’s the server monitoring. So we are monitoring this server at this IP address for Microsoft Active Directory.
And you can see it says Connected. To configure it, you just need to click Addendum, which will open this kind of page. So you give it a name, enable it, and then type. You can choose either of these for Microsoft Active Directory for us, but they can be exchanged as either directory or syslog senders. Okay, the transport protocol is WMI, but it could be WMI, WinRE, WinRE https, or http or https, and then that’s the network IP address that we are monitoring for the domain controller. The next thing we need to do is actually join that account as a service account to monitor the server. So if I click on the Palo Alto someplace, device user identification, user mapping, Palo Alto networks, user ID, agent setup, and click on the gear icon here and this is what I configured. So this is the agent the firewall is talking to—some service account inside the domain controller. So the username is Lab Local. Well, log on, Pan, right? domain name, I gave it there, and then the password was Palo Alto. Okay, server monitoring is enabled by default. Every 2 seconds, we monitor the logons to the servers—log in, log off. We can monitor a session and enable that for every 10 seconds if we want to. And the client probe in just to check the IPS are still valid. I have not enabled any of these. So cancel that, and to verify it, we said it’s connected.
And the next thing what are we going to do is we’re going to go to my domain controller, create an account there, just a normal account. And then we’re going to logon from this member, domain member. So if I go to my Windows server, I’m just going to create a user here. So right click on the user new user and I’m going to type it astrituser and the login name is going to be Astrid user as well, right? And password is Palo Alto and I’m going to make it as I can’t change the password so Palo Alto and never expires. Okay? So I created the user, and the user name was Astrid. So if you look at the top, that’s my astringe user, and I’m going to put this user as a member of students. So if I double click on that user and I’ll click it member of and I’ll add student so students as a group, okay? And I’m going to finish that. Now the next thing is that I’m going to go back to this. So the idea is that if I go to monitor here, I should see some traffic from that user. So by default, the source user is not in there. I need to enable it or I need to put that column in.
So by default, it’s like this. So we need to actually add the source user. So if I just click on the arrow down the columns, then source user, we’ll see it there. So what I want to see is an asterisk user here, right? So I’m going to go to my domain member and log on so Astrid user and password is Palo Alto. So I’ll log on as that user. Okay, great. So I have logged in as that user. So if I click on the start, I should see it. That’s me; that’s just the account; I created it. And to see that actually the firewall is getting these users, I’m going to click on the open putty and I’m going to show you command which we need to know how to check whether user mapping is being done. So open patty and the IP address of my management is 192-168-1254 and click open. I’m going to log in as admin. Okay. The command to see whether you have IP-to-user mapping already is show user IP mapping all. And you need to know this command for the exam’s purpose as well. As you can see, it’s already there. So we can see the Astrid user has been known to this IP address. And now I can see the PANIS already known to this IP address. But if I change the user, for example on that, if go and change account so I’ll go and switch user and let me log on as domain number, I’m administrator here.
And now if I go back, once I log in, if I go back and I’ll repeat this command now it will say somebody else has logged in. Right. Before, it was a straight user; now, it’s somebody else. So user IP to user mapping is actually working perfectly. So if I click there and I’ll just switch back to the user logo from here and log back ones the Astra user Palo Alto, check it just quickly. I’m going to check it here the eons not yet. Now he knows. Okay, so he just finished properly logging on. Okay, excellent. So I’m going to generate some traffic here. So if I go to Facebook, for example, and that will generate traffic, the Astrid user is accessing Facebook, and then we can actually make security policies like stopping access to Facebook and so on. Okay, so Facebook.com is now hanging because, probably, I have so many machines running and my machine just can’t cope with all of these. But anyway, I have access to Facebook, so let’s just have a look and see if we have any information. If I update this and you can see already have lab user, lab Astrid user is accessing this site on Facebook or is accessing some sites. So if I go back to that account, I need to refresh this or something because it’s actually not responding.
