Sunday, March 22, 2020

Palo Alto Networks - User-ID at Home

User-ID is one of the core features of Palo Alto Networks firewalls, and it is very useful when implementing identity-based policy in an enterprise environment. User-ID mappings can be fed from a variety of sources (GlobalProtect is a great option). Given the proliferation of IoT devices (especially at my house 😂), User-ID can be difficult to apply across all devices, since many of them never have an actual user logged in. With that in mind, I wanted to share a method that maps hostnames from DHCP lease events in the system logs to their corresponding IP addresses. This allows administrators to reference those devices in User-ID-based policy without an actual user account.

Note - This post assumes that you are using the firewall as your DHCP server, but realistically, any DHCP server capable of forwarding logs to the firewall can be used.

  • Navigate to Device -> Server Profiles -> Syslog -> Add to create a new syslog profile
    • Enter a Profile Name
    • In the Servers tab, Add a new server
    • Enter a Name
    • Enter the Syslog Server address
      • In my case, it is the trust interface of the firewall
  • Navigate to Device -> Log Settings -> System -> Add to create a new Log Setting - System
    • Enter a Profile Name
    • Set the Filter to (eventid eq lease-start)
    • Add the Syslog server profile that you created previously
    • Click OK
  • Navigate to Device -> User Identification -> User Mapping -> Palo Alto Networks User-ID Agent Setup (the gear icon) -> Syslog Filters -> Add to create a new Syslog Parse Profile
    • Enter a Syslog Parse Profile Name
    • Set Type to Regex Identifier
    • Enter DHCP\ lease\ started for Event Regex
    • Enter hostname ([a-zA-Z0-9\_\[\]\-]+) for Username Regex
    • Enter ip ([A-F0-9a-f:.]+) for Address Regex
    • Click OK
    • Click OK
  • Navigate to Device -> User Identification -> User Mapping -> Server Monitoring -> Add to create a User Identification Monitored Server
    • Enter a Name
    • Set the Type to Syslog Sender
    • Set the Network Address
      • In my case, it is the trust interface of the firewall
    • Set Connection Type to UDP
    • Add the Syslog Parse Profile that you created previously
    • Click OK
  • Navigate to Network -> Zones -> select the zone(s) on which your devices reside -> check the Enable User Identification check box
  • Navigate to Network -> Network Profiles -> Interface Mgmt -> Add to create an Interface Management Profile
    • Note - If you already have one that is applied to your trust interface, then you can simply edit that one.
    • Check the User-ID Syslog Listener-UDP check box
    • Click OK
  • Navigate to Network -> Interfaces -> select the trust interface -> Advanced -> Other Info -> Management Profile -> select the Management Profile you created previously
  • Commit the configuration
  • Test the changes by clearing/renewing some leases, then navigating to Monitor -> Logs -> System and filtering by ( eventid eq lease-start ) to see entries such as:
  • You will also see traffic logs with the Source User column populated by navigating to Monitor -> Logs -> Traffic:
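As an added example (not code from the original post or from Palo Alto Networks), the three regexes from the Syslog Parse Profile above applied in Python to constructed sample lease-start lines, so you can see which hostnames the Username Regex will and will not capture before committing. The sample message bodies are an approximation of PAN-OS system-log syslog output, not captured firewall output.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# The three regexes exactly as entered in the Syslog Parse Profile.
EVENT_RE = re.compile(r"DHCP\ lease\ started")
USER_RE = re.compile(r"hostname ([a-zA-Z0-9\_\[\]\-]+)")
ADDR_RE = re.compile(r"ip ([A-F0-9a-f:.]+)")

# Constructed sample lines (approximate PAN-OS lease-start message format).
SAMPLE_LOGS = [
    "DHCP lease started ip 192.168.1.50 --> mac 00:11:22:33:44:55 - hostname living-room_tv, interface ethernet1/2",
    "DHCP lease started ip 192.168.1.51 --> mac 00:11:22:33:44:66 - hostname camera[1], interface ethernet1/2",
    # Not a lease-start event: the Event Regex must reject it.
    "DHCP lease expired ip 192.168.1.52 --> mac 00:11:22:33:44:77 - hostname old-device, interface ethernet1/2",
    # Client sent no hostname: no username can be extracted, so no mapping.
    "DHCP lease started ip 192.168.1.53 --> mac 00:11:22:33:44:88 - hostname , interface ethernet1/2",
    # Dotted hostname: the Username Regex has no '.' in its class, so it truncates.
    "DHCP lease started ip 192.168.1.54 --> mac 00:11:22:33:44:99 - hostname printer.lan, interface ethernet1/2",
    # Same IP handed out again later: the newer lease replaces the old mapping.
    "DHCP lease started ip 192.168.1.50 --> mac 00:11:22:33:44:aa - hostname guest-phone, interface ethernet1/2",
]


def parse_lease_start(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, ip) when a line passes all three regexes, else None.

    Mirrors the parse profile: the Event Regex gates the line, then the
    Username Regex and Address Regex each must extract a value.
    """
    if not EVENT_RE.search(line):
        return None
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    if not user or not addr:
        return None
    return user.group(1), addr.group(1)


def build_mappings(lines: Iterable[str]) -> Dict[str, str]:
    """Build an IP -> username table; a later lease for an IP overwrites earlier ones."""
    mappings: Dict[str, str] = {}
    for line in lines:
        parsed = parse_lease_start(line)
        if parsed:
            user, ip = parsed
            mappings[ip] = user
    return mappings
```

Run it before you commit: a hostname the regex truncates or drops here will show up the same way (or not at all) in the Source User column.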
