User-ID: Tie users and groups to your security policies
User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on your network environment, there are a variety of ways you can map a user’s identity to an IP address. Some of these include:
- Authentication events
- User authentication
- Terminal services monitoring
- Client probing
- Directory services integration
- A powerful XML API
Once you have identified the applications and users, full visibility and control are available in the ACC (Application Command Center), in policy editing, and in logging and reporting.
Authentication events help you identify users.
You can configure User-ID to monitor authentication events in Microsoft Active Directory, Microsoft Exchange and Novell eDirectory environments. This matters because monitoring authentication events on the network lets User-ID match a user with the IP address of the device from which they logged in, which in turn lets the firewall enforce policy for that user.
- Microsoft Exchange Server: You can configure User-ID to constantly monitor Microsoft Exchange logon events produced by clients accessing their email. Using this technique, you can even discover and identify Mac OS X, Apple iOS and Linux/UNIX client systems that don’t directly authenticate to Microsoft Active Directory.
- Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard LDAP queries on the Novell eDirectory servers.
- Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log onto the domain. When a user logs onto the Windows domain, a new authentication event is recorded on the corresponding Windows Domain Controller. By remotely monitoring these events on the Domain Controllers, User-ID identifies which users are active on your network, and you can create and enforce policies based on that information.
Directory integration captures group membership information.
To allow you to specify security rules based on user groups and resolve group members automatically, User-ID integrates with nearly every directory server – including Microsoft Active Directory – using a standards-based LDAP protocol and flexible configuration. Once you configure User-ID, your Palo Alto Networks firewall automatically retrieves and constantly updates user and user group information, and automatically adjusts to changes in your user base or organization.
User authentication events capture non-Windows domain users.
To capture users who are not members of a Windows domain, you can configure a challenge-response authentication sequence that collects the user name together with the user’s IP address.
- Captive portal: If your administrator needs rules that require users to authenticate to the firewall before accessing the Internet, or if you can’t identify a user through the other techniques, you can deploy a captive portal. In addition to an explicit username and password prompt, you can configure the captive portal to send an NTLM authentication request to the web browser, making the authentication process transparent to the user.
- GlobalProtect: Remote users logging into your network with GlobalProtect have to provide user and host information to your firewall. You can use this information for policy control.
Terminal services integration.
In environments where a user’s identity is hidden behind Citrix XenApp or Microsoft Terminal Services, because many users share the IP address of one server, our User-ID Terminal Services Agent can determine which applications each user is accessing. Transparently to the user, every user session is assigned a specific source port range on the server, so the firewall can associate each network connection with the individual user and group sharing that host.
Client and host probing captures Windows user information.
The following two techniques enable you to configure User-ID to monitor Windows clients or hosts to collect an identity and map it to the IP address.
- Client probing: If you can’t identify a user by monitoring authentication events, User-ID actively probes Microsoft Windows clients on your network for information on the user currently logged on. Through this, you can reliably identify laptop users who switch back and forth from wired to wireless networks.
- Host probing: You can also configure User-ID to probe Microsoft Windows servers for a user’s active network sessions. As soon as a user accesses a network share on your server, User-ID identifies the originating IP address and maps it to the user name supplied to open the session.
XML API integrates with other, non-standard repositories.
In some cases, you may already have a user repository or an application for storing information on users and their current IP address. If so, our XML API within User-ID enables you to quickly integrate user information with your security policies. Here are some examples of how our XML API can be used to collect user and IP address information.
- Wireless environments: If you use 802.1x to secure your corporate wireless networks, a syslog-based integration with our User-ID’s XML API can identify users as they authenticate to your wireless infrastructure.
- Proxies: Similarly, an authentication prompted by a proxy server allows the XML API in User-ID to parse the authentication log file for user and IP address information.
- Network Access Control (NAC): The XML API allows you to harvest user information from NAC environments. For example, Bradford Networks, a NAC solutions provider, uses our User-ID XML API to populate user logons and logoffs for its 802.1x solution. This integration allows joint customers to identify users as soon as they connect to the network and apply user-based access policies.
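As an added example (not code from this page or from Palo Alto Networks), the script below parses constructed 802.1x syslog lines from a hypothetical wireless controller and builds the User-ID XML API update document for the resulting user-to-IP mappings. The syslog layout and the `dot1x:` field names are assumptions for the example; the uid-message element layout follows the published User-ID XML API format. It also shows the checks a collector should apply before trusting log-derived mappings: failed authentications are never mapped, and user names and IP addresses are validated and XML-escaped rather than concatenated into the document.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample syslog lines in a hypothetical wireless-controller format
# (an assumption for this example; real 802.1x/RADIUS messages differ).
SAMPLE_SYSLOG = """\
<14>Jun 3 09:12:01 wlc01 dot1x: auth-success user=CORP\\alice ip=10.20.30.41
<14>Jun 3 09:12:07 wlc01 dot1x: auth-success user=CORP\\bob ip=10.20.30.42
<14>Jun 3 09:15:44 wlc01 dot1x: auth-failure user=CORP\\mallory ip=10.20.30.43
<14>Jun 3 09:30:10 wlc01 dot1x: disconnect user=CORP\\alice ip=10.20.30.41
<14>Jun 3 09:31:00 wlc01 dot1x: auth-success user=CORP\\eve ip=not-an-ip
"""

LINE_RE = re.compile(r"dot1x: (?P<event>auth-success|disconnect) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
USER_RE = re.compile(r"^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.-]+$")  # accept DOMAIN\user only


def parse_mappings(syslog_text):
    """Return (logins, logouts) as lists of (user, ip). Failed authentications,
    malformed user names and invalid IPs are skipped, never mapped."""
    logins, logouts = [], []
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not USER_RE.match(m.group("user")):
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # a bogus address must not reach the firewall
        target = logins if m.group("event") == "auth-success" else logouts
        target.append((m.group("user"), ip))
    return logins, logouts


def build_uid_message(logins, logouts, timeout_minutes=30):
    """Serialize the mappings as a User-ID XML API 'update' document. ElementTree
    escapes every value, so a crafted user name cannot inject extra elements."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login_el = ET.SubElement(payload, "login")
        for user, ip in logins:  # timeout: minutes until the mapping expires
            ET.SubElement(login_el, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout_el = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout_el, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")
```

A collector would POST the returned document to the firewall's User-ID API endpoint with an API key; the transport is left out here so the script runs offline.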