What’s Palo Alto User-ID? #
The term “User-ID” refers to User Identification. Its purpose is to identify and track network activity by individual users rather than by IP address alone.
It does this by mapping IP addresses to usernames learned from directory services such as Active Directory and from the other sources the platform supports. With that mapping in place, security policy is enforced based on who the user is rather than which IP address they happen to be using, and the logs show who is doing what.
How can this help an organization? #
User-ID facilitates tracking, managing, and monitoring user behavior while enforcing user-specific policies and providing visibility into user activity across the network.
Conventional Configuration #
On a new firewall, and often on existing ones, you will notice that User-ID is not set up. That is normal: the feature is off by default and has to be enabled on each zone where you want user-based policy. You don’t need a license to enable it. Look at the image below.
Explanation
- The user Scott logged in to his computer using his domain account.
- Scott wants to leave his local network and go to the internet.
- The firewall sees Scott’s source IP address and records the session under that address in its logs.
- The firewall can only monitor and control this traffic by IP address; it has no idea that the address belongs to Scott.
Non-Conventional Configuration #
Utilizing User-ID enhances visibility over users and network traffic for monitoring. It also enables the creation of rules for user groups or specific users.
Explanation
- Scott logged into his computer using his domain account.
- The domain controller records a logon event for Scott that includes his source IP address, 192.168.10.100.
- The domain controller has the User-ID agent installed.
- The User-ID agent reads the logon events and sends the resulting IP-to-user mappings to the firewall.
- The firewall is connected to the agent and receives all of the mapping information from it.
- The firewall now has visibility into which users are connected to the network, derived from the domain controller’s logs.
NOTE: The agent can be installed on another server or workstation; it does not have to run on the domain controller. Just make sure the service account it runs under has the permissions the agent needs, such as the right to read the domain controllers’ security event logs.
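To make the mapping step concrete, here is an added example (not code from the original post or from Palo Alto Networks) that reduces a handful of constructed logon records to an IP-to-user table and renders it as the `uid-message` document accepted by the firewall’s User-ID XML API. The real User-ID agent speaks its own protocol to the firewall; the XML API is the documented way for a script to feed the same kind of mapping. The usernames, addresses, firewall hostname and ignore list are assumptions made for the example, and no network call is made.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of logon records, as a log-monitoring source on a domain
# controller might yield them (hypothetical users and addresses).
SAMPLE_LOGONS = [
    {"domain": "corp", "user": "scott", "ip": "192.168.10.100"},
    {"domain": "corp", "user": "dana", "ip": "192.168.10.101"},
    {"domain": "corp", "user": "scott", "ip": "192.168.10.100"},    # repeat logon
    {"domain": "corp", "user": "svc-backup", "ip": "192.168.10.7"},  # service account
]

# Service accounts authenticate from many hosts; mapping them would mis-attribute
# traffic, so they are dropped here (the agents have an equivalent ignore list).
IGNORE_USERS = {"svc-backup"}


def build_ip_user_map(logons, ignore=IGNORE_USERS):
    """Reduce logon records to one username per IP. A later logon from the same
    IP replaces the earlier one, which is how the firewall's mapping table
    behaves as well."""
    mapping = {}
    for rec in logons:
        if rec["user"].lower() in ignore:
            continue
        mapping[rec["ip"]] = f'{rec["domain"]}\\{rec["user"]}'
    return mapping


def build_uid_message(mapping, timeout_min=60):
    """Render the map as a User-ID XML API 'uid-message' login update.
    timeout is in minutes; the firewall ages the mapping out after it."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mapping.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")


def api_request(fw_host, api_key, uid_xml):
    """Return the URL and form body a script would POST to the firewall's
    management interface (type=user-id). No network call is made here."""
    url = f"https://{fw_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body


if __name__ == "__main__":
    ip_map = build_ip_user_map(SAMPLE_LOGONS)
    xml = build_uid_message(ip_map)
    print(xml)
    url, body = api_request("fw.example.internal", "<api-key>", xml)
    print(url, body[:60] + "...")
```

The same `uid-message` structure carries `logout` entries to remove a mapping early, which matters on shared or DHCP-heavy segments where a stale mapping would attribute one person’s traffic to another. The timeout should be set in line with the DHCP lease time for the same reason.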
What do you need to know about Palo Alto agents? #
Palo Alto has several agents that can be deployed in the on-prem environment. They collect mapping information and send it to the firewall (or, in the CIE case, to Palo Alto’s cloud service). I will briefly explain each category.
- User-ID agent – The Windows-based agent that builds IP-to-user mappings, mainly by monitoring the domain controllers’ security logs for logon events. Group membership is retrieved separately from Active Directory over LDAP.
- Cloud Identity Agent – The on-prem component of the Cloud Identity Engine (CIE). It does a similar job, but syncs the directory to Palo Alto’s cloud-based service, from which the firewalls retrieve user and group information.
- Terminal Server (TS) Agent – Used for multi-user systems such as Terminal Server or Citrix, where many users log in to the same machine and share one IP address.
For example, when users connect to a physical server via RDP, they all share the server’s IP address. With IP-based mapping alone, only one user can be mapped to that IP at a time, so every user’s traffic is matched against that one user’s policy and the other users’ rules never take effect. The TS agent solves this by allocating each logged-in user a range of source ports, which lets the firewall tell the users apart.
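The following added example (not from the original post or from Palo Alto Networks) shows the shared-IP problem and the port-range approach side by side: with IP-only mapping the last logon on the RDP host wins and both users collapse into one identity, while a per-user source-port block lets each connection be attributed correctly. The host address, the two users and the port-block sizes are assumptions; the sizes only approximate the agent’s defaults.

```python
# Constructed picture of one RDP host with two logged-in users (hypothetical).
TS_HOST_IP = "192.168.10.50"
TS_SESSIONS = ["corp\\scott", "corp\\dana"]   # logon order on the host


def ip_only_mapping(users, host_ip=TS_HOST_IP):
    """What IP-based mapping alone can hold: one user per IP, last logon wins,
    so every user on the host is identified as whoever logged on most recently."""
    table = {}
    for user in users:
        table[host_ip] = user
    return table


def allocate_port_ranges(users, start=20000, block=200):
    """TS-agent style allocation: each user gets a dedicated block of source
    ports. The start port and block size are assumptions for the example."""
    ranges = {}
    port = start
    for user in users:
        ranges[user] = (port, port + block - 1)
        port += block
    return ranges


def identify(src_ip, src_port, ranges, host_ip=TS_HOST_IP):
    """Resolve the user behind a connection from the terminal server by its
    source port; anything outside the allocated blocks is 'unknown'."""
    if src_ip != host_ip:
        return "unknown"
    for user, (lo, hi) in ranges.items():
        if lo <= src_port <= hi:
            return user
    return "unknown"


if __name__ == "__main__":
    print(ip_only_mapping(TS_SESSIONS))      # both users collapse to corp\dana
    ranges = allocate_port_ranges(TS_SESSIONS)
    for port in (20010, 20210, 45000):
        print(port, identify(TS_HOST_IP, port, ranges))
```

The practical consequence of the first function is worth stating plainly: on a multi-user host without the TS agent, the policy that applies is whichever user logged on last, so an allow rule written for one person silently extends to everyone on the box.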
Policy Illustration #
- Rule#4: This policy allows the user Scott to leave his local network for the internet.
- Rule#5: Any unknown user who wants to go to the internet has their traffic denied.
- Rule#6: Traffic sourced from 192.168.10.0/24 can go to the internet (no source users configured).
The rules are evaluated top down and the first match wins, so a host in 192.168.10.0/24 with no user mapping hits Rule#5 and is denied before Rule#6 is ever considered. For the user-based rules to match at all, User-ID must be enabled on the source zone; otherwise every user is “unknown”.
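As an added example (not from the original post or from Palo Alto Networks), the rulebase above reduced to a small top-down evaluator. It shows the four outcomes a practitioner should expect: Scott matching Rule#4, an unmapped host being caught by Rule#5 before Rule#6, a second mapped user falling through to Rule#6, and the same Scott address becoming “unknown” when User-ID is not enabled on the zone. The zone name, the Dana account and the addresses are assumptions.

```python
import ipaddress

# Constructed rulebase mirroring the three rules above (zone name, addresses and
# the Dana account are assumptions made for the example).
RULES = [
    {"name": "Rule#4", "zone": "trust", "users": {"corp\\scott"}, "src": "192.168.10.0/24", "action": "allow"},
    {"name": "Rule#5", "zone": "trust", "users": {"unknown"},     "src": "any",             "action": "deny"},
    {"name": "Rule#6", "zone": "trust", "users": None,            "src": "192.168.10.0/24", "action": "allow"},
]

# Mappings the firewall would have learned from the agent (constructed).
IP_USER_MAP = {"192.168.10.100": "corp\\scott", "192.168.10.101": "corp\\dana"}


def resolve_user(src_ip, zone, ip_user_map, userid_zones):
    """The firewall only consults the mapping table for zones with User-ID enabled."""
    if zone not in userid_zones:
        return "unknown"
    return ip_user_map.get(src_ip, "unknown")


def user_matches(rule_users, user):
    if rule_users is None:            # source user 'any'
        return True
    if rule_users == {"unknown"}:     # PAN-OS 'unknown' pseudo-user: no mapping
        return user == "unknown"
    if rule_users == {"known-user"}:  # PAN-OS 'known-user': any mapped user
        return user != "unknown"
    return user in rule_users


def net_matches(rule_src, src_ip):
    return rule_src == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)


def evaluate(rules, zone, src_ip, user):
    """Top-down, first match wins; no match falls to the implicit deny."""
    for rule in rules:
        if rule["zone"] == zone and user_matches(rule["users"], user) and net_matches(rule["src"], src_ip):
            return rule["name"], rule["action"]
    return "implicit", "deny"


def decide(src_ip, zone="trust", rules=RULES, userid_zones=("trust",), ip_user_map=IP_USER_MAP):
    """Return (resolved user, matching rule, action) for one flow."""
    user = resolve_user(src_ip, zone, ip_user_map, userid_zones)
    return (user,) + evaluate(rules, zone, src_ip, user)


if __name__ == "__main__":
    for ip in ("192.168.10.100", "192.168.10.101", "192.168.10.200"):
        print(ip, decide(ip))
    print("User-ID off on zone:", decide("192.168.10.100", userid_zones=()))
    reordered = [RULES[0], RULES[2], RULES[1]]
    print("Rule#6 above Rule#5:", decide("192.168.10.200", rules=reordered))
```

Swapping Rule#5 and Rule#6, as the last call does, turns the unknown-user deny into dead code for the 192.168.10.0/24 subnet: an unmapped host is allowed by the address-only rule first. That is the most common way a user-based rulebase ends up weaker than it looks.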
Logs Illustration #
Take a look at the logs below, where you can see Scott’s attempts to exit the local network toward different destinations. This is really helpful because it lets us troubleshoot more effectively and gives us insight into how users are entering and leaving our network.
So, in summary, User-ID streamlines policy management, enhances visibility into user activity, and strengthens overall network security. To learn more about User-ID, please refer to the Palo Alto Networks Tech Docs.
Cheers,