How To Install and Configure PANAgent
One of the unique attributes of the Palo Alto Networks firewall is the ability to control traffic based upon usernames and group names. In PANOS 4.0, there are three different server-based agents that are used to track users:

- PanAgent
    o User identification for Active Directory
    o Agent polls the domain controllers to determine who is logged into what IP, and sends that information to the PA firewalls
    o Discussed in this document
- LDAPAgent
    o User identification for LDAP servers, such as eDirectory
    o Discussed in this knowledge base document: https://live.paloaltonetworks.com/docs/DOC-1445
- TSAgent
    o User identification on Terminal Servers/Citrix Servers
    o The agent is installed on each terminal server, and sends the username/IP information to the PA firewalls
    o Installation steps are in the PANOS 4.0 Administrators Guide, found on our support site

For a technical overview of each of these agents, please read the User Identification Tech Note PANOS 4.0 found at https://live.paloaltonetworks.com/docs/DOC-1807.

This document will give the steps to install and configure the PanAgent for Active Directory, which from now on will be referred to as the PanAgent.
PANOS 4.0
To determine beforehand:

- Determine onto which machine the PanAgent will be installed. That machine must:
    o be running Windows XP service pack 2 or higher, or Windows Server 2003 service pack 2 or higher, or Windows Server 2008
    o be a member of the domain to be monitored
    o have network connectivity to the DCs and to the management port of the PAN firewall
    o be near the DCs that it will be querying, as it will be polling the DCs very frequently
- Determine which user account will be used by the PanAgent to query the domain. You can either use a Domain Administrator account, or set up a more restrictive account as described in Appendix A of this document.
- Determine which domain (with corresponding domain controllers) the PanAgent will be querying. Note that you need one PanAgent service for each domain. One PanAgent can handle a maximum of 64,000 users in a domain, and can talk with up to 100 DCs.
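The prerequisites above can be checked from the candidate host before the agent is installed. The following PowerShell script is an added example and is not part of the Palo Alto Networks document or product; the DC addresses, the firewall management address and the DC port list (RPC endpoint mapper, LDAP and SMB, which remote security-log reading relies on) are assumptions to be replaced with your own values.

```powershell
# Added example (not from the Palo Alto Networks document): pre-installation
# checks for a candidate PanAgent host. The DC list, firewall address and
# port list below are constructed placeholders; replace them with your own.
$DomainControllers = @('10.1.1.10', '10.1.1.11')   # assumed: every DC in the domain
$FirewallMgmtIp    = '10.1.1.1'                    # assumed: PAN firewall management IP
$DcPorts           = @(135, 389, 445)              # assumed: RPC endpoint mapper, LDAP, SMB

# TCP connect test with a timeout, so an unreachable DC does not hang the script
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Operating system: XP SP2+ (5.1), Server 2003 SP2+ (5.2) or Server 2008 (6.x)
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS: {0} (version {1}, SP {2})" -f $os.Caption, $os.Version, $os.ServicePackMajorVersion)
$osOk = ([version]$os.Version -ge [version]'6.0') -or
        (([version]$os.Version -ge [version]'5.1') -and ($os.ServicePackMajorVersion -ge 2))
Write-Host ("  supported: {0}" -f $osOk)

# 2. Domain membership of the host
$cs = Get-WmiObject Win32_ComputerSystem
Write-Host ("Domain membership: {0} (domain: {1})" -f $cs.PartOfDomain, $cs.Domain)

# 3. Each DC reachable on the required ports; ping RTT as a rough "near the DCs" indicator
foreach ($dc in $DomainControllers) {
    $rtt = (Test-Connection -ComputerName $dc -Count 1 -ErrorAction SilentlyContinue).ResponseTime
    Write-Host ("DC {0}: ping RTT {1} ms" -f $dc, $rtt)
    foreach ($p in $DcPorts) {
        Write-Host ("  tcp/{0}: {1}" -f $p, (Test-TcpPort -Address $dc -Port $p))
    }
}

# 4. Firewall management interface reachable from this host
Write-Host ("Firewall mgmt {0} reachable: {1}" -f $FirewallMgmtIp,
    [bool](Test-Connection -ComputerName $FirewallMgmtIp -Count 1 -Quiet))
```

Run it in an elevated PowerShell session on the host you intend to use; any DC reporting a closed port or a long RTT is a reason to pick a different host or to fix the path before installing the agent.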
3. Install that file, accepting all the defaults. This installs the software as a service on the Windows machine.
4. The next step is to edit that service using the services.msc administrative tool. Start the tool, and look for your new service in the list.
On the Log On tab, specify the username and password of an account that has the ability
to read the domain controller security logs. Refer to Appendix A on page 15 for the steps
to create such an account.
6. In order for the service to run as that user, you must start or restart that service. Use the General tab to do that now.
7. Close the Services control panel.
8. Start the PanAgent configuration program (Start -> Programs -> Palo Alto Networks -> User Identification Agent). In the top-right corner, click Configure.
- Domain name - enter the FQDN of the domain (example: acme.com). Do not use the NetBIOS name.
- Port number of your choosing - can be any port number that is not currently used on this machine. Make sure the local machine does not have a Windows firewall that is blocking inbound connections on that port.
- Domain controllers IP addresses - you should add in ALL the DCs in the domain here, since users can be authenticated with any DC in the domain. You can enter up to 10 IP addresses by default, up to 100 if you make a configuration change (see the note below).
  Note: the IP at the top of this list is the one and only DC that will be queried for user and group membership.
- Allow list - list of subnets that contain users you want to track.
- Ignore list - specific IP addresses that fall into the Allow List range that you do not want to track. For example, you should enter here the IPs of your Terminal Servers. (Note that if you want to track users on a Terminal Server, you must install the PAN Terminal Services Agent on each Terminal Server.)

Note: to allow the agent to talk to up to 100 DCs, edit the config.xml file found in the install directory of the agent. Stop the agent service, change the file to say <max-dc>100</max-dc>, and start the agent service.
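The config.xml change described in the note above, done from PowerShell so that the service is stopped before the file is touched and a backup is kept. This is an added example, not code from the Palo Alto Networks document; the service name and the install path are assumptions (the document names neither), so check services.msc and the agent's install directory for the real values.

```powershell
# Added example (not from the Palo Alto Networks document): raise the DC limit
# in config.xml, stopping and restarting the agent service around the edit.
# Service name and install path are assumptions; verify them on your system.
$ServiceName = 'PanAgent'                                                                   # assumed
$ConfigPath  = 'C:\Program Files\Palo Alto Networks\User Identification Agent\config.xml'   # assumed
$NewMaxDc    = 100

# Stop the service so the agent cannot overwrite the file while it is edited
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# Keep a dated backup of the original configuration
Copy-Item $ConfigPath ("{0}.{1}.bak" -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Edit <max-dc> in place; stop loudly if the element is not where we assume it is
[xml]$cfg = Get-Content -Path $ConfigPath
$node = $cfg.SelectSingleNode('//max-dc')
if ($null -eq $node) { throw "No <max-dc> element found in $ConfigPath" }
Write-Host ("max-dc: {0} -> {1}" -f $node.InnerText, $NewMaxDc)
$node.InnerText = [string]$NewMaxDc
$cfg.Save($ConfigPath)

# Bring the agent back and show its state
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Format-List Name, Status
```

After the service is back up, open the Configure window again and confirm that more than 10 DC addresses are now accepted.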
Here is an example:
In the bottom left corner of that same window, there are various timer values that you
may want to adjust after the PanAgent is operational. For now, accept the default values.
Once you are finished, click OK.
10. On the main screen, click on the Get LDAP tree button. The PanAgent service will query the first DC in the list, and retrieve a list of all of the groups in the domain. This will take a few minutes if the domain is large. Once the groups are retrieved, information will appear:
11. It is best practice to filter which AD groups will be tracked and forwarded to the PA firewall. You can configure this using the Filter Group Members and Ignore Groups buttons in the top-right corner of the main screen. You will want to configure one or the other, but probably not both.
- Use Filter Group Members if you have a large number of groups in the domain, and you want to specify exactly which groups the PanAgent will look for in the domain security logs.
- Use Ignore Groups if you want the PanAgent to pay attention to all of the AD groups, but ignore a handful of those groups.
Click on Filter Group Members, and the screen below appears. Select the AD groups you want to control using the PAN firewall.
Only the groups in the right-hand column will appear in the policy configuration screen on the PAN firewall, as shown here:
Best practice: you should include domain users in the list of filtered groups, since the
PAN Agent only keeps track of users that are members of the groups listed on the Filter
Groups page.
12. You can monitor the agent status window in the top left corner of the GUI.
If you select a particular group from that pull-down list, the users who are a member of
that group are retrieved and displayed in the text box beneath.
14. After the agent has read all the security groups, it will read through the 50,000 most recent log entries in each Domain Controller's security log, searching for login events. (Again, this may take a while.) The PanAgent will create a list of usernames and associated IPs. Click on Get All to see the IP to username mappings.
Note: the login event IDs on Windows 2000 & 2003 are 672, 673 and 674. On Windows Server 2008 they are 4624, 4768, 4769 and 4770.
15. If you have a particular IP address in mind, and want to find out which user maps to that IP, you can enter that IP to the left of the Get IP Information button. Click that button, and the name associated with that IP will appear.
16. To confirm that the server running the PanAgent is listening on the port you configured in a previous step, use the following command on the Windows machine:
netstat -an | find "xxxx"
where xxxx is the port number you configured earlier. Here is example output, showing that the UserID agent is in fact listening on port 9999:
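When the Get All list stays empty or shows stale mappings, the usual cause is that the DC security log does not contain what step 14 expects (logon auditing off, or events logged without a source address). The following PowerShell script is an added example, not part of the Palo Alto Networks document or product: it reads the same logon events from one Windows Server 2008 DC (IDs 4624 and 4768; 4769 and 4770 are left out because their account field is in user@REALM form) and builds the IP to username mapping the way steps 8 and 14 describe, applying an allow list and an ignore list. The DC name, allow list and ignore list are constructed placeholders; the account running it needs the security-log read access covered in Appendix A.

```powershell
# Added example (not from the Palo Alto Networks document): build an IP -> user
# mapping from a DC's security log the way the agent does, to confirm the log
# contains usable logon events. DC name, allow list and ignore list are assumed.
$Dc         = 'dc1.acme.com'                 # assumed DC hostname
$MaxEvents  = 50000                          # same depth the agent reads
$AllowList  = @('10.1.0.0/16', '10.2.0.0/16') # assumed: subnets containing tracked users
$IgnoreList = @('10.1.5.50')                 # assumed: e.g. a Terminal Server address

# IPv4 helpers: dotted quad -> UInt32, and a CIDR membership test
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}
function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}
# Pull a named EventData field out of the event's XML rendering
function Get-EventField ([xml]$EventXml, [string]$Name) {
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent returns newest first, so the first mapping seen for an IP is the current one
$mapping = @{}
$events = Get-WinEvent -ComputerName $Dc -MaxEvents $MaxEvents `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768 }
foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $user = Get-EventField $x 'TargetUserName'
    $ip   = Get-EventField $x 'IpAddress'
    if (-not $user -or -not $ip) { continue }
    if ($user.EndsWith('$')) { continue }                   # computer accounts are not users
    if ($ip -like '::ffff:*') { $ip = $ip.Substring(7) }    # IPv4-mapped form used by 4768
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }   # e.g. "-"
    if ($parsed.AddressFamily -ne 'InterNetwork') { continue }                   # IPv4 only here
    if ($IgnoreList -contains $ip) { continue }
    $inAllow = $false
    foreach ($cidr in $AllowList) { if (Test-InSubnet $ip $cidr) { $inAllow = $true; break } }
    if (-not $inAllow) { continue }
    if (-not $mapping.ContainsKey($ip)) {
        $mapping[$ip] = New-Object PSObject -Property @{
            IP = $ip; User = $user; EventId = $e.Id; Seen = $e.TimeCreated
        }
    }
}
$mapping.Values | Sort-Object IP | Format-Table IP, User, EventId, Seen -AutoSize
```

An empty result with a healthy DC points at audit policy (logon events not being recorded) rather than at the agent; a result that matches Get All but not the firewall's show user ip-user-mapping points at the firewall side of the configuration.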
19. You must also enable user identification on each zone that you want to monitor. On the
Network tab -> Zones page, edit the appropriate zone. In the bottom left corner of the
zone properties page, check the box to Enable User Identification.
20. The firewall is now configured to talk to the PanAgent. Commit your changes at this
time.
21. To confirm everything is configured properly, bring up a CLI to the firewall, and execute
this command:
show user pan-agent statistics
Things are working properly if you get output similar to below:
If you see the message No pan-agent configured, make sure you have committed your
configuration.
22. Now view the list of usernames and IPs that the firewall has received from the PanAgent,
using this command:
show user ip-user-mapping
If there is a long list of users, and you want to determine if a particular user (example:
jpage) is in the list, use this command:
show user ip-user-mapping | match jpage
Or you can search the output for a particular source IP:
show user ip-user-mapping | match 10.1.2.3
23. You can view the defined AD usernames and associated groups using:
show user pan-agent user-IDs
In this example, the AD groups are being filtered to only keep track of the domain
users group.
Part 3: Testing
24. At this point, you can test by logging into the domain as a regular user on a machine in the IP address range you specified to be monitored by the agent. After a few minutes, usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in the ACC drill-downs of particular applications.
25. On the firewall, go to the Policies tab -> Security screen, and select one of the policies. Edit the value in the Source User column. In the window that appears, you will see a listing of Active Directory Groups; these were pulled from the domain. Recall that if you filtered the groups, only the groups you specified will appear here.
If there is a reply from the Windows machine (as shown above), you know that there isn't another device blocking the communication.
27. For testing purposes, you can clear the logged-in user database on the PAN firewall, either for a single IP, or the complete database:
clear user-cache ip 1.1.1.9
clear user-cache all
29. The PanAgent maintains a log file which is very useful for troubleshooting. The log file
can be viewed using File -> Show Logs.
To enable detailed information on the PanAgent operation, go to File -> Debug and
select Verbose. The logs will now display more detailed messages.
Appendix A
Creating a Domain Account for use with PanAgent Service
The PanAgent must have the ability to read the security log on the domain controllers. In
particular, the user right Manage auditing and security log must be given to that account.
The Domain Admins group has that user right by default. If you want to create an account
that has more restrictive access than Domain Admins, follow these steps.
Part 1: Creating the New Account, and Assigning the User Right
1. Login to a domain controller as an administrator. Start Active Directory Users and Computers. In an OU that is appropriate, create a new account. You can give it any name you'd like.
Assign a password to the account, and uncheck the box "user must change password at next logon".
2. Now edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.
3. In the right-hand pane, locate the user right "Manage auditing and security log". Double-click that entry. You will see that only Administrators have that user right.
5. Click Browse.
6. Enter the username of the account you just created, and click on Check Names to confirm
that account exists. The account name will become underlined.
7. Click Ok two times. The user right will now look like this:
8. Close that screen, as well as exit from the Default Domain Controller Security Policy
tool.
9. In order for this policy to take effect immediately, run this command on each domain
controller in the domain:
If you do not run this command on each DC, it will take up to 60 minutes for this change
to be propagated onto each DC.
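Once the policy has been applied, it is worth confirming on the DC that the account actually holds the "Manage auditing and security log" right (the privilege Windows calls SeSecurityPrivilege) and that it has not been dropped into Domain Admins along the way, since the point of this appendix is an account with less than Domain Admin access. The following PowerShell script is an added example and not part of the Palo Alto Networks document; the domain and account names are constructed placeholders. It uses secedit to export the local user-rights assignment (which on a DC reflects the applied Default Domain Controllers policy) and an ADSI search for the account's group memberships.

```powershell
# Added example (not from the Palo Alto Networks document): verify on a DC that
# the service account holds SeSecurityPrivilege and is not a Domain Admin.
# Domain and account names are constructed placeholders.
$Domain  = 'ACME'       # assumed NetBIOS domain name
$Account = 'panagent'   # assumed service account created in step 1

# Resolve the account to its SID; secedit lists rights holders as *SID
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user-rights section of the local security database
$tmp = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $tmp | Where-Object { $_ -match '^SeSecurityPrivilege' }
Remove-Item $tmp -ErrorAction SilentlyContinue

$hasRight = [bool]($line -and ($line -match [regex]::Escape($sid)))
Write-Host ("{0}\{1} ({2})" -f $Domain, $Account, $sid)
Write-Host ("  SeSecurityPrivilege assigned: {0}" -f $hasRight)
Write-Host ("  raw entry: {0}" -f $line)

# Least privilege check: the account should not also be in Domain Admins
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$Account))"
$result   = $searcher.FindOne()
$groups   = @($result.Properties['memberof'])
$isDomainAdmin = [bool]($groups | Where-Object { $_ -like 'CN=Domain Admins,*' })
Write-Host ("  member of Domain Admins: {0}" -f $isDomainAdmin)
```

If the right shows as not assigned right after editing the policy, the change has simply not been refreshed on that DC yet; re-run the check after the refresh described in step 9.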
11. In the PanAgent Properties window, select the Security tab, and click on the Advanced
button. The window will be similar to the following:
12. Click Add, and enter the name of the new account. Click Check Names to confirm that
you spelled the account name correctly.
14. In the Permission Entry for PanAgent window, check the box to Allow Full Control. All
the boxes below it will become checked. Click Ok. The Advanced Security Settings for
PanAgent window will now have a new entry at the top of the list:
18. Confirm that the new user can view the events in the security log.
19. Use View -> Find to search for login events (event ID 672 on Windows 2000/2003,
event ID 4624 on Windows 2008). You should see numerous events of that type.
20. (OPTIONAL) If you want to further restrict this account from being able to clear the
security log, refer to Microsoft KB 323076.
Part 4: Configuring the PAN Agent Service to Use the New Account
21. At this point, you can login to the server that is running the PAN PanAgent, and
configure the PanAgent service to use the newly-created account.
22. Restart the service so that it will use the new account.
23. Confirm that you can view the troubleshooting log by starting the PanAgent GUI, and
going to File -> Show Logs.
If the log file does not exist, make sure you completed the steps in part 2 of this appendix.