Tuesday, November 15, 2016

Palo Alto Networks - Aruba Networks Instant User-ID Integration

Palo Alto Networks firewalls are built on three core technologies: App-ID, User-ID, and Content-ID. User-ID, specifically, accomplishes two objectives:
  1. Mapping IP addresses to actual user account information. This is imperative for troubleshooting and analyzing logged data, because IP address assignments change over time.
  2. Using user and group information within a security policy. This allows administrators to get very granular about how they enforce corporate security posture.
In most Palo Alto Networks firewall deployments, I see User-ID configured via an agent that ties into Active Directory. However, this is typically where the integration stops. It is imperative that the firewall ingests as much user information as possible so that logs and security policy remain consistent. User-ID provides other mechanisms by which we can tie into user account information (e.g. syslog, API, etc.). After all, Active Directory is only one of those ways. Specific to Aruba Networks Instant APs, the integration is very straightforward.

In the virtual controller GUI, navigate to More -> Services -> Network Integration, enter the necessary information, and click OK.


Create a new SSID, leveraging 802.1X as the authentication mechanism. 


Upon logging into the SSID with Active Directory credentials, you will begin to see the source user information populate in the Palo Alto Networks firewall logs. 
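To check that the mappings the virtual controller pushes actually arrive, it helps to be able to build and audit the same kind of User-ID update yourself. The following is an added example, not code from this post, Aruba, or Palo Alto Networks: it builds a PAN-OS User-ID XML API `uid-message` login/logout update, prepares the `type=user-id` request for the firewall's `/api/` endpoint, and parses the firewall's response. The firewall host, API key, user names and IP addresses are constructed placeholders.

```python
"""Build, audit and parse PAN-OS User-ID XML API messages (type=user-id),
the same kind of IP-to-user update a wireless controller submits when a
user authenticates over 802.1X. Sample values below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_message(logins, logouts=(), timeout_minutes=60):
    """Return a <uid-message> update as a string.
    logins/logouts are (user, ip) pairs; use DOMAIN\\user so the entries
    line up with the Active Directory mappings the firewall already holds."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            # timeout (minutes) keeps stale mappings from lingering forever
            ET.SubElement(login, "entry", name=user, ip=ip,
                          timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def build_api_request(firewall_host, api_key, uid_xml):
    """Return (url, form_body) for a POST to the XML API; the caller
    submits it with any HTTPS client (certificate validation left on)."""
    url = f"https://{firewall_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body


def mappings_in_message(uid_xml):
    """List the (user, ip) login pairs a uid-message would push, so an
    update can be reviewed before it is sent or compared with the
    firewall's own ip-user-mapping table afterwards."""
    root = ET.fromstring(uid_xml)
    return [(e.get("name"), e.get("ip"))
            for e in root.findall("./payload/login/entry")]


def parse_api_response(response_xml):
    """Return (status, message) from a PAN-OS XML API response, e.g.
    ('success', '') or ('error', 'Invalid Credential')."""
    root = ET.fromstring(response_xml)
    msg = root.findtext(".//msg/line") or root.findtext(".//msg") or ""
    return root.get("status", "unknown"), msg.strip()
```

Once the SSID is live, comparing `mappings_in_message()` output with the firewall's IP-to-user mapping table is a quick way to confirm the controller's timeout and user-name format match what the Active Directory agent already provides.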


