PaloAlto Ignite 2012 notes: USER-ID

This article is part of a series which depicts some of the notes I took during several sessions in the Palo Alto Networks Ignite conference in Las Vegas.

USER-ID

  • Palo Alto uses the following sources for USER-ID:
      • Logs: Active Directory Domain Controllers, Exchange Servers, eDirectory
      • Terminal Server Agent
      • Client Probing (WMI only)
      • XML API
      • Captive Portal
      • Global Protect
      • Agentless USER-ID
      • PAN Agent (Windows)
  • LDAP is used to map a user to his/her respective group/s
  • In a multi-domain environment, an admin can use:
      • multiple group mappings
      • queries against global catalogs
  • User IPs can be both IPv4 and IPv6
  • FQDNs can resolve to both IPv4 and IPv6
  • NTLM can only be queried from vsys1 (this is a MS limitation, since virtualised systems are not supported)
  • Firewalls can now share user ID mappings including those gained from global protect, IPSec, captive portal, etc. That is, firewalls can become user agents for other firewalls.
  • Agentless USER-ID deployments are better suited to smaller environments, since a small amount of the firewall's own memory and CPU cycles needs to be allocated to it, which matters especially on the 2000 series
  • Agent-based deployments serve multiple devices to reduce the number of queries, and the agent acts as a cache, which is important to conserve resources
  • X-forwarded-for header can only be used in logs, not in policy (yet)
  • One can identify Linux clients by:
      • examining Exchange logs
      • joining Linux PCs to the AD domain via Kerberos
      • writing a custom syslog parser that leverages the XML API
  • If no PSK is set, firewalls can be queried for their USER ID mappings
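As an added illustration of the last Linux-client option (custom syslog parser feeding the XML API), here is example code that is not from the Ignite session or from Palo Alto Networks: it extracts successful sshd logins from constructed syslog lines, drops entries whose IP does not parse, and serialises the result as a User-ID update. The `<uid-message>` layout and the `timeout` attribute reflect my understanding of the PAN-OS User-ID XML API and should be checked against the version in use; the domain prefix `example` is a placeholder.

```python
"""Added example: Linux sshd syslog -> User-ID XML API mapping message."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample syslog lines (not real traffic). Only "Accepted" lines
# are successful logins; the last one carries a deliberately bad source IP.
SAMPLE_LOGS = """\
Jan 10 09:12:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 10 09:12:09 web01 sshd[2214]: Failed password for bob from 10.0.0.7 port 51030 ssh2
Jan 10 09:13:44 web01 sshd[2220]: Accepted password for carol from 2001:db8::1f port 40112 ssh2
Jan 10 09:14:02 web01 sshd[2225]: Accepted publickey for dave from not-an-ip port 51100 ssh2
"""

# Successful sshd logins only; failed attempts must never create a mapping.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>[\w.\-]+) from (?P<ip>\S+) port"
)

def parse_logins(log_text, domain="example"):
    """Return {ip: 'domain\\user'} for each valid successful login.

    Both IPv4 and IPv6 sources are accepted (USER-ID maps either); a line
    whose address does not parse is dropped instead of being sent onwards.
    """
    mappings = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # malformed address: do not trust the log line
        mappings[ip] = f"{domain}\\{m.group('user')}"
    return mappings

def build_uid_message(mappings, timeout_minutes=60):
    """Serialise the mappings as a User-ID 'login' update (assumed layout)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mappings.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_uid_message(parse_logins(SAMPLE_LOGS)))
```

The resulting XML is what a syslog-collecting agent would post to the firewall's XML API; the failed login for bob and the unparsable entry for dave are both left out.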