So I’m going to close it and come back to you when it’s ready. Okay, now it seems like we have access, and that’s right; that’s good. It was hanging on for a little while, but I tried it again, and it seems like it’s working now. So if I go back and I update this, you can see I have lots of, well it should becoming up like access user identification, lab user. So for example, if I do change my account there, and if I go to say, a switch user and I’ll log on Astrid and I generate some traffic that should be saying that Asterisk is generating or Astrid Krasnishi is generating traffic. Okay, what I’m going to do is the same thing. Go and have a look; open Facebook. Hopefully I will get faster there. And I should see some traffic generated by Astrid Krasnik. So I’m going to use something else now. So MSN.com, right, so I’m generating that traffic. So if I go to here, it should say now. If I refresh, it should say Astrid Kasich. There we go. Now I’m generating the traffic from a different account. So right away you can tell the user ID is working there. So what we can do is actually create a security policy on the user ID, not just the IP address. So for example, in 250 you can see the 250 was Asterisk user. And then I logged off, and I logged on to Asterisk Grass Nation.
You can see that in 250 there’s a different user ID, so we can generate a new group policy on the user ID. I’m actually going to create a security policy rule that says if a street user is a student, he’s not allowed to go to Facebook. Okay, but before we actually do that security policy, I’m going to go to objects and create a URL filtering or URL category for Facebook. So I’m going to just add it as a Facebook there that you’re not allowed. So I’m going to click add here and I’m going to create no Facebook and URL list is going to be Facebook.com. Or it could be anything with Facebook, right? So let’s just say that anything with Facebook Okay, so I have a URL category now. No Facebook. So I’m going to create a policy that says, “Well, you shouldn’t access that URL category.” So I’m going to copy this or clone that policy that I already have from inside to outside zone. And I’ll put it before that rule and open that; just change the name. So from in to out, say user ID. And the source is going to be the same from that zone for that network user. Now I’m going to put it as a user student destination. Well, it’s going to be an outside application. I can leave any and in the URL category I’m going to add that I just created no Facebook and under actions I’m going to put it as deny and profile. I’m going to leave everything to none. So I’m going to just put reset this to none and click okay, now this is that okay, any user, any students with this address from this network trying Togo to Facebook URL, it should be denied, right? And I should have something on the board here, right? Okay, so I’m going to commit this, and then we’ll go and test it.
Okay, now the commit has been successfully completed. I’m going to go and test it. So if I go back to that machine, okay, so I’m going to try it again on this user, but this time I’m going to go in incognito mode. So I’ll go to Facebook.com and I’m not getting access. Let me try it on the main page. No, it seems like it’s not working. So it seems like it is doing what we want it to do. Actually, it is working. It seems to do exactly what we wanted to do. So let me try it on the yes, you can seethe Internet Explorer is actually reporting as blocked astray user. Actually, this page has been blocked. Okay, so if I refresh this, you can see it already has 23 hit counts in there. And if I go to monitor and you can see lab Astrid, user no Facebook. And you can see that it says reset both policy deny, policy denied on these ones. Okay, so that’s what you can see from the user ID. We can actually control what this user can access. Okay, great. So now that we’re done with this lesson, I had to pause.
8. 9.8 Lab User-ID
In this video, we are covering PC NSA 210, and this is our Chapter Nine user ID. Now this is the last video of Chapter Nine, which is 9.8 lab user ID. Exciting lab long video, not short, but stick with it is very interesting. Now, User ID first in this lab, we’re going to configure a service account with the required permissions, and we’re going to do that in our domain controller so our firewall will be able to communicate with that service account. We can enable user ID in our security zone, which is going to be our inside zone toward the outside. We’re going to configure an integrated user ID agent. We cannot configure a group mapping, create a security policy rule to use user ID, and then test that security policy rule with user ID. Everything that we did in our lessons, I demonstrated for you, and I have reset everything. So we kind of like starting from scratch. So we have learned to configure user IDs in a four-step process. Each step seems easy, but it’s quite involved. Well, the first step is very easy. So you need to enable user ID by zone. So you just need to go to Zone and enable user identification. And then we have to configure user mapping methods.
