Palo Alto Networks- Agentless User ID Tutorial

36,946 views

Jeff Talkington

Days ago

Comments: 38
@ANCsounds 5 years ago
Hi Jeff, thank you for this video tutorial. We have implemented the AD integration on our Palo Alto by following your tutorial!
@jefftalkington8404 5 years ago
Thanks for the kind words! Much appreciated.
@ANCsounds 5 years ago
It seems that PAN is confused when there are multiple users logged in on a Windows computer. Some users did not log out, and when a new user logs in, the IP-user mapping is not updated. Do you have any idea on how to fix this?
@jefftalkington8404 5 years ago
@@ANCsounds It sounds like this is a multi-user system, like terminal services for Citrix or Windows. If that's the case, PANW has a terminal services agent that can be installed on the machine and each user will be identified with a set of source ports to use. It's available for download on the customer support portal. If, however, this is a normal machine and not a terminal services client, the agent/firewall should pick up the changes when it checks in with your AD/syslog server.
@saadahmadkhan5049 5 years ago
Very well organized demo. I wish you could upload more video tutorials about the PA.
@hiirusha 6 months ago
Well appreciated for your nice and clear explanation! Cheers.
@markusyunianto8826 1 year ago
Thanks for your explanation, it's very useful 👍
@thomasbezak1090 2 years ago
Note: Recent Windows updates break WMI and you now need to set up WinRM/Kerberos to connect to AD for agentless user identification.
@brucebennett321 7 years ago
Hi Jeff, great video, thank you. I had a tough time finding out exactly what was needed on the AD side for the service account before. I have a question about environments with multiple domain controllers. Do you need to connect to all of the domain controllers, or just to a couple (for redundancy)?
@Black_Swan68761 4 years ago
Thanks for sharing the video!
@brett8706 1 year ago
Hi Jeff. I know this is a few years old. If I set up a Group Mapping and choose the groups to include, will this mapping update if I change the location of a group in AD? Also, do I need to change this in the Policy, or will it update automatically?
@TheJokeJoker 2 years ago
This works on PAN-OS 10.0, FYI
@crystalhu7502 3 years ago
Hello Jeff, my AD server is connected well. But when I map user IP, it shows unknown users. Only the Palo Alto service account can be recognized. Do you know why? Thank you.
@paulojosephzapata905 6 years ago
Hi Jeff, from your monitor traffic logs @10:35 in your video. Why is it that some traffic from 192.168.35.131 doesn't show the user ID? I'm experiencing the same issue, some traffic logs don't show the user ID.
@jefftalkington8404 6 years ago
If I remember right from when I made the video, there was enough of a time gap that my user mappings had timed out. Check the timeout settings in Device->Userid and under the User-ID agent setup. In a standard corporate environment, 45 minutes is usually plenty for a timeout, but in a lab environment or where users don't log in to resources as much, you might have to increase to 2 hours (or 4 or 8).
@nickstathakis5263 4 years ago
Hi Jeff, how does the PA perform the correlation/mapping of the userID and AD group membership? Is this within the logs?
@n3rdpwr 7 years ago
Works a treat, thanks!
@chriscowboyfan 4 years ago
GREAT VIDEO!
@alexlora6009 2 years ago
So, as I see in all the videos from YouTube, nobody speaks about the User-ID Agent app needing to be installed... so it is not necessarily needed.
@johnmeyers9961 7 years ago
Jeff, liked the video. Very informative and fills in a lot of holes from the PA KB articles. Question about WMI polling. Can the PA firewall be set up to read Windows syslog data on a syslog server, rather than having it poll the individual AD servers?
@jefftalkington8404 7 years ago
Absolutely! This is a common method we use to pull mappings from other sources. The most common is getting IP/User-ID info from wireless controllers or NAC solutions. Here's an article on how to configure it using Aruba wireless as an example. live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Collect-the-User-IP-Mappings-from-a-Syslog-Sender-Using/ta-p/62085
@scottgoethals6279 5 years ago
Hi Jeff, great video. I have a question. Why did you create the user (service acct) in an OU instead of creating it in the Managed Service Accounts folder? I noticed some documentation lists the steps as creating the user in the Managed Service Accounts container. I also assume you set up the user so that its password doesn't expire. Is this correct? A second question: when you set up WMI (wmimgmt.msc), is this something that would need to be done on each domain controller? Lastly, do you recommend separate LDAP server profiles for each domain controller, or is it best to put all DCs under one? Thank you.
@shawngibbs3341 7 years ago
We have this configured, just as in your video... and it works for PCs, but not for Mac computers. The Macs are authenticating through AD (Windows AD), but the PA will not see the user ID for the Mac users. What is required to make agentless User-ID with Windows AD auth work for Mac computers?
@jefftalkington8404 7 years ago
