Configure User-ID with GlobalProtect Cloud Service
To map IP addresses to user IDs for mobile users and users at remote network locations when they log in, you must configure User-ID for the GlobalProtect cloud service. The tasks you perform to configure User-ID for the GlobalProtect cloud service are similar to configuring User-ID for on-premise Palo Alto Networks next-generation firewalls.
Use the following workflow to configure User-ID for the GlobalProtect cloud service.
- Map IP Addresses to Users for the GlobalProtect cloud service.
- To use a Windows-based User-ID Agent for User-ID-to-IP address mapping, Create a Dedicated Service Account for the User-ID Agent, then Configure User Mapping Using the Windows User-ID Agent.
- To use the PAN-OS integrated User-ID Agent for User-ID-to-IP address mapping, Create a Dedicated Service Account for the User-ID Agent, then Configure User-ID for the GlobalProtect Cloud Service Using the PAN-OS Integrated User-ID Agent.
  If you use either a Windows or PAN-OS User-ID Agent, use the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection) from the GlobalProtect cloud service in your User-ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from the GlobalProtect cloud service infrastructure.
  By default, the User-ID agent listens on port 5007 for User-ID information requests. Make sure that you implement security policies that allow User-ID traffic on this port between the GlobalProtect cloud service and the Active Directory server or User-ID Agent.
  You can also use the paloalto-userid-agent App-ID to retrieve the information from the Windows domain controller; however, if you do this, you must decrypt the SSL traffic for User-ID.
- To enable User-ID-to-IP address mapping for users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Captive Portal.
  To authenticate users using MFA, SAML, or captive portal, use the Captive Portal Redirect IP Address (Panorama > Cloud Services > Status > Network Details > Service Infrastructure) to redirect users. This IP address is assigned from the infrastructure subnet IP address pool. Alternatively, you can create a redirect host name and associate it with the Captive Portal Redirect IP Address in your internal DNS servers.
- To enable User-ID-to-IP address mapping using syslog listening, Configure User-ID to Monitor Syslog Senders for User Mapping.
- To enable User-ID-to-IP address mapping for users on Windows-based terminal servers, Configure User Mapping for Terminal Server Users.
- To enable User-ID-to-IP address mapping using an XML API, Send User Mappings to User-ID Using the XML API.
- To enable User-ID-to-IP address mapping without using an agent, Configure User-ID for the GlobalProtect Cloud Service Using the PAN-OS Integrated User-ID Agent.
Configure User-ID for the GlobalProtect Cloud Service Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
- Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server. Be sure that the user you create is a member of the following groups:
  - Distributed COM Users
  - Event Log Readers. If you are configuring the account in Windows 2003, the Event Log Readers group does not exist; instead, create a group policy and give the user Audit and manage security log permissions.
  - Server Operators
  We recommend making only these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving the account privileges that aren’t required enlarges your network’s attack surface.
- Configure Windows Management Instrumentation (WMI) on the AD server. The device uses WMI Authentication, so you must modify the CIMV2 security properties on the AD server that connects to the device.
  - Open a command prompt window and run the wmimgmt.msc command.
  - In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.
  - Make the following changes in the CIMV2 folder:
    - Select the CIMV2 folder.
    - Click Security.
    - Click Add.
    - Select the service account you created in Step 1. This example uses the UserID user with the email firstname.lastname@example.org.
    - Check Allow for Enable Account and Remote Enable for the account you created.
    - Click Apply.
    - Click OK.
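The same two steps (least-privilege group membership, then the CIMV2 namespace permissions that the wmimgmt.msc dialog sets) can be scripted on the AD server. The following PowerShell is an added example and is not from the Palo Alto Networks documentation; it assumes an elevated Windows PowerShell session on the AD server itself, the ActiveDirectory module, and a service account named UserID (a placeholder, as is the namespace handling via the standard __SystemSecurity, Win32_Trustee and Win32_ACE WMI classes rather than the GUI). Enable Account and Remote Enable map to the WBEM_ENABLE (0x1) and WBEM_REMOTE_ACCESS (0x20) access-mask bits. The closing check re-reads the DACL so you can confirm the account holds no rights beyond those two.

```powershell
# Added example, not Palo Alto Networks code. Run elevated on the AD server.
# Placeholder: the service account name; replace with the account from Step 1.
Import-Module ActiveDirectory

$Account   = 'UserID'        # assumed service account name
$Namespace = 'root\cimv2'    # namespace edited in Step 2 (CIMV2 folder)

# Step 1: exactly the three groups the procedure lists; no Domain Admins
# or Enterprise Admins, which the agent does not need.
$RequiredGroups = 'Distributed COM Users', 'Event Log Readers', 'Server Operators'
foreach ($Group in $RequiredGroups) {
    Add-ADGroupMember -Identity $Group -Members $Account -ErrorAction Stop
}

# Step 2: grant "Enable Account" + "Remote Enable" on root\cimv2.
$WBEM_ENABLE        = 0x1     # Enable Account
$WBEM_REMOTE_ACCESS = 0x20    # Remote Enable
$GrantedMask        = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$Sid = (Get-ADUser -Identity $Account).SID.Value

$Security   = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$Descriptor = $Security.GetSecurityDescriptor().Descriptor

$Trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$Trustee.SIDString = $Sid

$Ace = ([wmiclass]'Win32_ACE').CreateInstance()
$Ace.AccessMask = $GrantedMask
$Ace.AceFlags   = 0      # this namespace only; no inheritance to sub-namespaces
$Ace.AceType    = 0      # ACCESS_ALLOWED_ACE_TYPE
$Ace.Trustee    = $Trustee.PSObject.ImmediateBaseObject

$Descriptor.DACL += $Ace.PSObject.ImmediateBaseObject
$Result = $Security.SetSecurityDescriptor($Descriptor.PSObject.ImmediateBaseObject)
if ($Result.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor on $Namespace failed with code $($Result.ReturnValue)"
}

# Check: re-read the DACL and warn if the account holds anything beyond the two rights.
$Applied = $Security.GetSecurityDescriptor().Descriptor.DACL |
    Where-Object { $_.Trustee.SIDString -eq $Sid }
if (-not $Applied) {
    throw "No ACE for $Account found on $Namespace after the update"
}
foreach ($Entry in $Applied) {
    if ($Entry.AccessMask -ne $GrantedMask) {
        Write-Warning ("{0} holds WMI rights 0x{1:X} on {2}, more than Enable Account + Remote Enable; review them." -f $Account, $Entry.AccessMask, $Namespace)
    }
}
"$Account now has Enable Account and Remote Enable on $Namespace"
```

Get-WmiObject is the Windows PowerShell 5.1 cmdlet available on Windows Server; the GUI steps above remain the documented path, and the script only reproduces them so the change is repeatable and auditable.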
- In Panorama, select Device > User Identification > User Mapping and click the gear icon to edit the settings.
- Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
  - Select WMI Authentication and enter the domain and username (in the format domain/username) for the User-ID service account, along with a valid password.
  - (Optional) Select Server Monitor and change the default settings, if required.
    - To disable security log monitoring on Windows servers, deselect Enable Security Log.
    - To enable monitoring of user sessions on the monitored servers, select Enable Session.
  - (Optional) Select Client Probing and select Enable Probing to enable WMI probing.
  - Click OK to exit from the Palo Alto Networks User-ID Agent Setup.
- If you have not done so already, click Add in the Server Monitoring area and add a Name, Description, Type, and Network Address for the server you need to monitor.
- Confirm that the server is connected.
  - To confirm using CLI commands, enter the show user server-monitor statistics command.

        username@hostname> show user server-monitor statistics
        Directory Servers:
        Name                         TYPE  Host                         Vsys   Status
        ---------------------------------------------------------------
        exampleadserver.example.com  AD    exampleadserver.example.com  vsys1  Connected

  - To confirm using Panorama, check the Status of the server.