What’s Palo Alto User-ID? #
“User-ID” stands for User Identification. It maps IP addresses to usernames so that the firewall can identify traffic by the person generating it, rather than by the address alone.
By pulling identity from directory services such as Active Directory, security policy can be written against users and groups instead of IP addresses, and logs gain user-level visibility.
How can this help an organization? #
User-ID lets you write policies for specific users or groups, and it records the username alongside the IP address in the traffic logs. That makes it possible to track, manage, and monitor what a person does across the network, even when their IP address changes.
Conventional Configuration #
When you start working with a firewall, new or existing, you may find that User-ID is not configured. That is normal: User-ID is disabled by default on PAN-OS and has to be enabled on each zone where you want it, and it requires no separate license. Below is an example of the conventional, IP-based setup.
Explanation
- The user Scott logs in to his computer with his domain account.
- Scott's traffic leaves the local network for the internet.
- The firewall sees only Scott's source IP address and records it in the traffic log.
- Policy and monitoring are based on IP addresses, so the logs show which host talked, not who was using it.
Non-Conventional Configuration #
With User-ID enabled, the firewall gains visibility into which user is behind each flow, and rules can be written for user groups or for individual users.
Explanation
- Scott logs in to his computer with his domain account.
- The domain controller records a successful logon event that names Scott's account and his client IP address, 192.168.10.100.
- A User-ID agent runs on the domain controller (or on another server, see the note below).
- The agent reads these logon events, builds an IP-to-user mapping, and sends it to the firewall.
- The firewall connects to the agent and receives all of the mapping information.
- With the mappings in place, the firewall's logs and policy refer to users rather than bare IP addresses.
NOTE: The agent does not have to run on a domain controller. It can be installed on another domain-joined server or workstation, as long as the account it runs under has permission to read the domain controllers' security event logs.
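The flow above, as an added illustration (this is not Palo Alto's agent code): a small model of the mapping the User-ID agent builds from domain controller logon events and the firewall then ages out. It assumes the Windows successful-logon event ID 4624 and the PAN-OS default mapping timeout of 45 minutes; the event records are constructed, and the domain, usernames and addresses in them are made up.

```python
"""Simplified model of the IP-to-user mapping a User-ID agent derives from
domain controller security logs (added example, not Palo Alto's code).
Assumptions: event ID 4624 marks a successful logon, and mappings expire
after the PAN-OS default User Identification Timeout of 45 minutes."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

LOGON_EVENT_ID = 4624                      # "An account was successfully logged on"
DEFAULT_TIMEOUT = timedelta(minutes=45)    # PAN-OS default mapping timeout (assumed)


@dataclass
class LogonEvent:
    event_id: int
    domain: str
    user: str
    ip: str            # IpAddress field of the event; "-" when absent
    when: datetime


@dataclass
class Mapping:
    user: str
    learned_at: datetime


class UserIdMapper:
    """Builds and ages the IP -> user table the firewall consumes."""

    def __init__(self, timeout: timedelta = DEFAULT_TIMEOUT, ignore_users=()):
        self.timeout = timeout
        self.ignore = {u.lower() for u in ignore_users}   # e.g. service accounts
        self.table: Dict[str, Mapping] = {}

    def ingest(self, ev: LogonEvent) -> bool:
        """Return True if the event produced or refreshed a mapping."""
        if ev.event_id != LOGON_EVENT_ID:
            return False
        if ev.user.endswith("$"):               # computer accounts are not people
            return False
        if ev.ip in ("-", "127.0.0.1", "::1"):  # no usable client address
            return False
        if ev.user.lower() in self.ignore:      # ignore-list, as the agent supports
            return False
        # A newer logon from the same address replaces the old mapping: the
        # firewall holds one user per IP address.
        self.table[ev.ip] = Mapping(f"{ev.domain}\\{ev.user}".lower(), ev.when)
        return True

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """User currently mapped to `ip`, or None (the firewall's 'unknown')."""
        m = self.table.get(ip)
        if m is None:
            return None
        if now - m.learned_at > self.timeout:   # stale: the user may have left
            del self.table[ip]
            return None
        return m.user


# Constructed sample events standing in for DC security-log entries.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    LogonEvent(4624, "CORP", "scott",   "192.168.10.100", T0),
    LogonEvent(4624, "CORP", "WS01$",   "192.168.10.100", T0 + timedelta(seconds=5)),
    LogonEvent(4624, "CORP", "svc_bkp", "192.168.10.50",  T0 + timedelta(minutes=1)),
    LogonEvent(4624, "CORP", "scott",   "-",              T0 + timedelta(minutes=2)),
    LogonEvent(4634, "CORP", "scott",   "192.168.10.100", T0 + timedelta(minutes=3)),  # logoff
]


def demo() -> dict:
    mapper = UserIdMapper(ignore_users=["svc_bkp"])
    accepted = sum(mapper.ingest(e) for e in SAMPLE_EVENTS)
    t_soon, t_late = T0 + timedelta(minutes=10), T0 + timedelta(minutes=60)
    return {
        "accepted": accepted,                                    # 1: only Scott's logon
        "scott_now": mapper.lookup("192.168.10.100", t_soon),    # "corp\\scott"
        "unmapped_host": mapper.lookup("192.168.10.200", t_soon),  # None -> "unknown"
        "service_host": mapper.lookup("192.168.10.50", t_soon),  # None: ignored account
        "scott_later": mapper.lookup("192.168.10.100", t_late),  # None: mapping expired
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why an unmapped host is "unknown" to policy: either no logon event was ever seen for that address, the only logons came from filtered accounts, or the mapping aged out. Group membership is not part of this table; the firewall resolves that separately via LDAP group mapping.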
What do you need to know about Palo Alto agents? #
Palo Alto Networks offers several agents for on-premises environments. Each collects identity information and feeds it to the firewall; the main ones are:
- User-ID agent – A Windows service that reads logon events from domain controller security logs and sends the resulting IP-to-user mappings to the firewall. (Group membership is a separate lookup: the firewall queries Active Directory over LDAP for group mapping.)
- Cloud Identity Agent – Syncs your on-premises directory to the Cloud Identity Engine (CIE), Palo Alto's cloud-hosted identity service, which then serves user and group information to the firewall.
- Terminal Server (TS) Agent – For multi-user hosts such as RDP or Citrix servers, where many users share one source IP address.
Terminal Server Agent use case: when several users are logged on to the same server over RDP, all of their sessions leave with the server's IP address. A plain IP-to-user mapping can hold only one user per address, so user-based rules would apply to whichever user was mapped last and never to the others. The TS agent solves this by allocating each user session its own range of source ports and reporting those ranges to the firewall, which then identifies users by IP address plus source port.
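To make the shared-IP problem concrete, here is an added model (not the TS agent's code) of per-user source-port blocks on one server address and the firewall-side lookup by IP plus source port. The port range 20000-39999 and 200 ports per user are assumptions, taken from the TS agent defaults as I recall them; the server address and usernames are constructed. The real agent enforces the ranges by controlling the ephemeral ports each user's processes get, which this model does not reproduce.

```python
"""Per-user source-port blocks on one shared server IP (added example, not
Palo Alto's TS agent). Assumed defaults: ports 20000-39999, 200 ports per user."""
from typing import Dict, List, Optional, Tuple

PortBlock = Tuple[int, int]   # inclusive (first_port, last_port)


class TerminalServerAllocator:
    def __init__(self, server_ip: str, port_start: int = 20000,
                 port_end: int = 39999, block_size: int = 200):
        self.server_ip = server_ip
        # Free blocks, lowest first; 100 blocks of 200 ports for the defaults.
        self.free: List[PortBlock] = [
            (lo, lo + block_size - 1)
            for lo in range(port_start, port_end - block_size + 2, block_size)
        ]
        self.by_user: Dict[str, PortBlock] = {}

    def login(self, user: str) -> PortBlock:
        """Reserve a port block for a new session; reuse if the user has one."""
        if user in self.by_user:
            return self.by_user[user]
        if not self.free:
            raise RuntimeError("port range exhausted; no block for %s" % user)
        block = self.free.pop(0)
        self.by_user[user] = block
        return block

    def logout(self, user: str) -> None:
        """Return the session's block to the pool so another user can get it."""
        block = self.by_user.pop(user, None)
        if block is not None:
            self.free.append(block)
            self.free.sort()

    def lookup(self, ip: str, sport: int) -> Optional[str]:
        """Firewall-side lookup: which user owns this (ip, source port)?"""
        if ip != self.server_ip:
            return None
        for user, (lo, hi) in self.by_user.items():
            if lo <= sport <= hi:
                return user
        return None   # port outside every allocated block: unknown user


SERVER_IP = "192.168.10.20"   # constructed RDP server address


def demo() -> dict:
    ts = TerminalServerAllocator(SERVER_IP)
    scott = ts.login("corp\\scott")
    jane = ts.login("corp\\jane")
    # With a plain IP mapping the firewall holds one user per address, so
    # both sessions look like the same person.
    ip_only = {SERVER_IP: "corp\\scott"}
    result = {
        "scott_block": scott,                                   # (20000, 20199)
        "jane_block": jane,                                     # (20200, 20399)
        "conn_from_scott": ts.lookup(SERVER_IP, scott[0] + 5),  # "corp\\scott"
        "conn_from_jane": ts.lookup(SERVER_IP, jane[0] + 50),   # "corp\\jane"
        "ip_only_view": (ip_only[SERVER_IP], ip_only[SERVER_IP]),  # both -> scott
        "port_outside_ranges": ts.lookup(SERVER_IP, 45000),     # None
        "other_host": ts.lookup("192.168.10.100", 20105),       # None: not the TS
    }
    ts.logout("corp\\scott")                       # session ends, block freed
    result["bob_block"] = ts.login("corp\\bob")    # reuses the lowest free block
    return result


if __name__ == "__main__":
    print(demo())
```

The `ip_only_view` entry is the failure mode from the paragraph above: both users' connections attribute to Scott, so Jane's traffic would hit Scott's rules. Note also that a port block freed at logout is reused by the next session, which is why the agent and the firewall have to stay in sync about which user holds which block at any moment.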
Policy Illustration #
- Rule#4: allows the user Scott to leave the local network for the internet.
- Rule#5: denies internet access for any source IP that has no User-ID mapping (source user "unknown").
- Rule#6: allows the 192.168.10.0/24 network to reach the internet with no source user configured (source user "any").
Rules are evaluated top down and the first match wins, so Rule#5 must sit above Rule#6; otherwise an unmapped host in 192.168.10.0/24 would be allowed by Rule#6 before Rule#5 is ever reached.
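The three rules above, run through an added first-match evaluator (this is illustration code, not PAN-OS) to show how the Source User field interacts with rule order. The special values any, known-user and unknown mirror the PAN-OS Source User options; the rule names, the domain prefix and the second user are assumptions.

```python
"""First-match policy evaluation with User-ID source-user matching (added
example, not PAN-OS code). A mapped user of None stands for an IP the
firewall has no User-ID mapping for, i.e. "unknown"."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    name: str            # assumed names; the page only numbers the rules
    source_net: str      # e.g. "192.168.10.0/24"
    source_user: str     # "any", "known-user", "unknown", or "domain\\user"
    action: str          # "allow" or "deny"


def user_matches(rule_user: str, mapped_user: Optional[str]) -> bool:
    if rule_user == "any":
        return True
    if rule_user == "known-user":
        return mapped_user is not None
    if rule_user == "unknown":
        return mapped_user is None
    return mapped_user is not None and mapped_user.lower() == rule_user.lower()


def evaluate(rules: List[Rule], src_ip: str,
             mapped_user: Optional[str]) -> Tuple[Optional[int], str]:
    """Return (matching rule number, action); (None, 'deny') if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in ipaddress.ip_network(r.source_net) and user_matches(r.source_user, mapped_user):
            return r.number, r.action
    return None, "deny"   # no explicit match: treated as denied here


RULES = [
    Rule(4, "allow-scott-internet", "192.168.10.0/24", "corp\\scott", "allow"),
    Rule(5, "deny-unknown-users",   "192.168.10.0/24", "unknown",     "deny"),
    Rule(6, "allow-lan-internet",   "192.168.10.0/24", "any",         "allow"),
]


def demo() -> dict:
    misordered = [RULES[0], RULES[2], RULES[1]]   # Rule#6 placed above Rule#5
    return {
        "scott":    evaluate(RULES, "192.168.10.100", "corp\\scott"),  # (4, allow)
        "jane":     evaluate(RULES, "192.168.10.101", "corp\\jane"),   # (6, allow)
        "unmapped": evaluate(RULES, "192.168.10.200", None),           # (5, deny)
        "other_net": evaluate(RULES, "10.0.0.5", "corp\\scott"),      # (None, deny)
        "unmapped_misordered": evaluate(misordered, "192.168.10.200", None),  # (6, allow)
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> rule {outcome[0]}, {outcome[1]}")
```

The last case is the one to check when reviewing a rulebase: the same unmapped host that Rule#5 denies is allowed the moment Rule#6 is moved above it, because a rule with Source User "any" matches traffic with no mapping at all.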
Logs Illustration #
Let’s examine the logs below, which show Scott’s sessions leaving the local network for different destinations. With User-ID in place, each entry carries Scott's username next to his source IP, which helps with troubleshooting and with understanding user traffic.
In summary, User-ID streamlines policy management, adds user-level visibility to logs, and strengthens overall network security. To learn more about User-ID, refer to the Palo Alto Networks Tech Docs.
Cheers,