This article is part of a series containing some of the notes I took during several sessions at the Palo Alto Networks Ignite 2012 conference in Las Vegas. This post covers the USER-ID session.
USER-ID
– Palo Alto firewalls can learn user-to-IP mappings (USER-ID) from the following sources:
- Logs: Active Directory Domain Controllers, Exchange Servers, eDirectory
- Terminal Server Agent
- Client Probing (WMI only)
- XML API
- Captive Portal
- GlobalProtect
- Agentless USER-ID
- PAN Agent (Windows)
– LDAP is used to map a user to his/her respective group(s) (group mapping); policy is then written against groups rather than individual users
– In a multi-domain environment, an admin can use:
- multiple group mappings
- query global catalogs
– User IPs can be both IPv4 and IPv6
– FQDNs can resolve to both IPv4 and IPv6
– NTLM authentication can only be queried from vsys1 (a Microsoft limitation: virtual systems are not supported on the NTLM side)
– Firewalls can now share USER-ID mappings, including those learned from GlobalProtect, IPSec, captive portal, etc. That is, a firewall can act as a USER-ID agent for other firewalls
– Agentless USER-ID is better suited to smaller deployments, since the firewall itself must allocate memory and CPU cycles to the mapping work; this matters especially on the 2000 series
– An agent-based deployment can serve multiple firewalls, which reduces the number of queries sent to the domain controllers; the agent also acts as a cache for the mappings, which is important to conserve resources
– The X-Forwarded-For header can only be used in logs, not in policy (yet)
– Linux clients can be identified by:
- examining Exchange logs
- joining the Linux PCs to the AD domain via Kerberos
- writing a custom syslog parser that pushes the mappings to the firewall through the XML API
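The last option above (and the XML API entry in the list of sources) is easy to underestimate, so here is an added example of what such a bridge looks like. This is not code from the talk or from Palo Alto Networks: it parses a few constructed OpenSSH syslog lines from a Linux host, turns successful logins and explicit disconnects into a `<uid-message>` document in the format the PAN-OS XML API accepts for `type=user-id`, and can POST it to a firewall. The firewall hostname, API key and the `example` NetBIOS domain prefix are placeholders; the 60-minute mapping timeout is an assumed value.

```python
"""Syslog-to-USER-ID bridge: OpenSSH login/logout lines -> PAN-OS XML API.

Added example, not code from the talk or from Palo Alto Networks.
Assumptions (placeholders): firewall host, API key and the AD NetBIOS
domain prefix "example" used for group mapping.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

AD_DOMAIN = "example"       # assumption: NetBIOS domain prefix the firewall's group mapping uses
MAPPING_TIMEOUT_MIN = 60    # assumption: minutes before the firewall ages the mapping out

# Constructed sample syslog lines (sshd on a domain-joined Linux host).
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 web01 sshd[2210]: Accepted publickey for alice from 10.1.1.5 port 52144 ssh2: RSA SHA256:abc
Jan 10 09:12:07 web01 sshd[2213]: Accepted password for bob from 10.1.1.9 port 41002 ssh2
Jan 10 09:12:09 web01 sshd[2215]: Failed password for invalid user root from 10.1.1.77 port 59000 ssh2
Jan 10 09:40:33 web01 sshd[2213]: Disconnected from user bob 10.1.1.9 port 41002
"""

# Only *successful* logins produce a mapping: a failed attempt must never hand
# the source IP a user identity in policy.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")
LOGOUT_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from user (?P<user>\S+) (?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_syslog(text):
    """Return (logins, logouts) as {ip: "DOMAIN\\user"} dicts.

    Lines are processed in order, so a later logout cancels an earlier login
    for the same IP (and vice versa); the last event per IP wins.
    """
    logins, logouts = {}, {}
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ip, user = m["ip"], f"{AD_DOMAIN}\\{m['user']}"
            logouts.pop(ip, None)
            logins[ip] = user
            continue
        m = LOGOUT_RE.search(line)
        if m:
            ip, user = m["ip"], f"{AD_DOMAIN}\\{m['user']}"
            logins.pop(ip, None)
            logouts[ip] = user
    return logins, logouts


def build_uid_message(logins, logouts):
    """Build the <uid-message> XML the PAN-OS XML API expects for type=user-id.

    Using ElementTree rather than string formatting keeps user names with
    odd characters from breaking (or injecting into) the document.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login_el = ET.SubElement(payload, "login")
        for ip, user in sorted(logins.items()):
            ET.SubElement(login_el, "entry", name=user, ip=ip,
                          timeout=str(MAPPING_TIMEOUT_MIN))
    if logouts:
        logout_el = ET.SubElement(payload, "logout")
        for ip, user in sorted(logouts.items()):
            ET.SubElement(logout_el, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def send_uid_message(fw_host, api_key, uid_xml):
    """POST the update to https://<fw_host>/api/?type=user-id&key=...&cmd=<xml>.

    TLS verification is left on: the API key authorises writing identity
    mappings into policy, so it must not be sent to an unverified peer.
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{fw_host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    found_logins, found_logouts = parse_syslog(SAMPLE_SYSLOG)
    print(build_uid_message(found_logins, found_logouts))
    # send_uid_message("fw.example.net", "API-KEY-PLACEHOLDER", ...)  # placeholders
```

In a real deployment the parser would tail the syslog stream (or receive it from a collector) instead of reading a string, and the API key should belong to a dedicated administrator role limited to the User-ID API so that a compromise of the bridge host cannot be turned into full firewall administration.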
– If no pre-shared key (PSK) is set, a firewall acting as a USER-ID agent can be queried for its USER-ID mappings without authentication, so configure a PSK whenever mappings are shared between firewalls