User-ID Pre-work and Lab

In this lab you will:

Setup the firewall to get LDAP from your AD DS
Setup the firewall to directly query DC server to monitor for UID mappings and Configure
Syslog listener
Setup the VM based UID Agent to query DC server

Prerequisite Work
You must complete the Lab In a Box
Lab A- VM-Series image setup
Lab B- Windows 7 & Windows 2012 image setup
Install Kiwi SyslogGEN on Windows 2012 Image
Pre-work: Kiwi SyslogGEN

1. Download Kiwi SyslogGen from http://www.kiwisyslog.com/downloads.aspx

a. Scroll to the bottom of the page and its under Free Products and Utilities
2. Unzip the Kiwi SyslogGen on your Windows 2012 image
3. Install Kiwi SyslogGen on your Windows 2012 image using Kiwi_SyslogGen-2.2.0-
setup
a. Follow the prompts and use default prompts
Part 1. Setup the firewall to get LDAP from your AD DS

1. In the firewall GUI, make sure that user-identification is enabled on the l3-trust zone
(Network tab-> Zones).

2. In the Windows 2012 image, use Active Directory Users and Computers to create a new
account called panagent. Create it in acme.com-> Users container. Assign a password
you will remember, and do not force the user to change the password at next logon. After
creation of the account, edit the properties of the account. Assign the account to be a
member of two additional groups: Event Log Readers, Server Operators and Distributed
COM Users:

Note that the panagent account will provide two functions for us:
read all the groups (via Domain Users)
read the security logs (via Event Log Readers and Distributed COM Users)
3. By default, all traffic that orignates from the firewall (such as NTP, Palo Alto Updates,
radius, syslog, etc..) will be sourced from the management interface. On the firewall
GUI, adjust LDAP traffic to be sourced out of the ethernet1/2 interface. This can be
adjusted via the Service Route Configuration. On your firewall GUI, go to Device ->
Setup -> Services -> Service Route Configuration. On the IPv4 tab, edit the LDAP
service to use ethernet1/2:

4. In the firewall GUI, go to Device tab -> Server Profiles->LDAP. Add a new server from
which to retrieve the group mappings. Match the configuration below, using the panagent
account and password you configured above.
Make sure to uncheck the box for SSL! SSL will fail as we have not setup
certificates on the DC

This configuration points to the top of the domain tree structure, therefore all users and
groups will be retrieved.
5. In the firewall GUI, go to Device tab -> User Identification-> Group Mapping
Settings. Add a new server as follows:

After you select the server profile, accept all the defaults that appear.
Commit the configuration.

6. In the firewall GUI, go to the System log, and look for any events with ( subtype eq
userid ). This is the event message you want:

Here are some possible errors and fixes:

For the above error, make sure you have the proper service route configured. Also make
sure the clocks are set properly.

For the above error, make sure the panagent user exists on the DC.

For the above error, make sure you do NOT have SSL enabled on the LDAP config.
7. Now you will specify what users/groups you want to be able to retrieve from LDAP . Go
to Device tab -> User Identification-> Group Mapping Settings. Edit the server you
 previously added. Go to the Group Include List tab. Expand the tree on the left. (The
tree should expand with no errors since you previously confirmed the LDAP server was
connected.) On the left, expand cn=users to locate domain users. Click + to move the
domain users group to the right-hand column.

8. Commit the configuration.

Verifying Group Mapping
9. On the VM-Series console, run this command to confirm the group mapping status:
show user group-mapping state all

You should see the group you specified at the bottom of the output. Confirm group
mapping is working before proceeding.
Part 2. Setup the firewall to directly query DC server to monitor for
UID mappings and Configure Syslog listener

10. Now that group mappings are working correctly, you will configure username to IP
mapping. The first method will configure the native firewall agent to query the DCs
security logs directly (no separate User-ID Agent required) using WMI Authentication. On
your firewall GUI, go to Device tab -> User Identification-> User Mapping, and edit the
very top section called Palo Alto Networks User ID Agent Setup. Match this screen:

There is no need to modify any other settings on the other tabs but feel free to look
around. Close the Palo Alto Networks User ID Agent Setup window.

