Map IP Addresses to Users
The tasks you need to perform to map IP addresses to usernames depend on the type and location of the client systems on your network. Complete as many of the following tasks as necessary to enable mapping for your client systems:
- To map users as they log in to your Exchange servers, domain controllers, or eDirectory servers, or to map Windows clients that can be probed directly, configure a User-ID agent to monitor the server logs and/or probe the client systems. You can either install the standalone Windows User-ID agent on one or more member servers in the domain that contains the servers and clients to be monitored (see Configure User Mapping Using the Windows User-ID Agent) or use the User-ID agent that is integrated with PAN-OS on the firewall (see Configure User Mapping Using the PAN-OS Integrated User-ID Agent). For guidance on which agent configuration is appropriate for your network, and on how many agents you need and where to place them, refer to Architecting User Identification Deployments.
- If you have clients running multi-user systems such as Microsoft Terminal Server, Citrix MetaFrame Presentation Server, or Citrix XenApp, a single IP address is shared by many users and cannot be mapped to one username. See Configure the Palo Alto Networks Terminal Server Agent for User Mapping for instructions on how to install and configure the agent on a Windows server.
- If you have a multi-user system that is not running on Windows, you can use the User-ID XML API to send IP address-to-username mappings directly to the firewall. See Retrieve User Mappings from a Terminal Server Using the User-ID XML API.
- To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1X devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, configure the User-ID agent (either the Windows agent or the agentless user mapping feature on the firewall) to listen for authentication syslog messages from those services. See Configure User-ID to Receive User Mappings from a Syslog Sender.
- If you have users with client systems that do not log in to your domain servers (for example, users running Linux clients that do not log in to the domain), see Map IP Addresses to User Names Using Captive Portal.
- For any other clients that you are unable to map using the previous methods, you can use the User-ID XML API to add user mappings directly to the firewall. See Send User Mappings to User-ID Using the XML API.
Because policy is local to each firewall, each firewall must have a current list of IP address-to-username mappings in order to accurately enforce security policy by group or user. Rather than have every firewall collect mappings itself, you can configure one firewall to collect all the user mappings and distribute them to the other firewalls. For details, see Configure a Firewall to Share User Mapping Data with Other Firewalls.
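The two XML API tasks above (mapping a non-Windows system and adding mappings for clients no other method covers) both come down to producing a uid-message document and posting it to the firewall's User-ID API. The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it extracts login and logout events from syslog lines using a small regex parse profile (in the spirit of the syslog-sender method), builds the uid-message document, and shows how the document is posted with the API's type=user-id request. The syslog format, regexes, hostname fw01.example.internal, API key placeholder, and user names are all constructed for illustration; the timeout attribute is treated as minutes, which is this example's assumption.

```python
"""Turn authentication syslog lines into PAN-OS User-ID XML API messages.

Added example; not code from the PAN-OS documentation. The syslog format,
regexes, hostname, API key and user names are constructed for illustration.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed syslog lines from a hypothetical wireless controller "wlc01".
SAMPLE_SYSLOG = [
    "<14>Jan 10 09:12:01 wlc01 AUTH: User 'ACME\\jdoe' authenticated from 10.20.1.57",
    "<14>Jan 10 09:12:03 wlc01 AUTH: User 'ACME\\asmith' authenticated from 10.20.1.58",
    "<14>Jan 10 09:15:44 wlc01 AUTH: User 'ACME\\jdoe' deauthenticated from 10.20.1.57",
    "<14>Jan 10 09:16:00 wlc01 DHCP: lease 10.20.1.60 offered to aa:bb:cc:dd:ee:ff",
]

# Hypothetical parse profile, in the spirit of a User-ID syslog parse profile:
# an event regex selects the lines to act on, and a username regex and an
# address regex pull the mapping out of each selected line.
PARSE_PROFILE = {
    "login": re.compile(r"User '[^']+' authenticated from"),
    "logout": re.compile(r"User '[^']+' deauthenticated from"),
}
USERNAME_RE = re.compile(r"User '([^']+)'")
ADDRESS_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_events(lines):
    """Return [(action, username, ip), ...] for lines that match the profile."""
    events = []
    for line in lines:
        for action, event_re in PARSE_PROFILE.items():
            if event_re.search(line):
                user = USERNAME_RE.search(line)
                ip = ADDRESS_RE.search(line)
                if user and ip:
                    events.append((action, user.group(1), ip.group(1)))
                break  # a line is at most one event
    return events


def build_uid_message(events, timeout_minutes=60):
    """Build the <uid-message> document the User-ID XML API accepts.

    Login entries carry a timeout (assumed here to be minutes) after which
    the firewall drops the mapping unless it is refreshed; logout entries
    remove the mapping immediately.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logins = [e for e in events if e[0] == "login"]
    logouts = [e for e in events if e[0] == "logout"]
    if logins:
        login = ET.SubElement(payload, "login")
        for _, user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip,
                          timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for _, user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def parse_api_response(body):
    """Return (status, message) from a PAN-OS XML API <response> document."""
    root = ET.fromstring(body)
    status = root.get("status", "unknown")
    message = "; ".join(t.strip() for t in root.itertext() if t.strip())
    return status, message


def send_uid_message(firewall, api_key, uid_xml):
    """POST the document to the firewall's User-ID API (type=user-id).

    Not exercised offline. The API key must belong to an administrator
    whose role permits the User-ID XML API, and the firewall's certificate
    must be trusted by this host (urllib verifies TLS by default).
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{firewall}/api/", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_api_response(resp.read())


if __name__ == "__main__":
    # Hypothetical firewall and key; replace before running for real.
    uid_xml = build_uid_message(extract_events(SAMPLE_SYSLOG))
    print(uid_xml)
    # print(send_uid_message("fw01.example.internal", "<api-key>", uid_xml))
```

Run as-is, the script only prints the document it would send. Because each login entry expires after its timeout, a sender of this kind has to either resend mappings before they expire or send explicit logout entries when sessions end; otherwise the firewall is left with stale mappings and policy is enforced against the wrong user. Leave certificate verification enabled and install the firewall's management certificate in the sender's trust store rather than disabling checks, since whoever can impersonate the firewall to this script receives every mapping it sends.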

Related Documentation