Installation Steps for PAN User-ID Agent




If you have an Active Directory domain and would like the Palo Alto Networks firewall to match traffic to particular logged-in users, you can install the PAN User-ID Agent. The User-ID Agent queries the specified domain controllers, searches their security logs for particular event IDs, and uses that information to build a database of currently logged-in users and their associated IPs. That database is then pushed to the PAN firewalls, where it is used for policy enforcement and traffic logging.

Note that PANOS 3.0 now supports tracking users on Terminal Servers and Citrix Servers. To do this, you must install the Terminal Server Agent on the TS/Citrix server; refer to the PANOS 3.0 Administrator's Guide for instructions.

To determine beforehand:

Determine onto which machine the User-ID Agent will be installed. That machine must:
- be running Windows XP Service Pack 2, Windows Server 2003 Service Pack 2, or Windows Server 2008
- be a member of the domain to be monitored
- have network connectivity to the DCs and to the management port of the PAN firewall
- should be near the DCs that it will be querying

Determine which user account will be used by the User-ID Agent to query the domain. You can either use a Domain Administrator account, or set up a more restrictive account as described in Appendix A of this document (page 11).

Determine which domain (with corresponding domain controllers) the User-ID Agent will be querying. Note that you need one User-ID Agent for each domain. One User-ID Agent can handle a maximum of 64,000 users in a domain.

Part 1: Installing and Configuring the User-ID Agent

1. Log in to the PC that you will use to run the User-ID Agent. For this initial installation, log in as a domain administrator.

2. Download the latest version of the User Identification Agent (PanAgent.msi) from https://support.paloaltonetworks.com.

PANOS 3.0.0 1

3. Install that file, accepting all the defaults. This installs the software as a service on the PC.

4. You will now configure the User-ID Agent service to run under a different account. Bring up the Services administrative tool, services.msc.

5. In the list of services, edit the PanAgentService. On the Log On tab, specify the username and password of an account that has the ability to read the domain controller security logs. Refer to Appendix A on page 11 for the steps to create such an account. In this example, the account is called PANuserid, in the acme domain.

6. In order for the service to run as that user, you must start or restart the service. Use the General tab to do that now. Close the Services control panel.

7. Start the User-ID Agent configuration program (Start -> Programs -> Palo Alto Networks -> User Identification Agent). In the top-right corner, click Configure. On the configuration screen, fill in the following fields:
- Domain name: enter the FQDN of the domain (example: acme.com).
- Port number of your choosing: can be any port number that is not currently in use on this machine. Make sure the local machine does not have a Windows firewall that is blocking inbound connections on that port.
- Domain controllers' IP addresses: add ALL the DCs in the domain here, since users can be authenticated by any DC in the domain. You can enter up to 100 IP addresses.
- Allow list: list of subnets that contain users you want to track.
- Ignore list: IP addresses of machines you do not want to track.

In the bottom-left corner of that same window, there are various timer values that you may want to adjust after the User-ID Agent is operational. For now, accept the default values. Once you are finished, click OK.

8. (OPTIONAL) On the main page of the User-ID Agent, you can specify which AD groups you do or do not want to forward to the PAN firewall. The Filter Group Members and Ignore Groups buttons are in the top-right corner of the main screen. You will want to configure one or the other, but probably not both. Use Filter Group Members if you have a large number of groups in the domain and you want to specify exactly which groups the User-ID Agent will look for in the domain security logs. Use Ignore Groups if you want the User-ID Agent to pay attention to all of the AD groups but ignore a handful of them. Click Filter Group Members and select the AD groups you want to control using the PAN firewall. Note that only the groups in the right-hand column will appear in the policy configuration screen on the PAN firewall.

9. On the main screen, click the Get LDAP tree button. The User-ID Agent service will query the domain and retrieve a list of all of the groups in the domain. This will take a few minutes if the domain is large.

10. You can monitor the agent status window in the top-left corner. Possible status codes:
- Connection Failed
- Please start the PanAgent service first
- Reading domainname\enterprise admins Membership
- No errors

11. Click Get Groups, and a list of domain groups will appear in the pull-down list.

12. After the agent has read all the security groups, it will read through the 50,000 most recent log entries in each domain controller's security log, searching for login events (see note 1 below). Again, this may take a while. The User-ID Agent will create a list of usernames and associated IPs. Click Get All to see the IP-to-username mappings.

13. If you have a particular IP address in mind and want to find out which user maps to that IP, enter that IP to the left of the Get IP Information button. Click that button, and the name associated with that IP will appear.

14. To confirm that the server running the User-ID Agent is listening on the port you configured in a previous step, use the following command on the PC:

    netstat -an | find "xxxx"

where xxxx is the port number you configured earlier. In the example output of the original document, the User-ID Agent is in fact listening on port 9999.

Note 1: Event IDs on Windows 2000 & 2003: 672, 673, 674. Event IDs on Windows Server 2008: 4624, 4768, 4769, 4770.

Part 2: Configuring the Firewall to Communicate with the User-ID Agent

15. Log in to the PAN firewall as admin. Go to the Device tab -> User Identification.

16. In the left column, add the IP address and port of the User-ID Agent.

17. You must also enable user identification on each zone that you want to monitor. On the Network tab -> Zones page, edit the appropriate zones (example: tapzone). In the bottom-left corner of the zone properties page, check the box to Enable User Identification.

18. The firewall is now configured. Commit your changes at this time.

19. To confirm everything is configured properly, bring up a CLI to the firewall and execute this command:

    show pan-agent statistics

The command produces one of two kinds of output (both shown as screenshots in the original document): one that probably means you haven't committed, and one that indicates things are working properly.

20. You can view the defined AD usernames and associated groups using:

    show pan-agent user-ids

Part 3: Testing

21. At this point, you can test by logging into the domain as a regular user, on a machine in the IP address range you specified to be monitored by the agent. After a few minutes, usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in the ACC drill-downs of particular applications.

22. On the firewall, go to the Policies tab -> Security screen, and select one of the policies. Edit the value in the Source User column. In the window that appears, you will see a listing of Active Directory groups; these were pulled from the domain. Recall that if you filtered the groups, only the groups you specified will appear here.

Part 4: Troubleshooting Hints

23. You can view the currently logged-in users using:

    debug dataplane show user all

If there is a long list of users and you want to determine whether a particular user (example: jpage) is in the list, use this command:

    debug dataplane show user all | match jpage

Or you can search the output for a particular source IP:

    debug dataplane show user all | match 172.16.1.14

24. For testing purposes, you can clear the logged-in user database on the PAN firewall, either for a single IP or the complete database:

    debug dataplane reset user-cache ip 1.1.1.9
    debug dataplane reset user-cache all

To re-establish the connection with the User-ID Agent, run this command:

    debug device-server reset pan-agent all

25. Ignoring Service Accounts. Some customers have batch files that execute after a user logs in, and these batch files run as a different AD account. That service account may then appear in the User-ID Agent user database. If that is the case, you can tell the User-ID Agent to ignore that particular user account. To do this, create a file called ignore_user_list.txt in the directory in which the User-ID Agent was installed (typically C:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

26. The User-ID Agent maintains a log file which is very useful for troubleshooting. The log file can be viewed using File -> Show Logs. To enable detailed information on the User-ID Agent operation, go to File -> Debug and select Verbose. The logs will then display more detailed messages.
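To make the filtering rules in steps 7, 12 and 25 concrete, the following is an added Python model of how the IP-to-user database is derived from domain controller logon events. It is illustrative code written for this page, not Palo Alto Networks' agent code; it assumes that ignore_user_list.txt names accounts without the DOMAIN\ prefix and that the newest logon seen for an address wins, and the events and file contents are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Logon event IDs the agent searches for, per the tech note's footnote.
LOGON_EVENT_IDS = {672, 673, 674, 4624, 4768, 4769, 4770}

@dataclass
class SecurityEvent:
    event_id: int
    user: str      # DOMAIN\account as written to the DC security log
    ip: str        # workstation address taken from the event
    record: int    # log record number; higher means more recent

def account_name(user):
    # Assumption: ignore_user_list.txt names accounts without the DOMAIN\ prefix.
    return user.rsplit("\\", 1)[-1].lower()

def load_ignore_users(text):
    # ignore_user_list.txt body: one service account per line, blanks skipped.
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def build_mapping(events, allow_subnets, ignore_ips, ignore_users):
    # Allow list = subnets to track; ignore list = addresses to skip; newest logon wins.
    allowed = [ipaddress.ip_network(s) for s in allow_subnets]
    skipped = {ipaddress.ip_address(a) for a in ignore_ips}
    mapping = {}
    for ev in sorted(events, key=lambda e: e.record):
        if ev.event_id not in LOGON_EVENT_IDS:
            continue                       # not one of the footnote's logon IDs
        if account_name(ev.user) in ignore_users:
            continue                       # batch-job service account
        addr = ipaddress.ip_address(ev.ip)
        if addr in skipped:
            continue                       # explicitly ignored machine
        if allowed and not any(addr in net for net in allowed):
            continue                       # outside the tracked subnets
        mapping[ev.ip] = ev.user
    return mapping

# Constructed sample events (no real log data); 672 is the Windows 2003 logon ID.
SAMPLE_EVENTS = [
    SecurityEvent(4624, "acme\\jpage", "172.16.1.14", 1),
    SecurityEvent(4624, "acme\\svc_backup", "172.16.1.14", 2),  # post-logon batch job
    SecurityEvent(672, "acme\\rplant", "172.16.1.20", 3),
    SecurityEvent(4624, "acme\\jbonham", "10.0.0.5", 4),        # not in the allow list
    SecurityEvent(4672, "acme\\jpjones", "172.16.1.30", 5),     # not a logon event ID
    SecurityEvent(4624, "acme\\jpjones", "172.16.1.250", 6),    # address on the ignore list
    SecurityEvent(4624, "acme\\jpjones", "172.16.1.30", 7),
    SecurityEvent(4624, "acme\\rplant", "172.16.1.14", 8),      # newer logon replaces jpage
]
IGNORE_USER_LIST = "svc_backup\n"   # constructed ignore_user_list.txt contents

def demo():
    return build_mapping(SAMPLE_EVENTS, ["172.16.1.0/24"], ["172.16.1.250"], load_ignore_users(IGNORE_USER_LIST))
```

Running demo() yields three mappings: 172.16.1.14 and 172.16.1.20 to acme\rplant and 172.16.1.30 to acme\jpjones; the service account, the out-of-subnet host and the ignored address never reach the table.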

Appendix A: Creating a Domain Account for Use with the PanAgent Service

The User-ID Agent must have the ability to read the security log on the domain controllers. In particular, the user right "Manage auditing and security log" must be granted to that account. The Domain Admins group has that user right by default. If you want to create an account that has more restrictive access than Domain Admins, follow these steps.

1. Log in to a domain controller as an administrator. Start Active Directory Users and Computers. In an appropriate OU, create a new account. You can give it any name you'd like. Assign a password to the account, and uncheck the box "User must change password at next logon".

2. Now edit the Default Domain Controller Security Policy, found under Programs -> Administrative Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment.

3. In the right-hand pane, locate the user right "Manage auditing and security log". Double-click that entry. You will see that only Administrators have that user right.

4. Click Add User or Group.

5. Click Browse.

6. Enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.

7. Click OK two times. The user right now lists the new account alongside Administrators.

8. Close that screen, and exit from the Default Domain Controller Security Policy tool.

9. In order for this policy to take effect immediately, run this command on each domain controller in the domain:

If you do not run this command on each DC, it will take up to 60 minutes for this change to be propagated.

10. To perform an initial test, log out of the DC, and log back into the DC as the new user (PanUserID).

11. While logged in as the new user, start Event Viewer (hint: from a command prompt, you can type eventvwr.msc).

12. Confirm that the new user can view the events in the security log.

13. Use View -> Find to search for login events (event ID 672 on Windows 2000/2003, event ID 4624 on Windows 2008). You should see numerous events of that type.

14. (OPTIONAL) If you want to further restrict this account from being able to clear the security log, refer to Microsoft KB 323076.

15. At this point, you can log in to the server that is running the PAN User-ID Agent, and configure the PanAgent service to use the newly-created account.