4. User-ID Flow
A combination of methods is used to find user and group information and to map those users to the source IP address(es) of their sessions.
5. User-ID Session Information
• Each session contains the source IP address and App-ID(s)
• User-ID maps a user name to the source IP address
• Security Policy can then use source user, source IP, and App-ID as match criteria
[Diagram: a session from 172.16.19.10 contains uTorrent; which user is logged in at 172.16.19.10?]
8. Enumerate Users and Groups
• Firewall accesses the directory via LDAP
  - Find specific users
  - Find groups and group membership
  - Maintain user-to-group mapping
[Diagram: firewall querying the Domain Controllers over LDAP]
17. Remember, by default the firewall accesses the directory via LDAP directly, through the MGT port
[Diagram: firewall to Domain Controllers over LDAP]
Select the check box if the User-ID Agent is to be used as an LDAP proxy instead of the firewall connecting directly to the directory service.
22. Install Windows agent on any member server
• Local administrator account
• Log on as a service
• For Win2K8, add the service account to the “Event Log Readers” and “Server Operators” built-in security groups in the domain.
• For Win2K3, the user right “Manage auditing and security log” must be granted to that account.
Server Operators is a highly privileged group (its members can log on to and administer domain controllers), so use a dedicated service account for the agent and do not reuse its credentials anywhere else.
23. Server Monitor Tab
How often new user logins are detected by reading the security log on the AD server; 1 second default.
24. AD Security Logs
• By default Active Directory records the user name and IP address of successful logon events
• The agent must have rights to read the security log
[Diagram: the User-ID Agent reading the security logs of Domain Controller 1 and Domain Controller 2]
25. AD Security Logs
• On Windows 2003 DCs:
  - 672 (Authentication Ticket Granted, which occurs at the moment of logon)
  - 673 (Service Ticket Granted)
  - 674 (Ticket Granted Renewed, which may happen several times during the logon session)
• On Windows 2008 DCs:
  - 4768 (Authentication Ticket Granted)
  - 4769 (Service Ticket Granted)
  - 4770 (Ticket Granted Renewed)
26. AD Security Logs
• The mappings are maintained for a configurable timeout, which is recommended to be set to half the DHCP lease time used in the environment.
• Client systems in an AD domain using the default configuration will attempt to renew their tickets every 10 hours (the default maximum ticket lifetime), so the renewal events above refresh a mapping that would otherwise age out on a long-lived workstation session.
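To make the logic of the last three slides concrete, here is an added example (not code from the slides or from Palo Alto Networks) that consumes constructed Kerberos ticket events with the IDs listed above, keeps a user-to-IP table whose timeout is half a DHCP lease, and lets a renewal (674/4770) refresh a mapping it already holds. The record layout, the domain\user naming, the choice to skip computer accounts and failed tickets, and the IPv4-mapped form of the client address are assumptions of the example, not statements from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Event IDs from slide 25 (Windows 2003 and 2008 numbers).
# A TGT or service-ticket event establishes a mapping; a renewal only refreshes one.
ESTABLISH_EVENTS = {672, 4768, 673, 4769}
REFRESH_EVENTS = {674, 4770}
SUCCESS = "0x0"  # Kerberos result code for a granted ticket


@dataclass
class KerberosEvent:
    """One security-log record reduced to the fields the agent needs (constructed layout)."""
    event_id: int
    account: str      # TargetUserName, e.g. "alice" or a computer account "WS07$"
    domain: str       # TargetDomainName
    client_addr: str  # IpAddress field as logged
    result: str       # Result Code, "0x0" on success
    time: float       # seconds since epoch (constructed)


def client_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 client address or None.

    2008+ DCs commonly log the client as an IPv4-mapped IPv6 literal such as
    ::ffff:10.1.1.5; that is an assumption from field experience, not from the slides.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # e.g. "-" when the field is absent
    if isinstance(ip, ipaddress.IPv6Address):
        mapped = ip.ipv4_mapped
        return str(mapped) if mapped else None
    return str(ip)


def recommended_timeout(dhcp_lease_seconds: int) -> int:
    """Slide 26: set the mapping timeout to half the DHCP lease time."""
    return dhcp_lease_seconds // 2


class MappingTable:
    """User-to-IP mappings with expiry, as the Server Monitor builds them."""

    def __init__(self, timeout_seconds: int):
        self.timeout = timeout_seconds
        self._by_ip: Dict[str, Tuple[str, float]] = {}  # ip -> (user, expires_at)

    def observe(self, ev: KerberosEvent) -> Optional[str]:
        """Consume one event; return the mapped user if the table changed."""
        if ev.result != SUCCESS:
            return None  # a failed ticket request proves nothing about who is logged on
        if ev.account.endswith("$"):
            return None  # computer accounts are not users (design choice of this example)
        ip = client_ipv4(ev.client_addr)
        if ip is None:
            return None
        user = f"{ev.domain}\\{ev.account}".lower()
        if ev.event_id in ESTABLISH_EVENTS:
            self._by_ip[ip] = (user, ev.time + self.timeout)
            return user
        if ev.event_id in REFRESH_EVENTS:
            current = self._by_ip.get(ip)
            if current and current[0] == user:  # only refresh a mapping we already hold
                self._by_ip[ip] = (user, ev.time + self.timeout)
                return user
        return None

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self._by_ip.get(ip)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def expire(self, now: float) -> int:
        """Drop aged-out entries; return how many were removed."""
        stale = [ip for ip, (_, exp) in self._by_ip.items() if exp <= now]
        for ip in stale:
            del self._by_ip[ip]
        return len(stale)


# Constructed sample events (not real log data), in log order.
SAMPLE_EVENTS = [
    KerberosEvent(4768, "alice", "CORP", "::ffff:10.1.1.5", "0x0", 1000.0),
    KerberosEvent(4768, "bob", "CORP", "::ffff:10.1.1.6", "0x18", 1001.0),  # bad password
    KerberosEvent(4769, "bob", "CORP", "10.1.1.6", "0x0", 1002.0),
    KerberosEvent(4768, "WS07$", "CORP", "::ffff:10.1.1.7", "0x0", 1003.0),  # computer account
    KerberosEvent(4770, "alice", "CORP", "::ffff:10.1.1.5", "0x0", 2000.0),  # TGT renewal
]


def build_table(events=SAMPLE_EVENTS, dhcp_lease_seconds=3600) -> MappingTable:
    table = MappingTable(recommended_timeout(dhcp_lease_seconds))
    for ev in events:
        table.observe(ev)
    return table


if __name__ == "__main__":
    t = build_table()
    print(t.lookup("10.1.1.5", 3000.0))  # corp\alice: the renewal at t=2000 extended it
    print(t.lookup("10.1.1.6", 2900.0))  # None: bob's mapping expired at 1002 + 1800
```

With a one-hour lease the timeout is 30 minutes, so bob's single service-ticket event ages out before alice's, whose renewal pushed her expiry forward; the failed 4768 and the computer-account 4768 never create entries.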
27. Server Monitor Tab
How often additional user-to-IP address mappings are derived by reading the session table of active resources on the AD server; 10 second default.
28. Shared Server Sessions
• When AD users connect to printer or file shares, the server logs the user name and IP address.
• This will only refresh known user/IP mappings
• The agent must have rights to view the current open sessions on the Domain Controller
• The agent requires Server Operator privileges to read the session table.
[Diagram: User-ID Agent reading the open-session table of a shared server]
29. Client Probing
How often the agent will issue WMI/NetBIOS queries to desktops; 20 minute default.
30. WMI Query
• If no mapping can be achieved with passive methods, the Agent switches to active methods
• WMI queries can be sent to workstations to find users
  - Requires WMI to be enabled on each system, and the agent's service account must be allowed to query it remotely (by default that means local administrative rights on the workstation)
[Diagram: User-ID Agent probing workstations]
31. WMI Query
• Each learned IP will be probed once per interval period.
• When the firewall receives traffic from an IP address that has no user data associated with it, it sends the IP to all configured AD agents and requests that they probe it in order to determine the user.
• This request is added to the queue along with the known IP addresses waiting to be polled. If the Agent is able to determine the user of that IP from the probe, the information is sent back to the firewall.
• Because the probe authenticates as the agent's service account to whatever host currently answers at that IP, a host under an attacker's control can capture or relay those credentials; do not enable client probing toward untrusted segments, and keep the probing account as unprivileged as the deployment allows.
32. WMI Query
• The underlying WMI query that is sent can be simulated with the following command, where remotecomputer is the IP address of the system being probed:
  wmic /node:remotecomputer computersystem get username
• The command returns the UserName property of Win32_ComputerSystem, i.e. the interactively logged-on user, so it is empty on a machine with no console session and reports only the console user on a host with several sessions.
33. Cache Tab
How long entries in the IP-to-username cache kept by the agent are valid. Current entries can be viewed from the main User Identification Agent screen under IP to Username Information; 45 minutes default.
The user-ID cache timeout on the Windows agent only dictates how long the mapping lives on the Agent itself. The firewall will time out all IP mappings in 60 minutes.
37. Server Monitor
How often additional user-to-IP address mappings are derived by reading the session table of active resources on the AD server; 2 second default.
38. How often the agent will issue WMI queries to desktops; 20 minute default.
39. Specify the collector name if you want this firewall to act as a user mapping redistribution point for other firewalls on your network. The collector name and pre-shared key are used when configuring the User-ID Agents on the firewalls that will pull the user mapping information (Device -> User Identification -> User-ID Agents).
41. User Data Redistribution
• Firewalls can act as User-ID agents to each other for IP address mapping
• Enabled on interfaces as part of the interface management profile
• Redistributes address mappings learned locally
  - Will redistribute Captive Portal and GlobalProtect users
  - Does not redistribute mappings learned from other agents
[Diagram: a Windows Server UID Agent and a GlobalProtect Agent feeding one firewall, which redistributes the mappings to other firewalls]
42. Scaling to complex environments
Large / distributed environments: global sites; DCs in every location; many AD domains or forests; hundreds of firewalls
  Solutions: hardware agents (dedicated HW agents); MS log forwarding
Non-AD sources: RADIUS group based; Apple Open Directory; other LDAP; subscriber DB
  Solution: API, probably over syslog
Scores of VSYS
43. PAN-OS Agent vs. Software Agent
• Both read security logs from servers
• The hardware (PAN-OS) agent is much more efficient for bandwidth
[Diagram of data volumes: full security log = X MB of data; just the required event IDs = 0.05X MB of data; just user-to-IP mappings = << X MB]
44. Microsoft Log Forwarding
• Simplifies the DC environment for the Agent
• Great for rapidly expanding networks where tracking new DCs is difficult
• Built into Windows
[Diagram: DC1, DC2 and DC3 forward their logs to a member server, and the agent reads the logs there]
46. User-ID XML API
• The API allows user data to be pulled from other sources on the network
• Defines an XML payload sent to User-ID over SSL
• A script on an external device uses the User-ID API to send updates to User-ID
[Diagram: User-ID updates the user-to-IP mapping on the firewall]
47. Enabling User-ID Agent for User-ID API
• XML-formatted data is sent to the User-ID Agent
• Software agents must be enabled to accept XML API requests; the agent then sends the data to the firewall via SSL
• The PAN-OS agent is always enabled
• A User-ID Agent permission can be used to create an administrator account that accepts XML API connections
• Treat that account's credentials and API key like any other administrative secret: whoever can authenticate to the API can assert arbitrary user-to-IP mappings and so change which policy rules a host's traffic matches
48. Additional User-ID API XML Request Options
Entry timeout:
  <login>
    <entry name="domainuid1" ip="10.1.1.1" timeout="20"/>
  </login>
Local group membership:
  <groups>
    <entry name="finance-group">
      <members>
        <entry name="domainuid1"/>
        <entry name="domainuid2"/>
      </members>
    </entry>
  </groups>
HIP profile information:
  <entry name="domainuid1" ip="10.1.1.1" timeout="20">
    <hip-report>
    …
    </hip-report>
  </entry>
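As an added example for slides 46 through 48 (not code from the slides or from Palo Alto Networks), the following Python builds the login, logout and group-membership elements shown above into a uid-message update, parses such a message back on the receiving side, and shows how a script would POST it to the firewall's XML API. The wrapper elements (uid-message, version, type, payload), the endpoint form https://<firewall>/api/ with type=user-id, the reading of timeout as minutes, the domain\user naming, and the firewall hostname, API key and addresses are assumptions of the example; the HIP report body is not shown on the page and is omitted.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple


def build_uid_message(logins: Iterable[Tuple[str, str, int]] = (),
                      logouts: Iterable[Tuple[str, str]] = (),
                      groups: Optional[Dict[str, List[str]]] = None) -> str:
    """Return a <uid-message> update: login entries with a timeout,
    logout entries, and local group membership (slide 48 layout)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"   # assumed wrapper, not shown on the slide
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, timeout in logins:
            # timeout is the mapping lifetime; treated here as minutes (assumption)
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    if groups:
        groups_el = ET.SubElement(payload, "groups")
        for group, members in groups.items():
            group_el = ET.SubElement(groups_el, "entry", name=group)
            members_el = ET.SubElement(group_el, "members")
            for member in members:
                ET.SubElement(members_el, "entry", name=member)
    return ET.tostring(root, encoding="unicode")


def summarize_uid_message(xml_text: str) -> dict:
    """Receiver-side view of a message: the mappings and groups it asserts.
    Anything that is not a uid-message update is rejected, because the API
    trusts whoever holds the key and a bad message changes policy matching."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message" or root.findtext("type") != "update":
        raise ValueError("not a uid-message update")
    logins = [(e.get("name"), e.get("ip"), int(e.get("timeout", "0")))
              for e in root.iterfind("./payload/login/entry")]
    logouts = [(e.get("name"), e.get("ip"))
               for e in root.iterfind("./payload/logout/entry")]
    groups = {g.get("name"): [m.get("name") for m in g.iterfind("./members/entry")]
              for g in root.iterfind("./payload/groups/entry")}
    return {"logins": logins, "logouts": logouts, "groups": groups}


def send_update(firewall: str, api_key: str, xml_text: str) -> bytes:
    """POST the message to the firewall XML API (type=user-id, cmd=<xml>).
    Hostname and key are placeholders; TLS certificate verification stays on,
    since the key in this request is an administrative credential."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{firewall}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read()


# Constructed sample update: two logins, one logout, one group, as on slide 48.
SAMPLE_LOGINS = [("corp\\uid1", "10.1.1.1", 20), ("corp\\uid2", "10.1.1.2", 20)]
SAMPLE_LOGOUTS = [("corp\\uid3", "10.1.1.3")]
SAMPLE_GROUPS = {"finance-group": ["corp\\uid1", "corp\\uid2"]}

if __name__ == "__main__":
    msg = build_uid_message(SAMPLE_LOGINS, SAMPLE_LOGOUTS, SAMPLE_GROUPS)
    print(msg)
    print(summarize_uid_message(msg))
    # send_update("firewall.example.net", "<api-key>", msg)  # placeholders, not run here
```

The logout element is the counterpart of the login entry for sources that know when a user leaves an address (a RADIUS accounting stop, for instance); without it, a stale mapping lives until its timeout expires and the next host to get that address inherits the user's policy.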
49. Use Case: Catholic Education SA
https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUSscript
Microsoft AD, DHCP and NPS