11. You will now need to give the correct WMI permissions on the DC by adding the user
ACME\panagent to the CIMV2 Namespace. Do the following on your Windows 2012
domain controller:

a) Click Start > Windows Power Shell > type wmimgmt.msc

b) In the console tree, right-click WMI Control, and then click Properties.

c) Click the Security tab

d) Expand Root and select CIMV2. Click on the Security box on the bottom right.

e) Add the user panagent and assign Allow Permissions to the following: Enable
Account, Remote Enable, and Read Security.

12. In the firewall GUI, on the Device -> User Identification -> User Mapping screen, in
the middle section called Server Monitoring, you will add the DC to monitor. Add a
new server as follows:
 In a customer deployment, the customer will need to add ALL the DCs in the domain to
this list, as users can authenticate with *any* DC.
13. Commit the config.

14. In the firewall GUI, confirm on the Device tab -> User Identification -> User Mapping
screen, under Server Monitoring, the status is connected:

If there it is not connected, check the system log, and make sure you configured the
correct WMI permissions on the DC (previous step).

Verifying username to IP mappings (firewall -> DC method)

15. Login to Windows 7 as acme\user1. Start a continuous ping to the Internet (ping t
4.2.2.2). Also bring up some web pages.

16. From the VM-Series console, run this command to get a list of all the user-IDs and IPs
has obtained:
show user ip-user-mapping all
If nothing is showing up, make sure the VM-Series and Windows 2012 server clocks are within
10 minutes of each other.

17. In the firewall GUI, go to the traffic log and look for values in the Source User column:

18. Logout of the Windows 7 desktop, and log in as user2 to the domain. Generate ping
and web-browsing traffic.
19. View the user mapping from the firewall CLI, and you will see that user2

20. View the traffic logs to also confirm that user2 is now associated with the ping and web-
browsing traffic.
Transition

21. Now we will configure the syslog listening. Open Agent setup from Device>User
Identification>User Mapping - User ID Agent Setup and go to the Syslog Filters tab.
22. Click on Add and we will create a custom Syslog Parse Profile using Regex Identifier.
The example Syslog provided comes from Cisco ISE commonly used by our
customers.

Event Regex: CISE_RADIUS_Accounting

Username Regex: (?<=User-Name=)([a-zA-Z0-9\_]+)
(?<=Framed-IP-Address=)([A-F0-9a-f:.]+)
23. Now we will create a Syslog Server Monitoring profile for the Kiwi SyslogGen. From
Device>User Identification>User Mapping in middle Click add under Server Monitoring.
From here we will select
a) Type Syslog Sender
b) the IP from Windows 2012 Image
c) UDP for connection type
d) Select Cisco-ISE filter
e) Set default netbios domain name

24. Next you need to configure your Interface Mgmt profile for your L3-trust interface to
enable User-ID Listener UDP
25. Commit changes

26. From Windows 2012 Image, Run Kiwi SyslogGen

a) Target IP Enter L3-Trust IP for Firewall
 b) Transport Syslog UDP
c) Destination port 514
d) Message text to send : MultiLine text message and paste below Syslog Message
e) CISE_RADIUS_Accounting 0000002889 2 0 2016-01-27 12:24:05.139 -05:00
0116853750 3001 NOTICE Radius-Accounting: RADIUS Accounting stop
request, ConfigVersionId=28, Device IP Address=10.1.254.156,
RequestLatency=2, NetworkDeviceName=panlab-ise, User-Name=user2, NAS-
IP-Address=10.1.254.156, NAS-Port=13, Framed-IP-Address=192.168.45.65,
Class=CACS:0a01fe9c0000a16e56a8f673:usadc-nat13/242692834/4438931,
Called-Station-ID=10.1.254.156, Calling-Station-ID=e8-80-2e-e4-3b-e2, NAS-
Identifier=panlab-ise, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-
Octets=156191, Acct-Output-Octets=616728, Acct-Session-
Id=56a8f673/e8:80:2e:e4:3b:e2/23988, Acct-Authentic=RADIUS, Acct-Session-
Time=1732, Acct-Input-Packets=1317, Acct-Output-Packets=1098, Acct-
Terminate-Cause=Idle Timeout, undefined-52=
f) Hit send

g) From CLI on firewall run show user ip-user-mapping all type SYSLOG and youll
see your new entry
eric-admin@usats-vm1(active)> show user ip-user-mapping all type SYSLOG

IP Vsys From User IdleTimeout(s) M

axTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -
------------
192.168.45.65 vsys1 SYSLOG acme\user2 13295 1
3295
Total: 1 users
Part 3: Install User-ID Agent
27. In the firewall GUI, remove the configuration that uses the native user-ID agent to query
the DC. (Hint: Device tab -> User Identification -> User Mapping -> Server
Monitoring.) Commit the change.