So far, we have two mapping methods. First is the integrated agent, which is resident in the firewall, so you can just enable it. And the second one is a Windows agent, which runs on the Windows domain member. But for this, you need to download it from Palo Alto Support Services. So you need to download the software. The third step was to configure a group mapping; this was optional, but it’s recommended because we’re going to get all the groups and group members from the Windows domain controller. So we can add our users into a group and we can apply security policy to the group, rather individual users.
And then the last one is to modify the firewall policy to use usernames or group names. Most likely, we’re going to be using group names. This is our lab topology that we’ll be using to demonstrate user ID for you. First thing is, we’re going to go to this domain controller, which is a Windows 2016 domain controller, and we’re going to create an account. I’m just going to call it PAN Agent for Palo Alto Network Agent. And in here we’re going to give him enough required permissions so our Firewall will be able to communicate with that agent and it will get information from our domain controller. So this agent will be able to have the correct permissions to read the domain controller. And then we’re going to link the agent to the firewall, which is going to be group mapping and user ID mapping. And then on the firewall, we can go to the policies and create a policy. Usually I’m going to use Facebook just to test it, right?
So this user is not allowed one user is not allowed to access the Facebook and the other user will be allowed. So I’m going to create here two users on this domain controller and one group. So we can put these users in groups and apply them to the groups. Anyway, there’s lots of stuff. You’re going to keep up with it. It’s interesting stuff. Okay, so the first thing is that we need to enable user ID identification or user identification per zone. So if I go to the firewall, I’m just going to show you that I have reset everything in our firewall, so everything is back to zero. Even traffic logs and thread logs have been reset. I got nothing configured here but from previous configuration. So I still have the zones and IP addresses and so on. So it’s great. To enable User ID identification per zone, we need to access network and then zones. So you can see I have four zones here. I am in the inside zone. I will enable user identification there. You don’t want to enable the “outside zone,” because then the file will go crazy trying to identify every user on the Internet. Okay, so inside zone and you can see that enabled user identification is not ticked. So if you want to enable that, you just need to check it. And then we have an include list and an exclude list. Include list. It will be like the subnetworks to which you want to apply user ID.
So, for example, say that my network is 1921-681-0424. So now I will enable it in case this zone has more subnetworks; you can just choose which subnetwork’s Use rid you want enabled, and then you can exclude this as well. So whatever you include this, for example, say that within that network I have an IPad dress that I want to exclude. So maybe it’s a PC in the lobby or something that I don’t want users ID there. So, for example, in PC 101, I want to exclude that. And there you go. That’s how you enable User ID per zone—by including and excluding the network and excluded. For example, you can even exclude the whole network if you want. Okay, that first step is done. The second step is to create a service account with the required permissions to run the agent. And this is what we need to do on the Windows domain server. So if I go to my domain server, which is this one here, and I’m going to login, okay, so I’m the administrator in this domain. So I’m going to log on as Palo Alto; it’s my password. and I’m going to open Active Directory.
Users and computers And in there, I’m going to create a service account. So once this is ready, click Tools and then Active Directory users and computers. And this is my domain. And under users, I right-click, and for this user, I’m just going to call it “Pan agent, Palo Alto Network agent,” and for the login name, I’m just going to leave it as “Pan.” And for the password I’m going tout Palo Alto password cannot be changed. So users cannot change the password because the service account and password will never expire. Click “next” and “finish.” Now, this agent or this service account needs my permission. So I’m going to add it to the group as a member of several operators. So server operator, I’ll just write server should find and event log viewers. So the event happened, and that should be fine. Now this is really the recommended privileges you should give, but you can give it administrator, but that might give you, it might give this account abet more privileges than is actually required. I’m going to do that administrator anyway because it’s going to find it quickly. So that’s it; my account is done, my service account is done, and the permissions are done. So now the next thing I need to do is go back to my firewall and add or define the address of the server to be monitored. So I will do that on the device. And then I’ll have a user identification.
