| File Name | Size | Downloads | Votes |
|---|---|---|---|
| palo alto networks.test-king.pcnse.v2023-05-05.by.violet.154q.vce | 1.62 MB | 69 | 1 |
| palo alto networks.pass4sures.pcnse.v2021-11-25.by.marc.157q.vce | 3.61 MB | 600 | 1 |
| palo alto networks.braindumps.pcnse.v2021-10-13.by.lyla.92q.vce | 1.73 MB | 618 | 1 |
| palo alto networks.certkiller.pcnse.v2021-06-18.by.luka.103q.vce | 2.3 MB | 739 | 1 |
| palo alto networks.pass4sureexam.pcnse.v2021-03-03.by.daniel.103q.vce | 1.58 MB | 855 | 2 |
| palo alto networks.braindumps.pcnse.v2020-12-24.by.charlie.100q.vce | 3.07 MB | 941 | 2 |
Palo Alto Networks PCNSE Practice Test Questions, Palo Alto Networks PCNSE Exam Dumps
Examsnap's complete exam preparation package for the Palo Alto Networks PCNSE covers the practice test questions and answers, a study guide, and a video training course, all included in the premium bundle. The Palo Alto Networks PCNSE exam dumps and practice test questions come in VCE format to give you an exam testing environment and boost your confidence.
In this lecture, we'll talk about User-ID. User-ID integration lets you build policies on actual user information and differentiate based on group membership, so your policy is tied not only to IP addresses but to users as well. For User-ID integration we have to answer two questions: who is the user connected to this IP address, and what groups do they belong to? The IP-address-to-user mapping together with the group mapping lets you say: if this user is a member of the executive group, they get this policy; if this user is a member of the marketing group, they get that policy, and so on. In order for the firewall to use groups in its decision process, you integrate with LDAP for user-to-group membership. The supported LDAP services are Microsoft Active Directory, Novell eDirectory and Sun ONE Directory Server.

User-to-IP mapping information is obtained by querying the Active Directory domain controllers in one of two ways: either with Windows-based agent software installed on the domain controller in your network, or with the integrated User-ID agent on the firewall. The agent monitors security events, such as logins to the domain controllers, and ties the user to the IP address. This way you know which user is attached to which IP address in the Active Directory environment. For example, when somebody logs into the network, the domain controller logs that user's login from a given IP address, and the user agent monitors the security logs for those login and logoff events. It also watches events for Kerberos tickets, which carry the user and IP address, file and print service connections, and so on. In order for this to work, you have to make sure that your domain policy is logging successful account logon events. If that's not in place, you will not get the full user-to-IP address mapping.

One thing to be aware of: since a user can authenticate to any domain controller, you have to make sure that all your domain controllers are configured in the User-ID agent. You can also do client probing. With client probing, the User-ID agent queries the client workstation itself, using WMI or NetBIOS probing, to find out which user is logged in. It's only supported by the thick-client User-ID agent installed on the domain controller. Probing is particularly useful in an environment with high IP address turnover, where IP addresses change quickly and you want to refresh this information quickly. When probing is enabled, the agent probes learned IP addresses every 20 minutes by default to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, the agent sends a client probe to determine who is actually connected. This only works for machines in your domain, because you have to allow client probing in your domain policy; that's the limitation of that solution.

Terminal server mapping lets you determine the actual users connected through a terminal services solution such as Microsoft Terminal Server or a Citrix environment. On this type of platform you can have multiple users connecting from the same IP address, each with its own session. For example, a terminal server with one IP address could have five sessions on it. Say user X opens Internet Explorer and navigates to www.google.com: the TCP source port of that connection is unique, for example TCP port 2005. Another session belongs to user Y, who did the same thing and went to www.google.com, but his source port is 2010. The source port is what differentiates the users' activities. This information is relayed to the firewall by the Terminal Server agent installed on the Microsoft Terminal Server or Citrix host. This way, when the firewall sees a connection to www.google.com from source port TCP 2005, it knows that this is user X; if it sees a connection to the same destination from source port 2010, it knows that this is user Y. The Terminal Server agent solution is limited to Microsoft Terminal Services and Citrix environments. If you have other solutions that are not supported, you can use the XML API.

Syslog events can also be used to identify the user. You can send syslog events from your internal syslog server, for events such as wireless controller logins, 802.1X devices, Apple Open Directory server, proxy servers, any solution that sends syslog, to the User-ID agent. That can be either the software agent installed on the domain controller or the PAN-OS integrated agent on the firewall. The agents listen to those syslog events and derive user-to-IP mappings from them.

The captive portal is another way of enforcing user identification. You can configure the captive portal so that if the firewall does not know who is attached to an IP address, it sends that traffic to the captive portal. The user is presented with a login page and can log in using their Active Directory account, RADIUS, LDAP or local authentication. The captive portal can use multiple methods: an NT LAN Manager (NTLM) challenge to the browser, or actively redirecting the user to a web authentication form. The NTLM challenge typically works with Internet Explorer. What happens is that when traffic from a new user arrives at the firewall, the firewall sends a captive portal request asking the browser for its NTLM credentials. Those NTLM credentials are checked against Active Directory to ensure the user exists, and the group mapping is determined as well. This method is called "transparent to the user": the firewall automatically sends the NTLM challenge to the browser, the browser answers the challenge, and the user is identified. The other method is more intrusive: redirecting the user to authenticate against RADIUS, LDAP or local authentication. You can also use client certificate authentication.

When a user logs in to GlobalProtect, for either remote access or internal connections from the trust side of the firewall (GlobalProtect is the VPN solution), the GlobalProtect process identifies the user, and that lets you determine which users are connected to which IP addresses. For any other type of user access that has no built-in solution, you can use the XML API to tell the firewall which user is associated with which IP address.
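The lecture describes three sources of IP-to-user mappings (domain controller logon events, syslog from third-party devices, and Terminal Server source-port ranges), a cache timeout, and the "unknown user" case that probing, the captive portal or the XML API has to fill. The following is an added example, not PAN-OS or User-ID agent code: a small Python model of such a mapping table. The `SyslogFilter` class, the event fields, the regexes and all addresses, users and port ranges are constructed for the demo (the event-ID comment refers to the Windows logon-success event, which the lecture does not name).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lecture: cached user identification times out after 45 minutes by default.
DEFAULT_TIMEOUT = 45 * 60


@dataclass
class SyslogFilter:
    """Hypothetical stand-in for a User-ID syslog filter: an event regex selects
    matching lines, then a username regex and an address regex pull out the mapping."""
    event: str
    username: str
    address: str

    def parse(self, line: str) -> Optional[Tuple[str, str]]:
        if not re.search(self.event, line):
            return None
        user = re.search(self.username, line)
        addr = re.search(self.address, line)
        if user is None or addr is None:
            return None
        return user.group(1), addr.group(1)


@dataclass
class UserIdTable:
    """IP-to-user mappings with expiry, plus per-IP source-port ranges for terminal servers."""
    timeout: int = DEFAULT_TIMEOUT
    ip_users: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    port_users: Dict[str, List[Tuple[int, int, str]]] = field(default_factory=dict)

    def learn(self, ip: str, user: str, now: float) -> None:
        self.ip_users[ip] = (user, now + self.timeout)

    def learn_from_logon_event(self, event: Dict[str, str], now: float) -> None:
        # Constructed stand-in for a Windows logon-success event (ID 4624) read from the
        # domain controller's Security log; only the account and source address matter here.
        user = f"{event['TargetDomainName']}\\{event['TargetUserName']}"
        self.learn(event["IpAddress"], user, now)

    def learn_from_syslog(self, filt: SyslogFilter, line: str, now: float) -> bool:
        hit = filt.parse(line)
        if hit is None:
            return False
        user, ip = hit
        self.learn(ip, user, now)
        return True

    def learn_port_range(self, ip: str, low: int, high: int, user: str) -> None:
        # Terminal Server agent: each session on the shared IP gets its own source-port range.
        self.port_users.setdefault(ip, []).append((low, high, user))

    def lookup(self, ip: str, source_port: int, now: float) -> Optional[str]:
        """Return the user for a flow, or None when there is no live mapping; None is the
        case where probing, the captive portal or the XML API would have to step in."""
        for low, high, user in self.port_users.get(ip, []):
            if low <= source_port <= high:
                return user
        entry = self.ip_users.get(ip)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def demo() -> Dict[str, Optional[str]]:
    """Feed the table one mapping from each source and look up sample flows."""
    now = 1_000_000.0
    table = UserIdTable()

    # 1. Domain controller Security log (constructed event fields)
    table.learn_from_logon_event(
        {"TargetDomainName": "LAB", "TargetUserName": "testuser1", "IpAddress": "192.0.2.50"}, now)

    # 2. Syslog from a wireless controller (constructed line and filter regexes)
    wlc = SyslogFilter(
        event=r"dot1x: user \S+ authenticated",
        username=r"user (\S+) authenticated",
        address=r"from (\d+\.\d+\.\d+\.\d+)")
    line = "<14>May  5 09:12:01 wlc1 dot1x: user lab\\jdoe authenticated from 192.0.2.77"
    table.learn_from_syslog(wlc, line, now)

    # 3. Terminal server: user X and user Y share 192.0.2.9, told apart by source port
    table.learn_port_range("192.0.2.9", 2000, 2009, "LAB\\userx")
    table.learn_port_range("192.0.2.9", 2010, 2019, "LAB\\usery")

    return {
        "dc_logon": table.lookup("192.0.2.50", 51000, now),
        "syslog": table.lookup("192.0.2.77", 51000, now),
        "ts_port_2005": table.lookup("192.0.2.9", 2005, now),
        "ts_port_2010": table.lookup("192.0.2.9", 2010, now),
        "unknown_ip": table.lookup("192.0.2.200", 1234, now),
        "expired": table.lookup("192.0.2.50", 51000, now + DEFAULT_TIMEOUT + 1),
    }


if __name__ == "__main__":
    for flow, user in demo().items():
        print(f"{flow:14} -> {user}")
```

The port-range check runs before the plain IP lookup on purpose: on a terminal server every session shares the host address, so the address alone would attribute all five sessions to whichever user logged in last.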
In this lecture we will see how to configure the User-ID agent, the thick-client User-ID agent, and the steps that are necessary to get it working correctly. Here I have an environment with a Windows 8 client, a Windows domain controller, and a member server. I am going to install the User-ID agent on the member server.

The first step is to ensure that the domain controller is set up to log successful user logons, so we go to the group policies to make sure that this is the case. Go to Group Policy Management, go to the domain itself, then to the Default Domain Policy, right-click it and click Edit. We have to make sure that the domain controller policy is set up to log successful logon attempts. Go under Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account logon events. Check "Define these policy settings"; it's best practice to log both Success and Failure, then click OK. This ensures that the domain controller logs user logon events as both successful and unsuccessful. Success is what's required; failure is best practice. Close that and apply the policy. To apply the policy, go to the command prompt and type gpupdate, which updates the group policy. To verify, open MMC, add the snap-in for the local computer policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account logon events and make sure that this took effect.

Now that that's in place, we go to the member server and install the Windows agent. I have it downloaded here; double-click it, click Next, Next, Close, and then open the User-ID agent software. The first thing we have to do is click Setup.

Create the username for the service logon account in Active Directory. To do this we have to set up that user account, which was supposed to be a previous step. Let's go back to the domain controller, go to user management, and create a service account. We'll call it useragent and give it a password. Here is an article on what is required: on Windows Server 2012 the service account has to be a member of Distributed COM Users, Event Log Readers and Server Operators. So find that user, then under Member Of add Distributed COM Users, Event Log Readers and Server Operators, and apply.

Then we go to the WMI authentication portion. This is a requirement because the User-ID agent uses WMI to query the data. Right-click and choose Properties, select Security, then under root\cimv2 click Security, find the account, add the account, check Enable Account and Remote Enable, and apply.

Then we go to the User-ID agent and put this information in place. At the local level, enter the username of the Active Directory useragent account and its domain password, and the server to monitor. We enable security log monitoring and client probing, as discussed in the previous lecture; client probing lets us verify the user if there is a high rate of IP address changes. We're not using syslog at this time. Then click Discovery > Auto Discover, which finds the domain controllers in the domain, and click Commit. The service logon was not right: open Services, find the User-ID Agent service, and on the Log On tab use the Local System account for now. That's fine. Let's go ahead and start it. I'm going to create a user and log into the Windows machine to check whether I see that event.

Go to the domain controller and add a new user, testuser1, and then we'll check whether we see that user's IP address. Go to the Windows 8 machine and log in as that user. The user is in the process of logging in. Let's see if the user agent captured that login. We see here that the IP was added and the user was identified. In the next lecture we will see how to tie that into the firewall itself.
In this lecture, we will see how to configure the Palo Alto firewall to connect to the User-ID agent. The user traffic flows from the trust interface to the untrust interface. One key thing to remember is that in the zone the users come from, trust, we have to make sure that Enable User Identification is checked. This lets the Palo Alto firewall know that it has to map which user is on which IP. Then, to tie into the User-ID agent, go to Device > User Identification > User-ID Agents and click Add. We add the agent by its IP address, and we need to know the port: going back to the member server, it is TCP 5007. Click OK, then Commit, click OK, and refresh to see whether the firewall was able to connect to the user agent. It was not. Under Monitor > System we see "failed to connect" to the agent's address, detail none. Sometimes the Windows firewall blocks that, so let's check the firewall inbound rules. Create a new rule for all programs, with local port 5007; next, you can specify any IP address or the IP address of the firewall; we allow it for all. Going to the command prompt to see whether there is a session, the issue at hand is the service connection: it is coming from an incorrect interface. Go to Device > Setup > Services > Service Route Configuration > Customize, put in the agent's address as the destination and the inside interface as the source interface, which forces the connection out that interface. Because of my setup, the management interface is on the untrust side for now, while the Windows member server with the User-ID agent is on the trust side; so to reach that IP address, use this interface.

If you want to look at the configuration, it will show you exactly what's going to be sent to the device: click Running Config to Candidate Config, then click Go. We see that it's changing the setting to use this interface and this address to connect to the agent. Let's commit. Going back to User Identification > User-ID Agents, it's now connected. Back on the firewall CLI, run show user ip-user-mapping all. All we see is two users identified by the system: the administrative user, on the Windows 8 client's address. But testuser1 is the one logged in, so it didn't capture that information. Let me log out and log back in again and look at the information one more time. For some reason the mapping for that IP address went back to lab\administrator. I think it's possibly because I'm logged in as lab\administrator as well, so I'm going to reboot the Windows 8 machine and log in again. Going back to the server, to make sure this information is being captured, I search for testuser1's address: the login name for lab\testuser1 gets changed to lab\administrator. For some reason Active Directory keeps changing it back and forth. I'm going to add the useragent user to the local Administrators group, selecting the entire directory, finding useragent, and adding it as a local admin; that's probably one of the issues. Then I'll log out and see if I can start the service as that user. Maybe that's the issue. It's not working correctly yet. Okay, that was the issue. Let's see if the user agent is collecting data now from the Windows 8 machine.

I'm going to log out and log back in again. Okay, now it's working correctly. The permission on that member server was the problem; it's probably easier to make the useragent account a local admin, and that fixed the issue. Now we see the correct user on the Palo Alto firewall, and we see here that there's a connection. We had to change the service route to make sure the firewall was able to reach it. We talked about service routes in the previous lecture, but that's important. Now that we have User-ID attached, we'll be able to create policies based on users. That's one method. In the next lecture we'll talk about using the user agent on the firewall itself as a method, instead of installing software on servers, which is sometimes a big issue for the network team. That lets you just configure user mapping on the firewall itself, which is clientless, a thin client basically, because you don't have to install any software.
So in this lecture we will see how to configure the user mapping feature on the firewall itself. Instead of using the User-ID agent, we're going to delete the thick-client User-ID agent that we configured in a previous lecture and then configure user mapping on the firewall. So this is User Mapping: click Edit and provide the username and password. We use the same account we created for server monitoring. Enable security log monitoring. It looks exactly like the full client: you can configure client probing, the cache user identification timeout (45 minutes by default) and the other settings. Here are the syslog filters, Cisco, Juniper SA, all those syslog filters, so you can send syslog. Click OK. Then go to Server Monitoring and put in the IP address of the domain controller, click OK and then Commit. It says host not reachable. We have to do the same thing we did in the previous lecture, which is the service route: add another destination telling it to use the inside interface, click OK and commit again. Now go to the User-ID agent status one more time and see whether it's connected: the status is Connected, which means it is actually working. Looking at the security events, we go to the firewall CLI and run the same command, show user ip-user-mapping all, and we see the information.

You can run Discover as well; that's a new feature in 7.0. But in order to run Discover we need to have an NTLM domain configured, so we put in the domain lab and the admin user and click OK. Then commit. If you have multiple domain controllers in your environment, when you click Discover it will find those domain controllers. This feature relies on DNS lookup to determine the domain controllers, so make sure there is a DNS configuration here. There isn't, so we need to put in the primary DNS server, which is going to be the domain controller, and click OK. That already has a service route, so that should be good; there should be nothing to commit right now. You also need to specify the DNS domain of your internal domain with the CLI command set deviceconfig system domain followed by your internal domain name. Now run show user ip-user-mapping all and we see that it's getting the information from the domain controller. You can also go back to User Identification: the reason we did this and put in the NTLM domain is so we can discover domain controllers instead of adding them, and it discovered this one here automatically. Since I had entered the domain controller by IP address, it actually discovered the domain name. So this lecture showed you how to use the integrated User-ID agent on the firewall to get user-IP mapping information.
So the next step in the User-ID process is to configure group mapping. Typically, when you configure your policies, you don't create policies for users; you create policies for groups. So you first identify the user based on the user-IP mapping information, and that information is correlated with the groups they belong to. In order to set up the groups, we have to add the LDAP information. LDAP is the back-end database for Active Directory and other directory services that keeps information on users, group membership and other attributes. To configure group mapping, go to Device > Server Profiles > LDAP and click Add. We'll call this the AD server. You can check Administrator Use Only if you want to use this profile for administrator login, but this one is going to be used for group mapping. Add the name of the server; you can use SSL if you want. The type is Active Directory (the choices are Active Directory, e-directory and Sun); use Active Directory. The Base DN is what we need to find out from the server. The Base DN could be the root, lab.local, or it could be the Users container. I'm going to use the Users container in my case, but you can use the root if you want. If you go to the Attribute Editor you'll see the distinguished name; that's the DN, CN=Users,DC=lab,DC=local. I'm going to put in the administrator login; it doesn't require SSL. Click OK, then Commit. Go back to User Identification > Group Mapping Settings and click Add; give it a name, the server profile is the LDAP server we created, and the user domain is lab. Since this is Active Directory, leave everything else the same and click OK. Then commit to find out if it works: go to Group Include List, and if you see the actual users and groups, you did OK.

Now that we have this in place, we want to create some users so we can test different policies. I'm going to create a couple of groups in Active Directory and then add those groups into my policy. Create a group called Marketing Users, and another group called IT Users. I also want to create a couple of users to test with: marketuser1, added to the group Marketing Users. Then I go to my group mapping and include those groups: add IT Users to the included groups, then Marketing Users. So these groups are now in place and I can use them in my policy. Bye.
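The group mapping lecture ends with groups defined in Active Directory, a Base DN, a user domain, an include list, and the intent to write policy against groups rather than users. The following is an added example, not PAN-OS code: a Python model of how an identified user's LDAP group memberships are filtered by the Base DN and the include list, and how a top-down security rulebase is then matched on `domain\group` names, `known-user` and `any`. The `LdapUser`, `Rule` and `GroupMapping` classes, the `match_rule` function and all DNs, user names and rule names are constructed for the demo (`lab`, `Marketing Users`, `IT Users` and `marketuser1` follow the lecture).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LdapUser:
    """Attributes as an LDAP query against the Users container would return them."""
    sam_account_name: str
    member_of: List[str]  # group distinguished names


@dataclass
class Rule:
    """One security policy rule; source_users holds 'any', 'known-user' or 'domain\\group'."""
    name: str
    source_users: List[str]
    action: str


def dn_components(dn: str) -> List[str]:
    return [c.strip().lower() for c in dn.split(",")]


def cn_of(dn: str) -> str:
    """Leftmost CN of a DN, e.g. 'Marketing Users' from 'CN=Marketing Users,CN=Users,...'."""
    match = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
    if match is None:
        raise ValueError(f"not a CN-led DN: {dn}")
    return match.group(1).strip()


def under_base(dn: str, base_dn: str) -> bool:
    """True when the DN sits under the configured Base DN (component-wise suffix match)."""
    parts, base = dn_components(dn), dn_components(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


class GroupMapping:
    """Hypothetical model of a group mapping profile: Base DN, user domain, include list."""

    def __init__(self, base_dn: str, user_domain: str, include_list: List[str]):
        self.base_dn = base_dn
        self.user_domain = user_domain
        self.include = {dn.lower() for dn in include_list}

    def groups_for(self, user: LdapUser) -> Set[str]:
        """Groups attributed to the user as 'domain\\group' names; membership outside
        the include list or outside the Base DN is ignored, as in the lecture."""
        names = set()
        for dn in user.member_of:
            if dn.lower() in self.include and under_base(dn, self.base_dn):
                names.add(f"{self.user_domain}\\{cn_of(dn)}".lower())
        return names


def match_rule(rules: List[Rule], mapping: GroupMapping, user: Optional[LdapUser]) -> Rule:
    """First-match evaluation; user is None when the firewall has no IP-to-user mapping."""
    groups = mapping.groups_for(user) if user is not None else set()
    for rule in rules:
        for src in rule.source_users:
            src = src.lower()
            if src == "any" or (src == "known-user" and user is not None) or src in groups:
                return rule
    raise LookupError("no rule matched; end the rulebase with an explicit deny-all")


def demo() -> dict:
    base_dn = "CN=Users,DC=lab,DC=local"
    marketing = "CN=Marketing Users,CN=Users,DC=lab,DC=local"
    it = "CN=IT Users,CN=Users,DC=lab,DC=local"
    domain_admins = "CN=Domain Admins,CN=Users,DC=lab,DC=local"  # deliberately not included
    mapping = GroupMapping(base_dn, "lab", [marketing, it])
    rules = [
        Rule("allow-it-admin", ["lab\\IT Users"], "allow"),
        Rule("allow-marketing-web", ["lab\\Marketing Users"], "allow"),
        Rule("allow-known-users", ["known-user"], "allow"),
        Rule("deny-all", ["any"], "deny"),
    ]
    marketuser1 = LdapUser("marketuser1", [marketing])
    ituser1 = LdapUser("ituser1", [it, marketing])  # in both groups: the first rule wins
    administrator = LdapUser("administrator", [domain_admins])
    return {
        "marketuser1": match_rule(rules, mapping, marketuser1).name,
        "ituser1": match_rule(rules, mapping, ituser1).name,
        "administrator": match_rule(rules, mapping, administrator).name,
        "unmapped_ip": match_rule(rules, mapping, None).name,
        "administrator_groups": sorted(mapping.groups_for(administrator)),
    }


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who:22} -> {outcome}")
```

Two things the demo makes visible: a group that exists in AD but is not on the include list contributes nothing to policy (the administrator only matches the `known-user` rule), and a user in two included groups is decided by rule order, so the more specific group rule has to sit above the broader one.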
ExamSnap's Palo Alto Networks PCNSE practice test questions and exam dumps, study guide, and video training course are included in the premium bundle. The exam updates are monitored by industry-leading IT trainers with over 15 years of experience, and the Palo Alto Networks PCNSE exam dumps and practice test questions cover all the exam objectives to make sure you pass your exam easily.
Comments (8)
Please post your comments about Palo Alto Networks Exams. Don't share your email address asking for PCNSE braindumps or PCNSE exam pdf files.
Is the exam dump still valid?
Hello, guys! I want to share my happiness with you! I passed the exam today with these PCNSE Palo Alto Networks braindumps! Absolutely valid information! Keep it up, ExamSnap
Passed the PCNSE exam!! Very happy, proud of myself and very thankful for your help, ExamSnap!
I don't know a more comfortable format than VCE! When I saw that you are providing a PCNSE VCE, it was the final reason to stay with you :))
Seems like these are valid PCNSE questions! One month ago I tried to pass the examination on my own, so I remember the real questions; the bigger half is here.
Very nice PCNSE practice test. I couldn't have thought that dumps would be so educational! I read a lot of new things I didn't know before.
I got used to working with PDF files; how can I get the PCNSE Palo Alto Net PDF?
The most confusing exam ever! These Palo Alto Networks PCNSE dumps helped me figure out the complicated parts! Now the material looks much clearer! Thanks, ExamSnap