User-ID: Tie users and groups to your security policies

User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on your network environment, there are a variety of ways you can map a user's identity to an IP address. Some of these include:

  • Authentication events
  • User authentication
  • Terminal services monitoring
  • Client probing
  • Directory services integration
  • Syslog Listener and a powerful XML API

The user identity, when tied to the application activity, provides you with more complete visibility into usage patterns, greater policy control, and more granular logging, reporting and forensics capabilities. 

Authentication events help you identify users.

You can configure User-ID to monitor authentication events for Microsoft Active Directory, Microsoft Exchange and Novell eDirectory environments. This is important because monitoring authentication events on the network allows User-ID to match the user with the IP address of the device they used to log in, which lets you enforce your policy on the firewall.

  • Microsoft Exchange Server: You can configure User-ID to constantly monitor Microsoft Exchange logon events produced by clients accessing their email. Using this technique, you can even discover and identify Mac OS X, Apple iOS and Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory.

  • Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard LDAP queries on the Novell eDirectory servers.

  • Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log onto the domain. When a user logs onto the Windows domain, a new authentication event is recorded on the corresponding Windows Domain Controller. By remotely monitoring the authentication events on Windows Domain Controllers, User-ID can recognize those authentication events to identify users on your network. Armed with this information, you can create and enforce your policies.

Directory integration captures group membership information.

To allow you to specify security rules based on user groups and resolve group members automatically, User-ID integrates with nearly every directory server - including Microsoft Active Directory - using a standards-based LDAP protocol and flexible configuration. Once you configure User-ID, your Palo Alto Networks firewall automatically retrieves and constantly updates user and user group information, and automatically adjusts to changes in your user base or organization.

User authentication events capture non-Windows domain users.

By capturing non-Windows domain users through user authentication events, you can configure a challenge-response authentication sequence to collect user and IP address information.

  • Captive portal: If you need rules that require users to authenticate to your firewall before accessing the Internet, or you can't identify a user through other techniques, you can deploy a captive portal. In addition to an explicit username and password prompt, you can also configure your captive portal to send an NTLM authentication request to the web browser, making the authentication process completely transparent to the user.

  • GlobalProtect: Remote users logging into your network with GlobalProtect have to provide user and host information to your firewall. You can use this information for policy control.

Terminal services integration.

In environments where a user's identity is hidden behind Citrix XenApp or Microsoft Terminal Services, the User-ID Terminal Services Agent can determine which applications each user is accessing, and can distinguish users who share a single IP address on a Microsoft Windows Terminal Services or Citrix host. Completely transparent to the user, every user session is assigned a specific source port range on your server. This allows your firewall to associate each network connection with the user and groups sharing that one host on your network. For custom or non-standard terminal services environments, the XML API can be used to collect the user identity.
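The port-range scheme described above, as an added example that is not the agent's own code: each session on a shared terminal server gets a disjoint source-port range, and the firewall side resolves a connection's (server IP, source port) to a user. The server address, range size and port bounds are constructed values.

```python
import ipaddress

# Constructed parameters: 200 ports per session inside 20000-39999.
RANGE_SIZE = 200
FIRST_PORT = 20000
LAST_PORT = 39999


class TerminalServerPortMap:
    """Tracks which source-port range belongs to which user session on one host."""

    def __init__(self, server_ip):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.ranges = {}  # (low, high) -> user

    def assign_session(self, user):
        """Allocate the lowest free range; raise if the server has no room left."""
        low = FIRST_PORT
        for used_low, used_high in sorted(self.ranges):
            if low + RANGE_SIZE - 1 < used_low:
                break  # a gap before this range is large enough
            low = used_high + 1
        high = low + RANGE_SIZE - 1
        if high > LAST_PORT:
            raise RuntimeError("no free port range on %s" % self.server_ip)
        self.ranges[(low, high)] = user
        return low, high

    def end_session(self, low):
        """Release a range at session logoff so it can be reused; returns the user."""
        for rng in list(self.ranges):
            if rng[0] == low:
                return self.ranges.pop(rng)
        return None

    def user_for_connection(self, src_ip, src_port):
        """Attribute a connection seen by the firewall to a user, or None."""
        if ipaddress.ip_address(src_ip) != self.server_ip:
            return None  # not from this terminal server; other mappings apply
        for (low, high), user in self.ranges.items():
            if low <= src_port <= high:
                return user
        return None  # port outside every assigned range: cannot be attributed
```

A connection from an unassigned port on the server returns None rather than a guess, which is the safe outcome for policy enforcement.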

Client and host probing captures Windows user information.

The following two techniques enable you to configure User-ID to monitor Windows clients or hosts to collect an identity and map it to the IP address.

  • Client probing: If you can't identify a user by monitoring authentication events, User-ID actively probes Microsoft Windows clients on your network for information on the user currently logged on. Through this, you can reliably identify laptop users who switch back and forth from wired to wireless networks.

  • Host probing: You can also configure User-ID to probe Microsoft Windows servers for the active network sessions of a user. As soon as a user accesses a network share on your server, User-ID identifies the originating IP address and maps it to the user name they provided to begin the session.

Syslog Listener and the XML API integrate with non-standard repositories.

In some cases, you may already have a user repository or an application for storing information on users and their current IP address. If so, the firewall can now listen for syslog messages from those services so that the User-ID agent (either the Windows agent or the agentless user mapping feature on the firewall) can extract the authentication events from the logs. Syslog filters that you define allow User-ID to parse the messages and extract the IP addresses and usernames of users who successfully authenticated to the external service and add the information to the IP address to username mappings it maintains. Currently the syslog listener natively supports BlueCoat Proxy, Citrix Access Gateway, Aerohive AP, Cisco ASA, Juniper SA Net Connect, and the Juniper Infranet Controller. 
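The filter-and-extract step described above, as an added example that is not Palo Alto Networks code: each constructed filter is a pattern with named groups for the user and client IP of a successful login, applied to constructed log lines. The message formats and source names are made up for the example and do not represent any vendor's real syslog format.

```python
import re

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed per-source filters: only messages for a *successful*
# authentication match, so failures and unrelated lines yield no mapping.
SYSLOG_FILTERS = {
    "example-vpn": re.compile(r"AUTH-OK user=(?P<user>\S+) src=" + IPV4),
    "example-proxy": re.compile(r"login succeeded for (?P<user>\S+) from " + IPV4),
}

# Constructed sample messages (source, raw syslog text).
SAMPLE_LOGS = [
    ("example-vpn", "Mar 1 10:00:01 vpn1 AUTH-OK user=Alice src=10.1.1.20"),
    ("example-vpn", "Mar 1 10:00:05 vpn1 AUTH-FAIL user=mallory src=10.1.1.21"),
    ("example-proxy", "Mar 1 10:02:00 proxy1 login succeeded for bob from 10.1.1.30"),
    ("example-proxy", "Mar 1 10:03:00 proxy1 connection reset by 10.1.1.30"),
    ("example-vpn", "Mar 1 10:05:00 vpn1 AUTH-OK user=carol src=10.1.1.20"),
]


def extract_mapping(source, message):
    """Return (ip, user) if the source's filter matches the message, else None."""
    pattern = SYSLOG_FILTERS.get(source)
    if pattern is None:
        return None  # unknown source: never guess a mapping
    m = pattern.search(message)
    if not m:
        return None
    # Normalise case so 'Alice' and 'alice' resolve to the same group memberships.
    return m.group("ip"), m.group("user").lower()


def build_ip_user_map(logs):
    """Replay messages in order; a later login from the same IP replaces the
    earlier one (DHCP reuse, shared workstation), which is what policy should
    follow. Returns (mapping, count of lines that produced no mapping)."""
    mapping, ignored = {}, 0
    for source, message in logs:
        hit = extract_mapping(source, message)
        if hit is None:
            ignored += 1
            continue
        ip, user = hit
        mapping[ip] = user
    return mapping, ignored
```

The ignored-line count is worth exporting as a metric: a sudden rise usually means a log format change has silently broken a filter, leaving new logins unmapped.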

  • XML API: In cases where the syslog listener is not applicable, the User-ID XML API allows you to integrate user information into your security policies from other user directories, terminal services and authentication mechanisms.
