EDU 311 80a MOD 07 User ID

Uploaded by anhtuan29

User-ID Troubleshooting

EDU-311

PAN-OS® 8.0

Courseware Version A
Agenda
§ Agent connection status

§ User-ID best practices

§ User-to-IP mapping

§ Authentication policy (Captive Portal)

2 | ©2017, Palo Alto Networks, Inc.


Agent Connection Status

User-ID Overview
A combination of PAN-OS® software and User-ID agent gathers user and group
information and uses it to map users to the source IP addresses of sessions.

User-ID Agents Connection Status
Device > User Identification

(green) User-ID agent communicates with the firewall
(yellow) User-ID agent not enabled on the firewall
(red) No connection to the User-ID agent

Viewing Software Agent Logs
Basic search in Agent UI

Use Text Editor for more search options

Viewing Firewall Logs
Monitor > Logs > System

Enable agent debug level:
> debug user-id agent <agent> on debug
Forward agent logs to firewall:
> debug user-id agent <agent> receive yes
Page through agent logs:
> less agent-log 1/CSE-AD.log
Disable agent debug:
> debug user-id agent <agent> off

Displaying the Connected User-ID Agent
§ Determine the agent being used by the firewall:
> show user user-id-agent statistics

§ An agent with * in the Usage column is in use:

User-ID Best Practices

User-ID Best Practices
§ Configure well-connected Domain Controllers at the top of the list.

§ Filter the list of groups to gather to include only groups that will be used in
actual policy rules:
• To make sure that all users are tracked, include the group Domain Users.

§ Use Domain Global groups in a policy rule only in multi-domain environments:
• Note that this practice is not aligned with traditional Microsoft AD practice, where
Domain Local groups are used to control rights and access.

§ If you have agents on slow or busy links, configure only well-connected agents
first, and then run a commit before adding the slower-connected agents.

User-ID Agent Best Practices
§ Configure the age-out timer value for the agent to half of the DHCP lease time.

§ WMI is recommended over NetBIOS:
• Configure the probing interval based on the total number of users in the environment.

Show User-Group Relation
Show current user-group relationship in memory:

admin@PA-5250> show user user-ids

User Name            Vsys    Groups
--------------------------------------------------------------
domain\user1         vsys1   domain\applications
                             domain\domain users
domain\user2         vsys1   domain\domain users
                             domain\groupalpha
                             domain\groupbravo
                             domain\users

Show Group Members
Show members of each group:
admin@PA-5250> show user group name <group-name>

[1 ] domain\paul
[2 ] domain\john
[3 ] domain\gretchen
[4 ] domain\rhonda
[5 ] domain\jorge

Note: Group membership can be different from that in the dataplane.

User-to-IP Mapping

User-to-IP Mapping
Show users and associated IP addresses:
admin@PA-5250> show user ip-user-mapping all

IP              Ident. By  User             Idle Timeout (s)  Max. Timeout (s)
--------------- ---------- ---------------- ----------------- ----------------
172.57.124.115  AD         domain\john      56                56
192.44.120.22   AD         domain\paul      60                60
192.196.18.157  AD         domain\gretchen  72                72
65.218.23.184   AD         domain\rhonda    249               249
10.142.47.122   AD         domain\jorge     2106              2106
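As an added example (not part of the courseware), a small Python parser for the table above, plus the check a troubleshooter would run against the agent best practice of an age-out timer no longer than half the DHCP lease: a mapping that outlives the lease can bind a reassigned address to the previous user. The sample output and the lease value are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `show user ip-user-mapping all`
# (same five entries as the slide); not captured from a real firewall.
SAMPLE_MAPPING_OUTPUT = """\
IP              Ident. By  User             Idle Timeout (s)  Max. Timeout (s)
--------------- ---------- ---------------- ----------------- ----------------
172.57.124.115  AD         domain\\john      56                56
192.44.120.22   AD         domain\\paul      60                60
192.196.18.157  AD         domain\\gretchen  72                72
65.218.23.184   AD         domain\\rhonda    249               249
10.142.47.122   AD         domain\\jorge     2106              2106
"""

# One data row: ip, identification source, user, idle timeout, max timeout.
# The header and the dashed separator do not match because their 4th/5th
# fields are not integers.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_ip_user_mapping(text: str) -> List[Dict]:
    """Parse the CLI table into a list of dicts, one per mapping."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, source, user, idle, maximum = m.groups()
        rows.append({"ip": ip, "source": source, "user": user,
                     "idle": int(idle), "max": int(maximum)})
    return rows


def stale_mapping_candidates(rows: List[Dict], dhcp_lease_s: int) -> List[Dict]:
    """Mappings whose remaining lifetime exceeds half the DHCP lease.

    Such a mapping can still name the old user after DHCP hands the address
    to a different host, so user-based policy would be enforced for the
    wrong person. The lease length is an input you supply (constructed here).
    """
    limit = dhcp_lease_s // 2
    return [r for r in rows if r["max"] > limit]
```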

Modifying the User Cache
For testing purposes, you can modify the authenticated user database using the
following commands:

> debug user-id refresh user-id ip <ip-address>
> debug user-id refresh group-mapping all
> clear user-cache all
> clear user-cache ip <ip-address>

Additional User-ID Agent Commands
§ Display information related to directory servers:
> show user server-monitor statistics
> show user server-monitor state all

§ Show current status of host probing:
> debug user-id dump probing-stats

§ Display mappings in the dataplane and the control plane:
> show user ip-user-mapping [all | ip <ip-address>]
> show user ip-user-mapping-mp [all | ip <ip-address>]

Userinfo.xml
§ After the firewall discovers all user/group relationships, it will generate a file
named userinfo.xml.
§ The file stores all user and group names for each virtual system:
admin@PA-5250> less mp-global userinfo.xml

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <user>
            <entry name="domain\jorge" id="13767"/>
            <entry name=" domain\rhonda" id="1974"/>
            [...]
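Added example, not part of the courseware: parsing userinfo.xml into the users known per vsys, then comparing that against usernames taken from the ip-user-mapping output to find users who hold a mapping but have no group information yet (group-based rules cannot match them until group mapping is refreshed). The XML sample is constructed from the fragment above with closing tags added; the name normalization (strip whitespace, lower-case) is an assumption, not documented behaviour.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed userinfo.xml modelled on the slide's fragment, completed with
# closing tags so it parses; not a file taken from a real firewall.
SAMPLE_USERINFO = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <user>
            <entry name="domain\\jorge" id="13767"/>
            <entry name=" domain\\rhonda" id="1974"/>
          </user>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def _norm(name: str) -> str:
    # Assumption: compare names stripped and lower-cased. The slide's fragment
    # shows a stray leading space in one entry, which would otherwise break
    # a naive string comparison.
    return name.strip().lower()


def parse_userinfo(xml_text: str) -> Dict[str, Dict[str, int]]:
    """Return {vsys: {username: id}} from userinfo.xml."""
    root = ET.fromstring(xml_text)
    result: Dict[str, Dict[str, int]] = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        users = {}
        for u in vsys.iterfind("./user/entry"):
            users[_norm(u.get("name"))] = int(u.get("id"))
        result[vsys.get("name")] = users
    return result


def users_without_group_info(mapped_users: Iterable[str],
                             userinfo: Dict[str, Dict[str, int]],
                             vsys: str = "vsys1") -> List[str]:
    """Mapped users absent from userinfo.xml for the given vsys."""
    known = userinfo.get(vsys, {})
    return sorted(_norm(u) for u in mapped_users if _norm(u) not in known)
```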

Authentication Policy (Captive Portal)

Authentication Policy in 8.0
§ Applies to known and unknown users

§ Adds a timeout period:
• Bypass challenges for subsequent sessions after successful authentication
• Use to balance user productivity/workflow versus network control

§ Enables multi-factor authentication:
• Choose how many challenges of different types to which users must respond
• Use added support for SAML

§ User-ID Captive Portal still exists:
• Updates user mappings
• Records authentication timestamps

[Screenshots: 7.1 | Policies > Captive Portal; 8.0 | Policies > Authentication]

Captive Portal Best Practices
§ Configure Captive Portal in redirect mode when possible:
• A single interface can be configured for Layer 3 operations to host a portal
for deployments using Layer 2 or virtual wire.

§ If you use RADIUS, ensure the proper default domain is configured for users.
If no domain is provided during login, then the default domain will be assumed.

§ Kerberos authentication requires fewer configurations for AD environments than does LDAP.

Verify Authentication Policy
§ Display the current Authentication (and Captive Portal) policy:
> show running authentication-policy

§ Verify if specific traffic will match an Authentication policy:
> test authentication-policy-match ...

No Source User in Sessions
§ If the show user ip-user-mapping command displays many users, but none
of the sessions contains the source user, ensure that the zone(s) have the
User-ID agent enabled.

§ If the IP-to-user mapping is not present, often the agent did not receive
information from its sources:
• Verify IP-to-user mapping on the agent first, before debugging on the firewall.

§ If the agent does not see an entry, check the source of the mapping:
• For AD, check Domain Controller Security logs for login events
• For LDAP, query the user to see if the network address field is correct

Potential User-ID Agent Configuration Issues
§ NetBIOS name instead of FQDN for Domain Controller identification

§ Firewall between the User-ID agent and the Palo Alto Networks firewall

§ The User-ID agent wasn’t stopped before you upgraded to a newer version

§ User identification not enabled in a corresponding security zone

§ Wrong credentials configured on the User-ID agent

Questions?
