User-ID Lab
Prerequisite Work
You must complete the Lab In a Box prerequisites before starting:
Lab A - VM-Series image setup
Lab B - Windows 7 & Windows 2012 image setup
Pre-work: install Kiwi SyslogGEN on the Windows 2012 image (it is the syslog sender used in the syslog listener part of this lab)
1. In the firewall GUI, make sure that user-identification is enabled on the l3-trust zone
(Network tab-> Zones).
2. In the Windows 2012 image, use Active Directory Users and Computers to create a new
account called panagent. Create it in the acme.com -> Users container. Assign a password
you will remember, and do not force the user to change the password at next logon. After
creating the account, edit its properties and make it a member of three additional
groups: Event Log Readers, Server Operators and Distributed COM Users:
Note that the panagent account provides two functions for us:
read all the groups (via Domain Users)
read the security logs (via Event Log Readers and Distributed COM Users)
Server Operators is a highly privileged built-in group; it is convenient in the lab, but in a
production deployment give the service account only the memberships it actually needs.
3. By default, all traffic that originates from the firewall (such as NTP, Palo Alto updates,
RADIUS, syslog, etc.) is sourced from the management interface. In the firewall GUI,
change LDAP traffic to be sourced from the ethernet1/2 interface. This is done via the
Service Route Configuration: go to Device -> Setup -> Services -> Service Route
Configuration. On the IPv4 tab, edit the LDAP service to use ethernet1/2:
4. In the firewall GUI, go to Device tab -> Server Profiles -> LDAP. Add a new server from
which to retrieve the group mappings. Match the configuration below, using the panagent
account and password you configured above.
Make sure to uncheck the box for SSL! SSL will fail because we have not set up
certificates on the DC. Without SSL the bind password crosses the wire in clear text,
which is acceptable only in this lab.
This configuration points to the top of the domain tree, so all users and groups will be
retrieved.
5. In the firewall GUI, go to Device tab -> User Identification-> Group Mapping
Settings. Add a new server as follows:
After you select the server profile, accept all the defaults that appear.
Commit the configuration.
6. In the firewall GUI, go to the System log and filter for ( subtype eq userid ). This is the
event message you want, showing a successful LDAP connection:
If the log shows an error instead, check the following:
make sure you have the proper service route configured, and that the clocks are set properly;
make sure the panagent user exists on the DC;
make sure you do NOT have SSL enabled on the LDAP server profile.
7. Now you will specify which users and groups to retrieve from LDAP. Go to Device tab ->
User Identification -> Group Mapping Settings. Edit the server you previously added. Go
to the Group Include List tab. Expand the tree on the left. (The tree should expand with no
errors, since you previously confirmed the LDAP server was connected.) On the left, expand
cn=users to locate Domain Users. Click + to move the Domain Users group to the
right-hand column.
You should see the group you specified at the bottom of the output. Confirm group
mapping is working before proceeding.
Part 2. Set up the firewall to query the DC directly for user-to-IP mappings, and
configure the syslog listener
10. Now that group mappings are working correctly, you will configure username-to-IP
mapping. The first method uses the firewall's built-in (PAN-OS integrated) agent to read the
DC's security log directly over WMI, so no separate User-ID Agent is required. In the
firewall GUI, go to Device tab -> User Identification -> User Mapping, and edit the
very top section, Palo Alto Networks User ID Agent Setup. Match this screen:
There is no need to modify any other settings on the other tabs but feel free to look
around. Close the Palo Alto Networks User ID Agent Setup window.
11. You will now need to grant the correct WMI permissions on the DC by adding the user
ACME\panagent to the CIMV2 namespace. Do the following on your Windows 2012
domain controller:
a) Open the WMI Control console (run wmimgmt.msc, or use Computer Management ->
Services and Applications).
b) In the console tree, right-click WMI Control, and then click Properties.
c) Click the Security tab.
d) Expand Root and select CIMV2. Click the Security button at the bottom right.
e) Add the user panagent and assign Allow permissions for Enable Account, Remote
Enable, and Read Security.
12. In the firewall GUI, on the Device -> User Identification -> User Mapping screen, in
the middle section called Server Monitoring, you will add the DC to monitor. Add a
new server as follows:
In a customer deployment, the customer will need to add ALL the DCs in the domain to
this list, as users can authenticate with *any* DC.
13. Commit the config.
14. In the firewall GUI, on the Device tab -> User Identification -> User Mapping
screen, under Server Monitoring, confirm the status is Connected:
If it is not connected, check the System log, and make sure you configured the correct
WMI permissions on the DC (previous step).
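Before blaming the firewall side, it is worth proving on the DC itself that the panagent prerequisites from steps 2 and 11 are actually in place. The script below is an added example and is not part of the original lab or of Palo Alto Networks' tooling. It assumes a Windows 2012 DC with the ActiveDirectory module, the lab's ACME\panagent account, and the root\cimv2 namespace; it reads the namespace security descriptor through the WMI __SystemSecurity singleton and decodes the access-mask bits that the WMI Control GUI labels Enable Account, Remote Enable and Read Security. Run it in an elevated PowerShell on the DC.

```powershell
# Added example (not from the original lab): audit the panagent prerequisites
# on the DC before trusting the firewall's WMI connection.
# Assumptions: Windows Server 2012 DC, ActiveDirectory module available,
# account ACME\panagent, namespace root\cimv2.
Import-Module ActiveDirectory

# WMI namespace access-mask bits, from the WMI SDK WBEM_* security constants.
$WBEM_ENABLE        = 0x1       # "Enable Account" in the WMI Control GUI
$WBEM_REMOTE_ACCESS = 0x20      # "Remote Enable"
$READ_CONTROL       = 0x20000   # "Read Security"
$RequiredMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

function Test-PanAgentGroups {
    param([string]$SamAccountName = 'panagent')
    # Get-ADPrincipalGroupMembership includes the primary group (Domain Users),
    # which the memberOf attribute alone would not show.
    $have = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
            Select-Object -ExpandProperty Name
    foreach ($g in 'Domain Users','Event Log Readers','Distributed COM Users','Server Operators') {
        [pscustomobject]@{ Group = $g; Member = ($have -contains $g) }
    }
}

function Test-WmiNamespaceRights {
    param([string]$Account = 'panagent', [string]$Domain = 'ACME',
          [string]$Namespace = 'root\cimv2')
    # __SystemSecurity=@ is the singleton holding the namespace's security descriptor.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
    $mask = 0
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }                # 0 = ACCESS_ALLOWED; skip deny ACEs
        if ($ace.Trustee.Name -ne $Account -or $ace.Trustee.Domain -ne $Domain) { continue }
        $mask = $mask -bor $ace.AccessMask                  # OR together every ACE naming the account
    }
    [pscustomobject]@{
        Account       = "$Domain\$Account"
        Namespace     = $Namespace
        EnableAccount = [bool]($mask -band $WBEM_ENABLE)
        RemoteEnable  = [bool]($mask -band $WBEM_REMOTE_ACCESS)
        ReadSecurity  = [bool]($mask -band $READ_CONTROL)
        Sufficient    = (($mask -band $RequiredMask) -eq $RequiredMask)
    }
}

Test-PanAgentGroups | Format-Table -AutoSize
Test-WmiNamespaceRights | Format-List
```

Sufficient must read True for the firewall's WMI reads to succeed. The check only counts ACEs that name panagent directly, exactly as step 11 grants them; rights inherited through a group would not show up here, so if you granted them that way, check the group's ACE instead.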
16. From the VM-Series console, run this command to list all the user-to-IP mappings the
firewall has obtained:
show user ip-user-mapping all
If nothing is showing up, make sure the VM-Series and Windows 2012 server clocks are within
10 minutes of each other.
17. In the firewall GUI, go to the traffic log and look for values in the Source User column:
18. Logout of the Windows 7 desktop, and log in as user2 to the domain. Generate ping
and web-browsing traffic.
19. View the user mapping from the firewall CLI, and you will see that user2
20. View the traffic logs to also confirm that user2 is now associated with the ping and web-
browsing traffic.
Transition
21. Now we will configure the syslog listener. Open Device > User Identification > User
Mapping > Palo Alto Networks User ID Agent Setup and go to the Syslog Filters tab.
22. Click Add and create a custom Syslog Parse Profile of type Regex Identifier. The
example syslog provided comes from Cisco ISE, which is commonly used by our
customers.
24. Next, edit the Interface Management profile on your L3-trust interface to enable
User-ID Syslog Listener-UDP.
25. Commit changes
g) From the firewall CLI, run show user ip-user-mapping all type SYSLOG and you'll
see your new entry:
eric-admin@usats-vm1(active)> show user ip-user-mapping all type SYSLOG
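A dry run of the Regex Identifier profile from steps 21 to 25, added here as an example; it is not part of the original lab or of Palo Alto Networks' tooling. The three patterns mirror the profile's Event Regex, Username Regex and Address Regex fields, but they, the ISE-style sample lines and the listener address are all assumptions, not the lab's actual profile or real ISE output. Run it from the Windows 2012 host in place of Kiwi SyslogGEN to confirm two things: that the regexes pick out only successful logons, and that the listener on ethernet1/2 accepts the message.

```powershell
# Added example (not from the original lab). Dry-run a Regex Identifier parse
# profile against constructed Cisco ISE-style lines, then send one line to the
# firewall's User-ID syslog listener (UDP/514) as an end-to-end test.

# Assumed profile. PAN-OS fields: Event Regex, Username Regex, Address Regex.
# Username and address must be captured in group 1.
$IseProfile = @{
    EventRegex    = 'CISE_Passed_Authentications'
    UsernameRegex = 'UserName=([^,\s]+)'
    AddressRegex  = 'Framed-IP-Address=(\d{1,3}(?:\.\d{1,3}){3})'
}

# Constructed sample messages (layout only loosely follows ISE; not real output).
# Line 1 should produce a mapping; line 2 is a failed logon and must not.
$SampleLines = @(
    '<181>Jan 10 12:00:01 ise01 CISE_Passed_Authentications 0000012345 1 0 2015-01-10 12:00:01.123 +00:00 0000098765 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=user2, Framed-IP-Address=10.1.1.50, NAS-Port-Type=Ethernet',
    '<181>Jan 10 12:00:02 ise01 CISE_Failed_Attempts 0000012346 1 0 2015-01-10 12:00:02.456 +00:00 0000098766 5400 NOTICE Failed-Attempt: Authentication failed, UserName=baduser, Framed-IP-Address=10.1.1.77'
)

function ConvertFrom-UserIdSyslog {
    param([string[]]$Lines, [hashtable]$ParseProfile)
    foreach ($line in $Lines) {
        # Event Regex is the gate: non-matching lines are dropped, which is what
        # keeps failed logons from creating an IP-to-user mapping.
        if ($line -notmatch $ParseProfile.EventRegex) { continue }
        $u = [regex]::Match($line, $ParseProfile.UsernameRegex)
        $a = [regex]::Match($line, $ParseProfile.AddressRegex)
        if (-not ($u.Success -and $a.Success)) { continue }
        [pscustomobject]@{ User = $u.Groups[1].Value; IP = $a.Groups[1].Value; Source = 'SYSLOG' }
    }
}

function Send-TestSyslog {
    param([string]$Message, [string]$Listener, [int]$Port = 514)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($Message)
        [void]$udp.Send($bytes, $bytes.Length, $Listener, $Port)
    } finally {
        $udp.Close()
    }
}

# 1) Check the regexes offline: expect exactly one row, user2 -> 10.1.1.50
ConvertFrom-UserIdSyslog -Lines $SampleLines -ParseProfile $IseProfile | Format-Table -AutoSize

# 2) Send the passing line to the listener on ethernet1/2 (address assumed),
#    then on the firewall run: show user ip-user-mapping all type SYSLOG
Send-TestSyslog -Message $SampleLines[0] -Listener '192.168.1.1'
```

Two things to keep in mind when you run it: the firewall only processes syslog from senders it knows, so the Windows 2012 host must be defined under Server Monitoring as a Syslog Sender; and the Event Regex is your only guard against bad mappings. If it were loosened to match CISE_Failed_Attempts as well, every failed logon attempt would plant a mapping for whatever username the attempt carried.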
29. Install the User-ID Agent, accepting all the defaults.
Note that you typically do NOT install the UserID agent on a DC in a customer
environment. Typically it would be installed on a member server in the domain to be
monitored.
30. On Windows 2012, go to Start >Windows Power Shell, and type in the command
services.msc. The Services control panel will appear:
a) Scroll down to User-ID Agent, and double-click. Go to the Log On tab. Change
the setting to logon as the panagent account:
Apply that change and close the User-ID Agent Properties screen. Keep the
Services window open.
31. In order to run the service without being logged in as that user, you'll have to assign
the correct permissions on the Windows 2012 Server registry as well as on a particular
directory.
a) At a command prompt, type regedit.
b) Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo
Alto Networks
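The same permission change can be made, and read back, from an elevated PowerShell on the Windows 2012 server. This is an added example, not part of the original lab or the agent's installer. The registry key is the one named in step 31; the install folder under Program Files (x86) and the Full Control level are assumptions, so adjust both to what your install and your least-privilege policy allow.

```powershell
# Added example (not from the original lab): grant the service account the
# rights it needs to run the User-ID Agent service without an interactive logon,
# then read the ACLs back to confirm. Run from an elevated PowerShell.
# Assumptions: install folder and the Full Control level (tighten if you can).
$Account = 'ACME\panagent'
$RegKey  = 'HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks'      # from step 31
$InstDir = 'C:\Program Files (x86)\Palo Alto Networks'          # assumed install folder

function Grant-RegistryFullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Rule inherits to subkeys (ContainerInherit) so the agent's own keys are covered.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                -ArgumentList $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)      # replaces any existing allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-FolderFullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit: applies to subfolders and files (logs, config).
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EffectiveRule {
    # Read the ACL back so you can confirm the rule landed before starting the service.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, RegistryRights, FileSystemRights, AccessControlType
}

Grant-RegistryFullControl -Path $RegKey  -Identity $Account
Grant-FolderFullControl   -Path $InstDir -Identity $Account
Get-EffectiveRule -Path $RegKey  -Identity $Account
Get-EffectiveRule -Path $InstDir -Identity $Account
```

The Log On tab change in step 30 grants panagent the "Log on as a service" right automatically; this script covers only the registry key and folder that the service touches once it is running under that account.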
33. In the window you left open at the end of step 30, drill into the User-ID Agent installation
folder. Right-click on the UaController application, and select Run as Administrator.
Note: if you do not use run as administrator, the commit in step d below will fail.
a) The UserID Agent GUI will appear. Look for the agent status to say agent
is running:
b) Click Setup in the left-hand tree. Click the Edit button under the Setup
panel to configure the agent:
User name for AD: panagent@acme.com, enter the password for
that account
Disable WMI probing
Disable NetBIOS probing
What TCP port is this service operating on? Remember that port
number, you will need it when configuring the firewall to talk to this
agent.
Close the Setup window.
c) Under User Identification -> Discovery, click Auto Discover. Look for
the domain controllers name and IP to be shown:
f) Click Clear log. Notice that log messages immediately start populating.
You can use this log for troubleshooting.
34. You will now tell the firewall to query the User-ID agent for username to IP mappings. Go
to the firewall GUI and go to Device > User Identification > User-ID Agents. Add a
new agent as follows:
36. To verify connectivity between the firewall and the agent, go to Device > User
Identification > User-ID Agents and look for a green circle in the Connected column.
If there are problems, examine the System log for ideas on what to troubleshoot. One
suggestion: confirm the local firewall on the Windows Server has been disabled. (In a
customer environment, leave Windows Firewall on and instead allow the agent's TCP
port inbound from the firewall's source address only.)
37. Go back to the Windows 2012 desktop and examine the User-ID Agent logs. The logs
will show that the firewall has connected to it:
38. From the firewall CLI, issue this command to confirm the status is conn:idle:
show user user-id-agent statistics
40. In the firewall CLI, use show user ip-user-mapping all to see a list of usernames and
associated IPs.
41. In the firewall GUI, examine the traffic log to see traffic generated by user3.
42. You may want to take another VMware snapshot of the Windows 2012 image and the
VM-Series image, and call them "After userID lab". You may also want to save a named
configuration snapshot of your VM-Series config.
END OF LAB