Securely Enabling Applications Based on Users & Groups
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Palo Alto Networks next-generation firewalls integrate with a wide range of user repositories and terminal service offerings, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user-based policy control, log viewing and reporting.
Transparent use of users and groups for secure application enablement.
User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with the widest range of enterprise directories on the market: Active Directory, eDirectory, OpenLDAP and most other LDAP-based directory servers. The User-ID agent communicates with the domain controllers and forwards the relevant user information to the firewall, making the policy tie-in completely transparent to the end user.
Identifying users via a browser challenge.
In cases where a user cannot be automatically identified through a user repository, a captive portal can be used to identify users and enforce user-based security policy. To make the authentication process completely transparent to the user, Captive Portal can be configured to send an NTLM authentication request to the web browser instead of an explicit username and password prompt.
Integrate user information from other user repositories.
In cases where organizations have a user repository or application that already has knowledge of users and their current IP addresses, an XML-based REST API can be used to tie the repository to the Palo Alto Networks next-generation firewall.
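The following is an added example, not Palo Alto Networks' code or documentation: it shows the shape of a User-ID API update as one would build it from an external repository's user-to-IP list. The element names (`uid-message`, `version`, `type`, `payload`, `login`, `entry` with `name`, `ip` and `timeout` attributes) and the `type=user-id` request to `/api/` are what I understand the PAN-OS User-ID XML API to accept; treat them as assumptions to be checked against the documentation for the PAN-OS version in use. The sample mappings are constructed. The security-relevant part is the validation: a repository feed is input to the firewall's policy engine, so each IP address is parsed strictly and malformed entries are rejected instead of forwarded.

```python
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of what an external user repository might export:
# (username, IP address) pairs for users currently logged on. Two entries
# are deliberately malformed to show that they are rejected, not forwarded.
SAMPLE_MAPPINGS = [
    ("corp\\alice", "10.1.20.15"),
    ("corp\\bob", "10.1.20.16"),
    ("corp\\mallory", "not-an-ip"),
    ("corp\\eve", "10.1.20.17; drop table"),
]


def build_userid_update(mappings, timeout_minutes=60):
    """Build a User-ID 'login' update from (user, ip) pairs.

    Returns (xml_string, rejected) where rejected lists the entries that
    failed validation together with the reason. Element and attribute
    names follow the assumed PAN-OS User-ID XML API layout.
    """
    if not isinstance(timeout_minutes, int) or timeout_minutes < 0:
        raise ValueError("timeout_minutes must be a non-negative integer")

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")

    rejected = []
    for user, ip in mappings:
        user = user.strip()
        # Reject empty names and names carrying control characters.
        if not user or any(ord(ch) < 32 for ch in user):
            rejected.append((user, ip, "invalid username"))
            continue
        try:
            # Strict parse: anything that is not a bare IPv4/IPv6 literal fails.
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            rejected.append((user, ip, "invalid ip"))
            continue
        # ElementTree escapes attribute values, so user-supplied text cannot
        # break out of the XML structure.
        ET.SubElement(login, "entry", name=user, ip=str(addr),
                      timeout=str(timeout_minutes))

    return ET.tostring(root, encoding="unicode"), rejected


def parse_login_entries(xml_body):
    """Read back the login entries of an update as (name, ip, timeout)."""
    root = ET.fromstring(xml_body)
    return [(e.get("name"), e.get("ip"), int(e.get("timeout")))
            for e in root.findall("./payload/login/entry")]


def send_userid_update(firewall_host, api_key, xml_body):
    """POST the update to the firewall's XML API (assumed request shape).

    TLS certificate verification is left enabled; the API key should belong
    to a dedicated admin role limited to User-ID operations.
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_body}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    body, bad = build_userid_update(SAMPLE_MAPPINGS)
    print(body)
    for entry in bad:
        print("rejected:", entry)
    # send_userid_update("firewall.example.invalid", "<API-KEY>", body)
```

The rejected list is worth logging on the integration host: a sudden rise in malformed entries from a repository feed is a sign the upstream data source is broken or being tampered with, and either way those entries should never reach policy.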
Transparently extend user-based policies to non-Windows devices.
User-ID can be configured to constantly monitor for logon events produced by Mac OS X, Apple iOS, and Linux/UNIX clients accessing their Microsoft Exchange email. By extending User-ID support to non-Windows platforms, organizations can deploy consistent application enablement policies.
Visibility and control over terminal services users.
In addition to support for a wide range of directory services, User-ID provides visibility and policy control over users whose identity is obfuscated by a Terminal Services deployment (Citrix or Microsoft). Completely transparent to the user, every session is correlated to the appropriate user, which allows the firewall to associate network connections with users and groups sharing one host on the network. Once the applications and users are identified, full visibility and control within ACC, policy editing, logging and reporting is available.