And in the user identification, I have a user mapping. And in here, if I scroll a little bit down, I have a server monitoring service, and I’m going to add the server that I’m going to monitor, which is my domain controller, I should say. So on the name, I’m just going to type it as Pan. Server monitor and description Obviously, in production, you put something in our description, and for type, we have four: Microsoft Active Directory, Microsoft Exchange, Redirection, or Syslog Sender. But for us, we’re going to use Active Directory and the transport protocol. We have three options: WMI, Virk HTTP, and Virk RM https.If you use any of these, they will use a Kerberos session key. So without Kerberos, I’m just going to use WMI, and the IP address of my domain controller, which I’m going to monitor, is 1921-6812. Once I’ve done all this and committed, once I configure the rest, the status will be “connected.” So hopefully, fingers crossed, we’re going to get connected there. Sometimes we might have to wait a bit, but let’s see. Okay, so next I’m going to add a service account to monitor the server. So that’s going to be under device, someplace, user identification, user mapping and then Palo Alto networks, user ID, agent setup
.So if I click on the gear icon here, I’m going to edit this. So the agent is setup, while the username is going to be lab local. So that’s the account that’s going to log on. Domain name is going to be lab local, lab local.And the password is Palo Alto. Okay, see, because we use WMI, we don’t need to put the Kerberos server profile here. Server monitoring. If I want to enable it by default, it is enabled for security logs. So event login log out and so on, is going to monitor the service or server every 2 seconds. We can enable a session as well, and this is going to be every 10 seconds; it’s going to ask or find out from the file and print share servers for login, log on, and log off events. I’m not going to do that. And if they’re in, for example, your users might move around or something. And then we can enable the client program, which runs every 20 minutes by default. But okay, this is a test, so I don’t really need to enable any of these. I’ll leave it at default and click okay. And after our commit really I want to expect here connected. Okay, now that the commit has been successfully completed, we can close this and scroll down. We got connected, which is very good. So now the firewall is actually talking to my server account inside the domain controller. So the next thing to do was to actually enable user ID in a security zone.
We did configure a service account with the required permissions, and we configured an integrated user ID agent, and they’re all talking; we saw it connected. Now we’re going to configure group mapping, and that’s group mapping from the LDAP service. So first thing that we’re going to do is actually go to domain controller, create couple users and couple groups. Yeah. So I’m going to create a couple of groups. I’m going to create a student group and a test group. Right, just make it the same account as well and put them on those groups. And then we’re going to look at the group mapping. So the first thing is to actually go to my domain controller and create two groups—well, two users and two groups of the same. So with the same name I should say. So new, say user. And this user is going to have the name “student,” and the log-on is going to be “student” as well. And the password, well, a password is always Palo Alto, easy to remember and user cannot change the password at all. Okay, so then I’m going to create another user, and this user is going to be our test user. Test and password Palo Alto. Okay, same thing; the user cannot change a password, and so on. Now I’m going to create two groups with the same name: students and test. And we’re going to put students in the student group and tests in the test group. Okay? So correct, right-click, and say new group student. Okay. And I’m going to create a new group test as well. Okay, capital T, capital E. Okay, let me try another name. So maybe test one. There we go. So I have a student group test and test one group. So I’m going to put the student in the student group.
