Configure User-ID to Receive User Mappings from a Syslog Sender
To obtain IP address-to-username mappings from existing network services that authenticate users, you can configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent to parse Syslog messages from those services.
Configure the Integrated User-ID Agent as a Syslog Listener
To configure the PAN-OS Integrated User-ID agent to create new user mappings based on syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following format:
[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
Collect User Mappings from Syslog Senders
1. Determine whether there is a predefined Syslog Parse profile for your particular syslog senders. Palo Alto Networks provides several predefined profiles through Application content updates. The predefined profiles are global to the firewall, whereas custom profiles apply to a single virtual system only. Any new Syslog Parse profiles in a given content release are documented in the corresponding release note along with the specific regex used to define the filter.
   a. Install the latest Applications or Applications and Threats update: Select Device > Dynamic Updates and Check Now. Download and Install any new update.
   b. Determine which predefined Syslog Parse profiles are available: Select Device > User Identification > User Mapping and click Add in the Server Monitoring section. Set the Type to Syslog Sender and click Add in the Filter section.
   If the Syslog Parse profile you need is available, skip the steps for defining custom profiles.
2. Define custom Syslog Parse profiles to extract IP address-to-username mapping information from syslog messages.
   a. Review the syslog messages that the syslog sender generates to identify the syntax for successful login events. This enables you to define the matching patterns when creating Syslog Parse profiles. While reviewing syslog messages, also determine whether they include the domain name. If they don’t, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
   b. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup.
   c. Select Syslog Filters and Add a Syslog Parse profile.
   d. Enter a name to identify the Syslog Parse Profile.
   e. Specify the Type of parsing to extract user mapping information:
      Regex Identifier: regular expressions.
      Field Identifier: text strings.
   The following steps describe how to configure these parsing types.
3. (Regex Identifier parsing only) Define the regex matching patterns. If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
   a. Enter the Event Regex for the type of events you want to find. For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success. The backslash (\) before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
   b. Enter the Username Regex to identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
   c. Enter the Address Regex to identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
   The following is an example of a completed Syslog Parse profile that uses regex:
   d. Click OK twice to save the profile.
4. (Field Identifier parsing only) Define string matching patterns.
   a. Enter an Event String to identify successful login events. For the example message, the string authentication success identifies login events.
   b. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, User: identifies the start of the username field.
   c. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
   d. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, Source: identifies the start of the address field.
   e. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
   The following is an example of a completed Syslog Parse profile that uses string matching:
   f. Click OK twice to save the profile.
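The two parsing types above, worked through on the procedure's sample message in Python (an added illustration, not PAN-OS or User-ID agent code): the regex profile uses the three patterns exactly as given, the field profile uses the prefix/delimiter pairs, and a hypothetical to_mapping helper mirrors the Default Domain Name option from the sender settings.

```python
import re

# Constructed sample in the format this procedure uses (not a captured log line).
SAMPLE = ("[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success "
          "User:johndoe1 Source:192.168.3.212")

# Regex Identifier profile: the three patterns from the procedure, verbatim.
EVENT_REGEX = r"(authentication\ success){1}"
USERNAME_REGEX = r"User:([a-zA-Z0-9\\\._]+)"
ADDRESS_REGEX = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

def parse_regex(message):
    """Return (username, ip) for a login event, or None if any pattern misses."""
    if re.search(EVENT_REGEX, message) is None:
        return None  # not a successful-login event, so nothing to map
    user = re.search(USERNAME_REGEX, message)
    addr = re.search(ADDRESS_REGEX, message)
    if user is None or addr is None:
        return None
    return user.group(1), addr.group(1)

# Field Identifier profile: a literal prefix plus a delimiter, where \s, \t and
# \n stand for a space, a tab and a line break (the only escapes the field takes).
DELIMITERS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

def extract_field(message, prefix, delimiter):
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(DELIMITERS.get(delimiter, delimiter), start)
    return message[start:] if end < 0 else message[start:end]  # \n may be absent

def parse_field(message, event="authentication success",
                user_prefix="User:", user_delim=r"\s",
                addr_prefix="Source:", addr_delim=r"\n"):
    """Same result as parse_regex, using the string-matching profile instead."""
    if event not in message:
        return None
    user = extract_field(message, user_prefix, user_delim)
    addr = extract_field(message, addr_prefix, addr_delim)
    if user is None or addr is None:
        return None
    return user, addr

def to_mapping(parsed, default_domain=None):
    """Hypothetical helper: build {ip: user}, prepending the Default Domain Name
    only when the username does not already carry a domain."""
    if parsed is None:
        return None
    user, ip = parsed
    if default_domain and "\\" not in user:
        user = default_domain + "\\" + user
    return {ip: user}
```

Calling to_mapping(parse_regex(SAMPLE), "acme") yields {'192.168.3.212': 'acme\\johndoe1'}, the same domain\user form that the show user ip-user-mapping output below reports for syslog-sourced entries.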
5. Specify the syslog senders that the firewall monitors. Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system. The firewall discards any syslog messages received from senders that are not on this list.
   a. Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring list.
   b. Enter a Name to identify the sender.
   c. Make sure the sender profile is Enabled (default is enabled).
   d. Set the Type to Syslog Sender.
   e. Enter the Network Address of the syslog sender (IP address or FQDN).
   f. Select a custom or predefined Syslog Parse profile as a Filter.
   g. Select UDP or SSL (default) as the Connection Type. Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall. A syslog server using SSL to connect will show a Status of Connected only when there is an active SSL connection. Syslog servers using UDP will not show a Status value.
   h. (Optional) If the syslog messages don’t contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
   i. Click OK to save the settings.
6. Enable syslog listener services in the management profile associated with the interface used for user mapping.
   a. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
   b. Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on the protocols you defined for the syslog senders in the Server Monitoring list. The listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.
   c. Click OK to save the interface management profile. Even after enabling the User-ID Syslog Listener service on the interface, the interface only accepts syslog connections from senders that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from senders that are not on the list.
   d. Assign the Interface Management profile to the interface that the firewall uses to collect user mappings: Select Network > Interfaces and edit the interface. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.
   e. Commit your changes.
7. Verify the configuration by logging in to the firewall CLI and running the following commands.
   To see the status of a particular syslog sender:

   admin@PA-5050> show user server-monitor state Syslog2

   UDP Syslog Listener Service is enabled
   SSL Syslog Listener Service is enabled

   Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
   number of log messages           : 1000
   number of auth. success messages : 1000
   number of active connections     : 0
   total connections made           : 4

   To see how many log messages came in from syslog senders and how many entries were successfully mapped:

   admin@PA-5050> show user server-monitor statistics

   Directory Servers:
   Name                TYPE       Host                        Vsys     Status
   -----------------------------------------------------------------------------
   AD                  AD         10.2.204.43                 vsys1    Connected

   Syslog Servers:
   Name                Connection Host                        Vsys     Status
   -----------------------------------------------------------------------------
   Syslog1             UDP        10.5.204.40                 vsys1    N/A
   Syslog2             SSL        10.5.204.41                 vsys1    Not connected

   To see how many user mappings were discovered through syslog senders:

   admin@PA-5050> show user ip-user-mapping all type SYSLOG

   IP               Vsys   From     User                              IdleTimeout(s)  MaxTimeout(s)
   ---------------  ------ -------  --------------------------------  --------------  -------------
   192.168.3.8      vsys1  SYSLOG   acme\jreddick                     2476            2476
   192.168.5.39     vsys1  SYSLOG   acme\jdonaldson                   2480            2480
   192.168.2.147    vsys1  SYSLOG   acme\ccrisp                       2476            2476
   192.168.2.175    vsys1  SYSLOG   acme\jjaso                        2476            2476
   192.168.4.196    vsys1  SYSLOG   acme\jblevins                     2480            2480
   192.168.4.103    vsys1  SYSLOG   acme\bmoss                        2480            2480
   192.168.2.193    vsys1  SYSLOG   acme\esogard                      2476            2476
   192.168.2.119    vsys1  SYSLOG   acme\acallaspo                    2476            2476
   192.168.3.176    vsys1  SYSLOG   acme\jlowrie                      2478            2478
   Total: 9 users
Configure the Windows User-ID Agent as a Syslog Listener
To configure the Windows-based User-ID agent to create new user mappings based on syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following format:
[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders
1. Define custom Syslog Parse profiles to filter syslog messages for successful login events.
   a. Review the syslog messages that the syslog sender generates to identify the syntax for successful login events. This enables you to define the matching patterns when creating Syslog Parse profiles. While reviewing syslog messages, also determine whether they include the domain name. If they don’t, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
   b. Open the Windows Start menu and select User-ID Agent.
   c. Select User Identification > Setup and Edit the Setup.
   d. Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
   e. Enter a Profile Name and Description.
   f. Select the Type of parsing to find login events in syslog messages:
      Regex: regular expressions.
      Field: text strings.
   The following steps describe how to configure these parsing types.
2. (Regex parsing only) Define the regex matching patterns. If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
   a. Enter the Event Regex to identify successful login events. For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
   b. Enter the Username Regex to identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
   c. Enter the Address Regex to identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
   The following is an example of a completed Syslog Parse profile that uses regex to identify login events:
   d. Click OK twice to save the profile.
3. (Field Identifier parsing only) Define string matching patterns.
   a. Enter an Event String to identify successful login events. For the example message, the string authentication success identifies login events.
   b. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, User: identifies the start of the username field.
   c. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
   d. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, Source: identifies the start of the address field.
   e. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
   The following is an example of a completed Syslog Parse profile that uses string matching to identify login events:
   f. Click OK twice to save the profile.
4. Specify the syslog senders that the User-ID agent monitors. Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders. The User-ID agent discards any syslog messages received from senders that are not on this list.
   a. Select User Identification > Discovery and Add an entry to the Servers list.
   b. Enter a Name to identify the sender.
   c. Enter the Server Address of the syslog sender (IP address or FQDN).
   d. Set the Server Type to Syslog Sender.
   e. (Optional) If the syslog messages don’t contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
   f. Select the Syslog Parse profile you configured as a Filter.
   g. Click OK to save the settings.
   h. Commit your changes to the User-ID agent configuration.
5. Verify the configuration by logging in to the firewall CLI and running the following commands.
   To see the status of a particular syslog sender:

   admin@PA-5050> show user server-monitor state Syslog2

   UDP Syslog Listener Service is enabled
   SSL Syslog Listener Service is enabled

   Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
   number of log messages           : 1000
   number of auth. success messages : 1000
   number of active connections     : 0
   total connections made           : 4

   To see how many log messages came in from syslog senders and how many entries were successfully mapped:

   admin@PA-5050> show user server-monitor statistics

   Directory Servers:
   Name                TYPE       Host                        Vsys     Status
   -----------------------------------------------------------------------------
   AD                  AD         10.2.204.43                 vsys1    Connected

   Syslog Servers:
   Name                Connection Host                        Vsys     Status
   -----------------------------------------------------------------------------
   Syslog1             UDP        10.5.204.40                 vsys1    N/A
   Syslog2             SSL        10.5.204.41                 vsys1    Not connected

   To see how many user mappings were discovered through syslog senders:

   admin@PA-5050> show user ip-user-mapping all type SYSLOG

   IP               Vsys   From     User                              IdleTimeout(s)  MaxTimeout(s)
   ---------------  ------ -------  --------------------------------  --------------  -------------
   192.168.3.8      vsys1  SYSLOG   acme\jreddick                     2476            2476
   192.168.5.39     vsys1  SYSLOG   acme\jdonaldson                   2480            2480
   192.168.2.147    vsys1  SYSLOG   acme\ccrisp                       2476            2476
   192.168.2.175    vsys1  SYSLOG   acme\jjaso                        2476            2476
   192.168.4.196    vsys1  SYSLOG   acme\jblevins                     2480            2480
   192.168.4.103    vsys1  SYSLOG   acme\bmoss                        2480            2480
   192.168.2.193    vsys1  SYSLOG   acme\esogard                      2476            2476
   192.168.2.119    vsys1  SYSLOG   acme\acallaspo                    2476            2476
   192.168.3.176    vsys1  SYSLOG   acme\jlowrie                      2478            2478
   Total: 9 users