28. In the Windows 2012 server:

a) Log in as the domain administrator.

b) In a browser, go to https://support.paloaltonetworks.com > Software

Updates and download the latest User-ID Agent installation file, one that
matches the version of PAN-OS you are running on your firewall.. The filename
will begin with UaInstall.

29. Install that the User-ID agent, accepting all the defaults.

Note that you typically do NOT install the UserID agent on a DC in a customer
environment. Typically it would be installed on a member server in the domain to be
monitored.

30. On Windows 2012, go to Start >Windows Power Shell, and type in the command
services.msc. The Services control panel will appear:

a) Scroll down to User-ID Agent, and double-click. Go to the Log On tab. Change
the setting to logon as the panagent account:
 Apply that change and close the User-ID Agent Properties screen. Keep the
Services window open.

31. In order to run a service without being logged in as that user, youll have to assign
correct permissions on the Windows 2012 Server registry as well as a particular
directory.
a) At a command prompt, type regedit.
b) Navigate to Computer\HKEY_Local_Machine\Software\Wow6432Node\Palo
Alto Networks

c) Right click Palo Alto Networks, then select Permissions.

d) Add the user panagent and allow full control. Close the registry editor.
e) Within your Windows 2012 Server, navigate to the following location C:\Program
Files (x86)\. Right click Palo Alto Networks and select Properties
f) In the Security Tab, add the user panagent and allow full control. Click Ok to
close those two windows, but keep the file browser open:
 You will come back to this window in a minute.
32. Navigate back to the Services window. In the list of services, right-click on User-ID
Agent and select Restart or Start. Make sure the status says running, and then
close the Services control panel.

33. In the window you left open at the end of step 30, drill into the User-ID Agent installation
folder. Right-click on the UaController application, and select Run as Administrator.

Note: if you do not use run as administrator, the commit in step d below will fail.
a) The UserID Agent GUI will appear. Look for the agent status to say agent
is running:

b) Click Setup in the left-hand tree. Click the Edit button under the Setup
panel to configure the agent:
User name for AD: panagent@acme.com, enter the password for
that account
Disable WMI probing
Disable NetBIOS probing
What TCP port is this service operating on? Remember that port
number, you will need it when configuring the firewall to talk to this
agent.
Close the Setup window.

c) Under User Identification -> Discovery, click Auto Discover. Look for
the domain controllers name and IP to be shown:

d) Click Commit in the User-ID Agent to activate your changes.

 e) Click Logs in the left-hand tree. New logs are added at the bottom. You
can change the debug level via the File->Debug menu at the top left
corner. Confirm that the current debug level is Information:

f) Click Clear log. Notice that log messages immediately start populating.
You can use this log for troubleshooting.
34. You will now tell the firewall to query the User-ID agent for username to IP mappings. Go
to the firewall GUI and go to Device > User Identification > User-ID Agents. Add a
new agent as follows:

35. Commit your configuration.

36. To verify connectivity between the firewall and the agent, under Device > User
Identification > User-ID Agents look for the status to show a green circle in the
Connected column.

If there are problems, examine the System log for ideas of what to troubleshoot. One
suggestion: confirm the local firewall on the Windows Server has been disabled.
 37. Go back to the Windows 2012 desktop and examine the User-ID Agent logs. The logs
will show that the firewall has connected to it:

a) The UserID Agent main screen will look like this:

Note: In PAN-OS 7.0.2+, the above IP address may show up as 192.168.45.1,

however communication between the agent and the firewall appears to be fully
operational. It may be a bug in VMWare.

38. From the firewall CLI, issue this command to confirm the status is conn:idle:
show user user-id-agent statistics

Verifying username to IP mappings (firewall -> agent-> DC method)

39. In the Windows 7 image, login to the domain as user3. Generate some traffic to the
Internet, including ping.

40. In the firewall CLI, use show user ip-user-mapping all to see a list of usernames and
associated IPs.
 41. In the firewall GUI, examine the traffic log to see traffic generated by user3.

42. You may want to take another VMware snapshot of the Windows 2012 image and VM-
Series image, and call those After userID lab. You also may want to save a named
configuration snapshot of your VM-series config.

END OF LAB