So add to group student. Okay. And I’m going to add this test user to one group. Test one: okay, excellent. Now I’m going to go and create group mapping on my firewall. Yes. So if I go to Palo Alto Firewall and someplace in Device, I’m going to enable LDAP server. So right, go further down here under “Service Profile.” We have an LDAP server, and I’m going to create a new one. So add this, and this is going to be Astritldldap, and then the server. Well, this is the server. There’s only one server, which is our 2016 server or domain controller. And the IP address of that is 1921-6812 and the portend the port is three, eight, nine, that means TLS port. Or we could put six, three, six, that’s for SSL port. So that’s the server with that IP address, and we’re using TLS. Now in the server settings, I’m going to put it as Active Directory. And of course we have different choices if you want to use them, but it’s going to be an Active Directory-based distinguished name. This is going to be the DC lab. DC local. So it’s populating itself. And then here I’m going to put it as a poem. That’s my account at Lab local. And the password is going to be “Palo Alto bind timeout search time out and retry.” We’re just going to leave it all at default, and the SSL secure connection is not something we’re going to require. Okay, so that’s going to be our LDAP configuration. Now we need to create a group map or look at the group map. So enough we have the configuration there. So I’ll go to User Identification, and then under User Identification, I have a group map in the settings here.
So I’ll click “Add,” and this is going to be again an LDAP map and server profile. Well, it’s going to be the one that I just created, and you can see it’s already filling the group object and user object, as well as users and groups attributes. Well, we look at these attributes if Firewall can report more than one attribute, but then we have to look at the primary, secondary, and so on. and then a group list. Under the group list, I’m going to use these groups I just created. So I’m going to use a student and test So student and test one. Okay, that’s my group mapping done. So I’m going to commit to that. Okay, now the commit has completed successfully, we can go and test it. We’ve done quite a lot of stuff, and now I’m going to go to my virtual machine and log on with one of the two user accounts.
Well, I’m going to log on with both of the users. So we’re going to see if the Firewalls getting IP, the user name mapping. So I’m going to log on as student first and password Palo Alto. Now that the user has logged in, I’m going to go check whether we have a map. So I’m going to open a pack of putty. Here the IP address of my firewall is 192-168-1254 ands login log on with admin and the passport admin. Okay, so the command to see if you have access to IP mapping is “show user IP user mapping.” Okay, so we can see the firewall has a user-to-IP mapping, which already knows the student has logged on to this IP address. If I go to my machine and just switch the users, So if I go from here, I will log in as this user. And now for the next one, I’m going to log on as “test.” Yeah, so the test was successful and the password was Palo Alto; go back to my firewall and have a look. And you can see now it says test’s firewall already knows it’s got abuser to IP mapping right away. As soon as I logged off as a student, I logged on as a tester. That’s it.
Let me just switch off this one. This is from the previous lesson that we did. Okay, cool. So the next thing I’m going to do is I am actually going to create a policy rule that says, well, the students are allowed, are not allowed to go to Facebook and test department is allowed to test to Facebook. So we’re going to create a URL category for Facebook, which allows the test group Togo to Facebook, but not the student. So that’s the idea. So if I go to object and end of the object, I’m going to create a URL category and I’m going to create a new category called facebook.Facebook. And for this, I’m just going to add Facebook.com. Well, pretty much anything to do with Facebook, I’m going to add its anything with Facebook, that’s it. So now we’re going to create a group policy that says, “Look, if I go to monitor and go to traffic, I already see the source users.” They should be coming up here. We can see there’s something if the source users are accessing something. So let me just go and for example, at the moment I’m connected as tests. So if I just open the browser and navigate somewhere, you’ll see that some traffic is being generated from this user. So I’ll go on Facebook first (facebook.com), and once I access Facebook, then I’ll go to the monitor and we’ll check it there. Okay, let me open the virtual router. It’s not running. I’m closing the machines as they go because it’s taking too many resources from my computer. Okay, that’s my router running. Once that runs, we should be able to access Facebook. Okay, we have generated some traffic. So if I go to the monitor here, I should see the test user. I can do the same for the student user.
