User expert forum user-id

Palo Alto Networks Expert Forum - User-ID - Melbourne, Australia, 23 October 2013.
Alberto Rivai, CCIE#20068, CISSP

Published in: Technology

  1. User-ID. User Expert Forum, 23 October 2013. Alberto Rivai, CCIE #20068, CISSP, Systems Engineer. © 2013 Palo Alto Networks. Proprietary and Confidential
  2. Identification Technologies Transforming the Firewall: App-ID identifies the application; User-ID identifies the user; Content-ID scans the content.
  3. A-I-A. Authentication: the firewall determines the identity of the user directly. Identification: the firewall learns the identity of the user from another, trusted system. Authorization: assigning rights to an authenticated user.
  4. User-ID Flow. A combination of methods is used to find user and group information and map those users to session source IP address(es).
  5. User-ID Session Information • Each session contains a source IP address and App-ID(s) • User-ID maps a user name to the source IP address • Security policy can then use source user, source IP, and App-ID as match criteria. Slide callout: Session from ... contains uTorrent!!! Which user is logged in at ...?
  6. User-ID Process • Enumerating users and groups • Mapping users to IP addresses
  7. Enumerating Users and Groups
  8. Enumerate Users and Groups • The firewall accesses the directory (Domain Controllers) via LDAP to: - find specific users - find groups and group membership - maintain user-to-group mapping
  9. LDAP Configuration
  10. Group Mapping configuration. Slide callout: Default 60 seconds.
  11. Group Mapping configuration
  12. Verify Group Mapping: admin@PA-VM> show user users-IDs (verify members of the group mapping)
  13. Refresh Group Mapping
  14. Refresh Group Mapping: admin@PA-VM> debug user-id refresh group-mapping all
  15. Useful CLI Commands: admin@PA-VM> show user group list; admin@PA-VM> show user group name <groupname>
  16. Useful CLI Commands: admin@PA-VM> show user group-mapping state all; admin@PA-VM> show user group-mapping statistics
  17. Remember, by default the firewall accesses the directory (Domain Controllers) via LDAP directly through the MGT port. Select the check box if the User-ID Agent is to be used as an LDAP proxy instead of the firewall connecting directly to the directory service.
  18. Mapping Users to IP Addresses
  19. User-ID configuration. Slide callout: Zone.
  20. User-ID Agent Types (Device > User Identification): configured on the firewall, or configured on a Windows system.
  21. Mapping Users to IP Addresses with Windows Agent
  22. Install the Windows agent on any member server • Local administrator account • Log on as a service • For Win2K8, add the service account user to the "Event Log Reader" and "Server Operator" built-in local security groups in the domain. • For Win2K3, the user right "Manage auditing and security log" must be given to that account.
  23. Server Monitor Tab: how often new user logins are detected by reading the security log on the AD server; 1 second default.
  24. AD Security Logs • By default Active Directory records the username and IP address of successful login events • The agent must have rights to read the security log. Diagram: Domain Controller 1, User-ID Agent, Domain Controller 2.
  25. AD Security Logs • On Windows 2003 DCs: - 672 (Authentication Ticket Granted, which occurs at the moment of logon) - 673 (Service Ticket Granted) - 674 (Ticket Granted Renewed, which may happen several times during the logon session) • On Windows 2008 DCs: - 4768 (Authentication Ticket Granted) - 4769 (Service Ticket Granted) - 4770 (Ticket Granted Renewed)
  26. AD Security Logs • The mappings will be maintained for a configurable timeout, which is recommended to be set to half the DHCP lease time used in the environment. • Client systems in an AD domain using the default configuration will attempt to renew their tickets every 10 hours.
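As an added illustration of slides 24 to 26 (example code written here, not code from the deck or from Palo Alto Networks), the following Python derives user-to-IP mappings from the listed Kerberos ticket event IDs and expires them after a timeout. The one-line event format, the account names and addresses are constructed for this example, and the 4-hour timeout assumes an 8-hour DHCP lease.

```python
# Added example (not from the slide deck or Palo Alto Networks): derive
# user -> IP mappings from DC security events the way slides 24-26 describe.
# The one-line event format and all sample values below are constructed;
# real DCs write these as Windows event records.
from datetime import datetime, timedelta

# Kerberos ticket events named on slide 25: Win2003 (672/673/674) and
# Win2008 (4768/4769/4770). Each carries an account name and client address.
LOGON_EVENT_IDS = {672, 673, 674, 4768, 4769, 4770}

# Constructed sample events: "<timestamp> <event id> <account> <client ip>"
SAMPLE_EVENTS = [
    "2013-10-23T09:00:00 4768 CORP\\alice 10.1.2.30",
    "2013-10-23T09:00:01 4769 CORP\\alice 10.1.2.30",
    "2013-10-23T09:05:00 4768 CORP\\WKS01$ 10.1.2.31",  # computer account
    "2013-10-23T09:10:00 4624 CORP\\bob 10.1.2.32",     # not a ticket event
    "2013-10-23T09:20:00 672 CORP\\carol 10.1.2.33",
    "2013-10-23T11:30:00 4770 CORP\\alice 10.1.2.30",   # renewal refreshes
]

# Assumption: an 8-hour DHCP lease, so the recommended timeout is 4 hours.
DEFAULT_TIMEOUT = timedelta(hours=4)


def parse_event(line):
    """Split one constructed event line into (time, event id, account, ip)."""
    ts, eid, account, ip = line.split()
    return datetime.fromisoformat(ts), int(eid), account, ip


def build_mappings(lines, timeout=DEFAULT_TIMEOUT):
    """Return {ip: (user, expiry)}; each matching event resets the expiry."""
    mappings = {}
    for line in lines:
        ts, eid, account, ip = parse_event(line)
        if eid not in LOGON_EVENT_IDS:
            continue                      # other events carry no usable mapping
        if account.endswith("$"):
            continue                      # machine accounts are not users
        mappings[ip] = (account, ts + timeout)
    return mappings


def lookup(mappings, ip, now_iso):
    """Return the user mapped to ip at time now_iso, or None if expired/unknown."""
    entry = mappings.get(ip)
    if entry is None or datetime.fromisoformat(now_iso) >= entry[1]:
        return None
    return entry[0]
```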
  27. Server Monitor Tab: how often additional user → IP address mappings are derived by reading the session table of active resources on the AD server; 10 second default.
  28. Shared Server Sessions • When AD users connect to printer or file shares, the server logs the user name and IP address. • Will only refresh known user/IP mappings • The agent must have rights to view the current open sessions on the Domain Controller • The agent requires Server Operator privileges to read the session table. Diagram: User-ID Agent, Shared Server.
  29. Client Probing: how often the agent will issue WMI/NetBIOS queries to desktops; 20 minute default.
  30. WMI Query • If no mapping can be achieved with passive methods, the agent switches to active methods • WMI queries can be sent to workstations to find users - Requires WMI to be enabled on each system. Diagram: User-ID Agent.
  31. WMI Query • Each learned IP will be probed once per interval period. • When the firewall receives an IP address that has no user data associated with it, it sends the IP to all configured AD agents and requests that they probe it to determine the user. • This request is added to the queue along with the known IP addresses waiting to be polled. If the agent is able to determine the user for that IP based on the probe, the information is sent back to the firewall.
  32. WMI Query • The underlying WMI query that is sent can be simulated with the following command, where remotecomputer is the IP address of the system being probed: wmic /node:remotecomputer computersystem get username
  33. Cache Tab: how long entries in the IP-to-username cache kept by the agent are valid. Current entries can be viewed from the main User Identification Agent screen under IP to Username Information; 45 minutes default. The user-ID cache timeout on the Windows agent only dictates how long the mapping will live on the agent itself. The firewall will time out all IP mappings in 60 minutes.
  34. Agent Service Tab
  35. Mapping Users to IP Addresses with Firewall Agent
  36. WMI Authentication
  37. Server Monitor: how often additional user → IP address mappings are derived by reading the session table of active resources on the AD server; 2 second default.
  38. How often the agent will issue WMI queries to desktops; 20 minute default.
  39. Specify the collector name if you want this firewall to act as a user mapping redistribution point for other firewalls on your network. The collector name and pre-shared key are used when configuring the User-ID Agents on the firewalls that will pull the user mapping information. (Device > User Identification > User-ID Agents)
  40. Best Practices
  41. User Data Redistribution • Firewalls can act as User-ID agents to each other for IP address mapping • Enabled on interfaces as part of the interface management profile • Redistributes address mappings learned locally - Will redistribute Captive Portal and GlobalProtect users - Does not redistribute mappings learned from other agents. Diagram: Windows Server UID Agent, GlobalProtect Agent.
  42. Scaling to complex environments. Large / distributed: global sites, DCs in every location, many AD domains or forests, hundreds of firewalls, scores of VSYS. Non-AD: RADIUS, group based, Apple Open Directory, other LDAP, subscriber DB. Solutions: hardware agents, dedicated HW agents, MS log forwarding, API (probably over SYSLOG).
  43. PAN-OS Agent vs. Software Agent • Both read security logs from servers • The hardware (PAN-OS) agent is much more efficient for bandwidth. Diagram: full security log = X MB of data; just the required event IDs = 0.05X MB of data; just user-to-IP mappings << X MB.
  44. Microsoft Log Forwarding • Simplifies the DC environment for the agent • Great for rapidly expanding networks where tracking new DCs is difficult • Built into Windows. Diagram: log forwarding from DC1, DC2 and DC3 to a member server, where the agent reads the logs.
  45. User-ID API
  46. User-ID XML API • The API allows user data to be pulled from other sources on the network • Defines an XML payload sent to User-ID over SSL • A script on an external device uses the User-ID API to send updates to User-ID; User-ID updates the user-to-IP mapping on the firewall
  47. Enabling User-ID Agent for User-ID API • XML-formatted data is sent to the User-ID Agent • Software agents must be enabled to accept XML API requests, which they then send to the firewall via SSL • The PAN-OS agent is always enabled • The User-ID Agent permission can be used to create an administrator account to accept XML API connections
  48. Additional User-ID API XML Request Options. Entry timeout: <login> <entry name="domainuid1" ip="" timeout="20">. Local group membership: <groups> <entry name="finance-group"> <members> <entry name="domainuid1"> <entry name="domainuid2"> </members> </entry> </groups>. HIP profile information: <entry name="domainuid1" ip="" timeout="20"> <hip-report> … </hip-report>
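An added example, not the slide deck's or Palo Alto Networks' code, that builds the XML request from the elements shown on slide 48 and reads it back for verification. The <login>/<entry>/<groups>/<members> elements come from the slide; the enclosing <uid-message>/<type>/<payload> envelope is the PAN-OS User-ID API framing as I know it and should be treated as an assumption, as are the sample users, group and addresses.

```python
# Added example (not from the slide deck or Palo Alto Networks): build the
# User-ID XML request from the elements shown on slide 48 and read it back.
# Assumption: the <uid-message>/<type>/<payload> envelope around <login>
# and <groups> is the PAN-OS User-ID API framing as I know it, not shown
# on the slide. Users, group and addresses below are constructed.
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(logins, groups=None):
    """logins: [(user, ip, timeout_minutes)]; groups: {group: [members]}."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for user, ip, timeout in logins:
        ipaddress.ip_address(ip)          # raises ValueError on a bad address
        if timeout <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    if groups:
        groups_el = ET.SubElement(payload, "groups")
        for group, members in groups.items():
            members_el = ET.SubElement(
                ET.SubElement(groups_el, "entry", name=group), "members")
            for member in members:
                ET.SubElement(members_el, "entry", name=member)
    return ET.tostring(root, encoding="unicode")


def parse_logins(xml_text):
    """Return {ip: (user, timeout)} from the <login> section, for checking."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): (e.get("name"), int(e.get("timeout")))
            for e in root.iterfind("./payload/login/entry")}


def parse_groups(xml_text):
    """Return {group: [members]} from the <groups> section."""
    root = ET.fromstring(xml_text)
    return {g.get("name"): [m.get("name") for m in g.iterfind("members/entry")]
            for g in root.iterfind("./payload/groups/entry")}


# Constructed sample request: two logins and one local group
SAMPLE_XML = build_uid_message(
    [("domain\\uid1", "10.1.2.30", 20), ("domain\\uid2", "10.1.2.31", 20)],
    {"finance-group": ["domain\\uid1", "domain\\uid2"]},
)
```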
  49. Use Case: Catholic Education SA. netwan/scripts/wiki/CE Filter-UID-RADIUSscript (Microsoft AD, DHCP and NPS)
  50. Resources • RADIUS-script