Since this is a connection to AD, as long as there is an authentication that takes place to the domain, you should see the user/IP mapping. I would recommend checking the logs in AD and verifying that you're seeing the authentication. After that, contact TAC so they can walk through the issue with you.
@johnmeyers9961 7 years ago
Hi. Quick troubleshooting question. (Case opened with tech support, but hoping you could help too.) I set up my company's web filter to send syslog data to our PA firewall (the same way I have it send to our syslog server). Then I entered it as a syslog sender in Server Monitoring (IP, UDP, Domain, and custom syslog filter profile). But the status does not show "Connected" like in the video. Any ideas if I set it up incorrectly? Also, I ran "show user server-monitor state all" from the CLI and it returned counts of zero, but showed the UDP Syslog Listener Service as enabled.
@johnmeyers9961 7 years ago
Nevermind, figured it out. Got it working.
@jefersonantunes3575 6 years ago
Hi Jeff, great video thank you. I have noticed some anonymous logon cases. Have you ever seen this happen? Most users logged in to Active Directory are identified in the firewall, only a few appear on the monitor as anonymous logon.
@PKS11111 5 years ago
Hi Jeff, we did it in production. We have noticed an inconsistent domain name: sometimes the user comes as (domain) and sometimes as (domain.loc). Please suggest.
@jefftalkington8404 5 years ago
Depending on the number/type of User-ID sources, this is not unusual. Palo Alto Networks understands that the firewall may receive multiple formats. There are a couple of ways to handle it, but it's all spelled out in the following admin guide walkthrough for how to handle multiple formats. Read it over and definitely look at steps 3 and 4 of the guide. I think it will help. docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats
@p224switch7 7 years ago
Hi Jeff, I have a problem here. I added a user group to the rule but it does not work. I blocked some apps (ex: Skype, TeamViewer...) with that group and have an allow-all traffic rule below, but users in this group do not match the block rule, only the allow-all traffic rule. Can you assist me? Thank you so much!
@jefftalkington8404 7 years ago
If the groups are populating for the rule, you're getting connectivity from AD. I would check the logs to make sure that the userid is populated. My guess is that the NGFW hasn't gotten the log showing the userid/IP address mapping.
@joananderson2264 6 years ago
Thanks for this Jeff. Is there any way to exclude users/MAC addresses from an internet security profile (i.e., without AD)?
@jefftalkington8404 6 years ago
Interesting question: the User-ID process is designed to match a username to an IP address. Since we operate at the network layer, we can't normally see the source/destination MAC address. We see only the next hop MAC. So... no, if using standard User-ID methods. There is a way to do it though. If we use the GlobalProtect client on the endpoint and do a HIP (Host Information Profile) check, we can pull the machine name or MAC address and create an exclusion list based on that. If this is a bit much, you could do a DHCP reservation and create an exclusion around the reserved IP. Hope this helps!
@joananderson2264 6 years ago
Thanks Jeff. I would love to create the exclusion list around reserved IPs. I have the IPs already reserved. Can you point me to where the exclusion list is defined in the documentation? I have some users who are using Mac High Sierra and the password override (for URL Filtering) is not working. The site is blocked completely. Earlier Mac versions provide the opportunity to enter the password... as with Windows users via Edge. Chrome blocks sites completely even though override is specified. Had to add a certificate for Windows to allow the override at all. Also, a question... User Mapping does nothing unless you have an AD (or Microsoft Exchange, etc.) server, correct? Thanks again.
@jefftalkington8404 6 years ago
I'm assuming a couple of things when writing this response, but if there isn't an exclusion list capability for a URL profile, you can do 'Negate' on source and destination addresses to say that the policy applies to NOT that IP address or range. What I would do, though, is create a policy above the current one and put a permit policy with the reserved IP addresses. We do something like this all the time when users haven't adopted User-ID, but have execs or owners that need open access while the rest of the org has a standard internet policy. Execs have the policy above the standard policy and have open access. On the group question: you're right, to get a user-id-to-group mapping you'll need to be connected to either AD or LDAP and ingest group memberships. If you're planning on doing this, make sure you filter groups so that you only get the ones you're using in policy, not the entire AD/LDAP group structure. While it's NORMALLY not an issue, we've seen some companies with 20,000+ AD groups overrun the tables on the NGFW because they didn't enable filtering.
@nikhilchaudhari26 5 years ago
Audio is very, very low... but informative video.
@michaelmarange7534 7 years ago
Audio is low on the video
@jefftalkington8404 7 years ago
I'm playing it from YouTube now and the volume seems fine. Are you still having the issue, and can you elaborate on the problem?