See the test user, the firewall already knows that user is accessing. So let me log off as the test user and logon as a student user and do the same thing. Just check that the student can access Facebook at the same time at this moment before we create the policy. So here, I’m just going to access Facebook from this once it loads, okay? Once it’s done, then we’re going to do the policy rule so this video doesn’t become too big or too long. Okay, let me just spell it correctly. Okay, so access to Facebook. So this is the student account. So if I go to my monitor now and refresh this, it should say student. There we go, some students access. Okay, so the idea is that the student should not be able to access Facebook, but the test users are allowed to access it. Sorry. The Facebook. And I already created a URL category that says “Facebook.” So I’m going to create two policy group policies. Well, I’m going to clone it first into our group policy and then rename it to reflect what we’re trying to do. So clone this, and the order matters. So we have to put it before this rule and the name I’m going to change it for this one is going to be students no Facebook. No Facebook. Okay. And the source is going to be inside users from that IP address or that subnetwork users. Now not any users, we’re going to leave it as students, destination, anywhere, application, anything, and the URL category, while Facebook. And the action for this is going to be deny. So I’ll just change this to deny and profile type, we leave it to none. Okay, I’m going to create another one. So I’m going to clone this, which says that it is now going to be for test users. So test users are going to be before the rule, and they should be able to access Facebook. So test. Yes. Facebook.
You can create your own, but this is just for demonstration. So source users, anything from that IP address, sorry, source, and then users. Well, this is going to be for test one, destination, any destination, application and URL category. So this is going to be Facebook again. For these guys, we’re going to say “allow profile.” We’re going to say “none” and click OK. Now, before we actually committed and tested, we needed to know the group mapping. Has it been done? Does the firewall know what groups we have and what members are on those groups? So for that, we need another commander to go to the party. And who is this student? Now for this we need to know show user group mapping state all. So you can see the group mapping was done 793 seconds ago, and the next is going to be in 2807 seconds. It could be that it’s already mapped, or it could be that it’s not mapped. So just to make sure that we need to update this, we can go and change it. So if I go to device and then user identification and then in the group mapping settings, if open this, we can change the group main seconds for seconds, update intervals, so I can leave it to 60 seconds, for example. So every 60 seconds we get new group mapping and click.
Okay, now we are done. We are pretty much done. We’re just going to test it, and if everything works fine, we’ll see some hits here in Deny and some hits here. So I’ll commit it, and then we’ll go and check it. Okay, now the commit has been successfully completed. moment of truth. 2 hours of work We’ll see if it comes to anything. Okay, so I need to go to this user. This is our student user, and the student should not be accessing Facebook. So if I open the new page here and just try to access Facebook and it seems good, it seems that if we can’t access Facebook, try it again. All right, it seems like our policy is working for this user. So let me go to the monitor and then we’re going to check if the test user. Yeah, so if I refresh this, this should get some hit counts here. See, already I’m getting a hit count of 16. We are blocking the student users, and on the monitor, if I go to traffic, that should say some student user going to Facebook. URL category policy denied. Excellent. So the next thing is I’m going to change the user, so I’m going to logon as a test user, and test users should be able to access Facebook without a problem.
So let me log on as a test user. I’m happy they did work because it took so much time—nearly 2 hours with poses and everything. And it comes a moment of truth. Okay, so let me open a browser again because things are working very slowly as so many machines are open at the moment. So Facebook here should work. and it’s working. It’s easy, it’s working, and it’s coming. So if I go there to look at the policies again, the second policy should get some entries now. So this one here is the second one, and as you can see, it’s got 33 there. So the test users are allowed to go to Facebook, while your student users are not allowed to go to Facebook. And we can go to the monitor as well. and we look at the traffic monitoring as well. And you can see the test user access to Facebook and that’s allowed. Okay. But early on, when we did that with the student, that was denied. So, as you can see here, nothing fits further down. I think it’s already gone to the next page. Yeah, Facebook is here; it was denied. Reset both. Okay, excellent. I’m happy they did work, actually. Everything that we planned and user ID, I’m excited.