PaloAlto Ignite 2012 notes: USER-ID

This article is part of a series which depicts some of the notes I took during several sessions in the Palo Alto Networks Ignite conference in Las Vegas.


– Palo Alto uses the following sources for user ID:

  • Logs: Active Directory Domain Controllers, Exchange Servers, eDirectory
  • Terminal Server Agent
  • Client Probing (WMI only)
  • Captive Portal
  • Global Protect
  • Agentless USER-ID
  • PAN Agent (windows)

– LDAP is used to map a user to his/her respective groups

– In a multi-domain environment, an admin can use:

  • multiple group mappings
  • query global catalogs

– User IPs can be both IPv4 and IPv6

– FQDNs can resolve to both IPv4 and IPv6

– NTLM can only be queried from vsys1 (this is a MS limitation, since virtualised systems are not supported)

– Firewalls can now share user ID mappings including those gained from global protect, IPSec, captive portal, etc. That is, firewalls can become user agents for other firewalls.

– Agentless USER-ID is better suited to smaller deployments, since the firewall itself must allocate some memory and CPU cycles to it; this matters most on the 2000 series

– Agent-based deployments serve multiple devices, which reduces the number of queries, and the agent acts as a cache, which is important to conserve resources

– X-forwarded-for header can only be used in logs, not in policy (yet)

– One can identify Linux Clients by:

  • examining exchange logs
  • joining Linux PCs to the AD domain via Kerberos
  • writing a custom syslog parser that leverages the XML API
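As an added illustration of the last option (this is my own example, not code from Palo Alto Networks or the session), the script below parses a few constructed Linux sshd syslog lines and turns the successful logins and disconnects into a User-ID XML API message. The `uid-message`/`login`/`logout`/`entry` layout follows the PAN-OS User-ID XML API format; the sample log lines, the hostname, the domain prefix `example` and the 20-minute timeout are assumptions I chose for the demo, and nothing is sent to a firewall.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not real logs) in OpenSSH sshd format.
SAMPLE_SYSLOG = """\
Nov  5 09:12:01 build01 sshd[2211]: Accepted publickey for alice from 10.20.30.41 port 51022 ssh2: RSA SHA256:abc
Nov  5 09:12:07 build01 sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Nov  5 09:13:44 build01 sshd[2230]: Accepted password for bob from 10.20.30.42 port 51040 ssh2
Nov  5 09:15:00 build01 sshd[2211]: Disconnected from user alice 10.20.30.41 port 51022
"""

# Only successful logins create a mapping; failed attempts are deliberately ignored so an
# attacker guessing passwords cannot plant a user-to-IP mapping on the firewall.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port"
)
LOGOUT_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from user (?P<user>\S+) (?P<ip>[0-9a-fA-F.:]+) port"
)

Event = Tuple[str, str, str]  # ("login" | "logout", user, ip)


def parse_line(line: str) -> Optional[Event]:
    """Return a login/logout event for one syslog line, or None if it is not relevant."""
    m = LOGIN_RE.search(line)
    if m:
        return ("login", m.group("user"), m.group("ip"))
    m = LOGOUT_RE.search(line)
    if m:
        return ("logout", m.group("user"), m.group("ip"))
    return None


def parse_syslog(text: str) -> List[Event]:
    """Parse a block of syslog text into an ordered list of events."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def build_uid_message(events: List[Event], domain: str = "example", timeout: int = 20) -> str:
    """Build a User-ID XML API 'update' message from parsed events.

    The domain prefix and timeout (minutes) are assumed values for this demo.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for kind, user, ip in events:
        parent = login if kind == "login" else logout
        entry = ET.SubElement(parent, "entry", name=f"{domain}\\{user}", ip=ip)
        if kind == "login":
            # Mappings expire so a stale IP does not keep a user's policy forever.
            entry.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_uid_message(parse_syslog(SAMPLE_SYSLOG)))
```

In a real deployment the resulting XML would be submitted to the firewall's XML API as a `user-id` request over HTTPS with an API key; I have left that step out here so the script runs offline. Note that the parser is strict by design: a regular expression that also matched "Failed password" lines would let unauthenticated connection attempts influence policy.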

– If no pre-shared key (PSK) is set, firewalls can be queried for their USER-ID mappings

