Installation Steps for PAN User-ID Agent
If you have an Active Directory domain, and would like the Palo Alto Networks firewall to
match traffic to particular logged-in users, you can install the PAN User-ID Agent. The User-ID
Agent queries the specified domain controllers, searches their security logs for particular event
IDs, and uses that information to build a database of currently logged-in users and their
associated IP addresses. That database is then pushed to the PAN firewalls, where it is used
for policy enforcement and traffic logging.
Note that PANOS 3.0 now supports tracking users on Terminal Servers and Citrix Servers. To do
this, you must install the Terminal Server Agent on the TS/Citrix server; refer to the PANOS 3.0
Administrator's Guide for instructions.
Things to determine beforehand:
• Determine onto which machine the User-ID Agent will be installed. That machine must:
o be running Windows XP Service Pack 2, Windows Server 2003 Service Pack 2,
or Windows Server 2008
o be a member of the domain to be monitored
o have network connectivity to the DCs and to the management port of the PAN
firewall
o be located near the DCs that it will be querying
• Determine which user account will be used by the User-ID Agent to query the domain.
You can either use a Domain Administrator account, or set up a more restrictive account
as described in Appendix A of this document.
• Determine which domain (with corresponding domain controllers) the User-ID
Agent will be querying. Note that you need one User-ID Agent for each domain. One
User-ID Agent can handle a maximum of 64,000 users in a domain.
Part 1: Installing and Configuring the User ID Agent
1. Login to the PC that you will use to run the User-ID Agent. For this initial installation,
login as a domain administrator.
2. Download the latest version of the User Identification Agent (PanAgent.msi) from
https://support.paloaltonetworks.com.
PANOS 3.0.0 1
3. Install that file, accepting all the defaults. This installs the software as a service on the
PC.
4. You will now configure the User-ID Agent service to run under a different account.
Bring up the Services administrative tool, services.msc.
5. In the list of services, edit the PanAgentService. You will see this screen:
On the Log On tab, specify the username and password of an account that has the ability
to read the domain controller security logs. Refer to Appendix A for the steps
to create such an account.
In this example, the account is called PANuserid, in the acme domain.
6. In order for the service to run as that user, you must start or restart that service. Use the
General tab to do that now. Close the Services control panel.
7. Start the User-ID Agent configuration program (Start -> Programs -> Palo Alto
Networks -> User Identification Agent). In the top-right corner, click Configure. On
the configuration screen, fill in the following fields:
• Domain name - enter the FQDN of the domain (example: acme.com)
• Port number of your choosing - can be any port number that is not currently used
on this machine. Make sure the local machine does not have a Windows firewall
that is blocking inbound connections on that port.
• Domain controllers IP addresses - You should add in ALL the DCs in the
domain here, since users can be authenticated with any DC in the domain. You
can enter up to 100 IP addresses.
• Allow list - list of subnets that contain users you want to track.
• Ignore list - IP addresses of machines you do not want to track.
Here is an example:
In the bottom left corner of that same window, there are various timer values that you
may want to adjust after the User-ID agent is operational. For now, accept the default
values.
Once you are finished, click OK.
8. (OPTIONAL) On the main page of the User-ID Agent, you can specify which AD groups
you do or do not want to forward to the PAN firewall. The Filter Group Members and
Ignore Groups buttons are in the top-right corner of the main screen. You will want to
configure one or the other, but probably not both.
• Use Filter Group Members if you have a large number of groups in the domain,
and you want to specify exactly which groups the User-ID Agent will look for in
the domain security logs.
• Use Ignore Groups if you want the User-ID Agent to pay attention to all of the
AD groups, but ignore a handful of those groups.
Click on Filter Group Members, and the screen below appears. Select the AD groups
you want to control using the PAN firewall.
Note that only the groups in the right-hand column will appear in the policy configuration
screen on the PAN firewall, as shown here:
9. On the main screen, click the Get LDAP tree button. The User-ID Agent service will
query the domain and retrieve a list of all of the groups in the domain. This will take a
few minutes if the domain is large. Once the groups are retrieved, information will appear
as shown below:
10. You can monitor the agent status window in the top left corner.
Possible status codes:
• Connection Failed
• Please start the PanAgent service first
• Reading domainname\enterprise admins Membership
• No errors
11. Click on Get Groups, and a list of domain groups will appear in the pull-down list.
12. After the agent has read all the security groups, it will read through the 50,000 most
recent log entries in each Domain Controller's security log, searching for login events (see
footnote 1). (Again, this may take a while.) The User-ID Agent will create a list of usernames and
associated IPs. Click on Get All to see the IP to username mappings.
13. If you have a particular IP address in mind, and want to find out which user maps to that
IP, you can enter that IP to the left of the Get IP Information button. Click that button,
and the name associated with that IP will appear.
14. To confirm that the server running the User-ID agent is listening on the port you
configured in a previous step, use the following command on the PC:
netstat -an | find "xxxx"
where xxxx is the port number you configured earlier. Here is example output, showing
that the UserID agent is in fact listening on port 9999:
Footnote 1: Event IDs on Windows 2000 & 2003: 672, 673, 674. Event IDs on Windows Server 2008: 4624, 4768, 4769, 4770.
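The following is an added illustration, not code from Palo Alto Networks or from the agent itself, of the mapping logic steps 7, 12 and 25 describe: replay logon events with the footnote's event IDs, keep only addresses inside the allow list and off the ignore list, skip service accounts named in ignore_user_list.txt, and look up an IP the way the Get IP Information button does. The event records are constructed, and the one-name-per-line file format and the matching on the bare account name are assumptions.

```python
import ipaddress

# Logon event IDs the agent searches for, per the document's footnote:
# 672/673/674 on Windows 2000/2003, 4624/4768/4769/4770 on Windows Server 2008.
LOGON_EVENT_IDS = {672, 673, 674, 4624, 4768, 4769, 4770}

# Constructed sample records as (event_id, account, source_ip); the real agent
# pulls these fields from the security log entries on each DC.
SAMPLE_EVENTS = [
    (4624, "acme\\jpage", "172.16.1.14"),
    (4768, "acme\\rplant", "172.16.1.20"),
    (4624, "acme\\backupsvc", "172.16.1.14"),  # post-logon batch job (step 25)
    (4624, "acme\\jbonham", "10.9.9.9"),       # not inside the allow list
    (4624, "acme\\jpjones", "172.16.1.200"),   # address on the ignore list
    (4634, "acme\\jpage", "172.16.1.14"),      # logoff event, not a logon ID
    (4768, "acme\\jpage", "172.16.1.15"),      # same user now seen on a new IP
]

def parse_ignore_user_list(text):
    """One account name per line (assumed format of ignore_user_list.txt)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def account_name(user):
    """Strip the DOMAIN\\ prefix; the ignore list is matched on the bare name (assumption)."""
    return user.rsplit("\\", 1)[-1].lower()

def build_user_ip_map(events, allow_list, ignore_ips, ignore_users):
    """Replay security log records in order and keep the latest logon per IP.
    Records outside the allow list, on the ignore list, or for ignored service
    accounts are dropped, so a service account never overwrites the real user."""
    allowed = [ipaddress.ip_network(n) for n in allow_list]
    ignored_ips = {ipaddress.ip_address(i) for i in ignore_ips}
    mapping = {}
    for event_id, user, ip in events:
        if event_id not in LOGON_EVENT_IDS:
            continue
        addr = ipaddress.ip_address(ip)
        if addr in ignored_ips or not any(addr in net for net in allowed):
            continue
        if account_name(user) in ignore_users:
            continue
        mapping[ip] = user
    return mapping

def lookup_user(mapping, ip):
    """Equivalent of the agent's Get IP Information button (step 13)."""
    return mapping.get(ip)

if __name__ == "__main__":
    ignore = parse_ignore_user_list("backupsvc\n")
    table = build_user_ip_map(SAMPLE_EVENTS, ["172.16.1.0/24"], ["172.16.1.200"], ignore)
    for ip, user in sorted(table.items()):
        print(f"{ip:<16} {user}")
```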
Part 2: Configuring the firewall to communicate with the User-ID Agent
15. Login to the PAN firewall as admin. Go to Device tab -> User Identification.
16. In the left column, Add the IP address and port of the User-ID Agent. Here is an
example:
17. You must also enable user identification on each zone that you want to monitor. On the
Network tab -> Zones page, edit the appropriate zones (example: tapzone). In the bottom
left corner of the zone properties page, check the box to Enable User Identification.
18. The firewall is now configured. Commit your changes at this time.
19. To confirm everything is configured properly, bring up a CLI to the firewall, and execute
this command:
show pan-agent statistics
You may get the following output, which usually means that you have not committed:
Or you may get this output, which indicates things are working properly:
20. You can view the defined AD usernames and associated groups using:
show pan-agent user-IDs
Part 3: Testing
21. At this point, you can test by logging into the domain as a regular user, on a machine in the
IP address range you specified to be monitored by the agent. After a few minutes,
usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in
the ACC drill-downs of particular applications.
22. On the firewall, go to the Policies tab -> Security screen, and select one of the policies.
Edit the value in the Source User column. In the window that appears, you will see a
listing of Active Directory groups; these were pulled from the domain. Recall that if
you filtered the groups, only the groups you specified will appear here.
Part 4: Troubleshooting Hints
23. You can view the currently logged-in users using:
debug dataplane show user all
If there is a long list of users, and you want to determine if a particular user (example:
jpage) is in the list, use this command:
debug dataplane show user all | match jpage
Or you can search the output for a particular source IP:
debug dataplane show user all | match 172.16.1.14
24. For testing purposes, you can clear the logged-in user database on the PAN firewall,
either for a single IP, or the complete database:
debug dataplane reset user-cache ip 1.1.1.9
debug dataplane reset user-cache all
To re-establish the connection with the User-ID Agent, run this command:
debug device-server reset pan-agent all
25. Ignoring Service Accounts
Some customers have batch files that execute after a user logs in, and these batch files
run as a different AD account. That service account may then appear in the User-ID Agent
user database in place of the real user. If that is the case, you can tell the User-ID Agent to ignore that particular
user account. To do this, create a file called "ignore_user_list.txt" in the directory in
which the User-ID Agent was installed (typically C:\Program Files\Palo Alto
Networks\PanAgent). Put in that file the name of the service account that you want the
User-ID Agent to ignore.
26. The User-ID Agent maintains a log file which is very useful for troubleshooting. The log
file can be viewed using File -> Show Logs.
To enable detailed information on the User-ID Agent operation, go to File -> Debug and
select Verbose. The logs will now display more detailed messages.
Appendix A
Creating a Domain Account for use with PanAgent Service
The User-ID Agent must have the ability to read the security log on the domain controllers. In
particular, the user right "Manage auditing and security log" must be granted to that account.
The Domain Admins group has that user right by default. If you want to create an account
that has more restrictive access than Domain Admins, follow these steps.
1. Log in to a domain controller as an administrator. Start Active Directory Users and
Computers. In an appropriate OU, create a new account. You can give it any name
you'd like.
Assign a password to the account, and uncheck the box "User must change password at
next logon."
2. Now edit the Default Domain Controller Security Policy, found under Programs ->
Administrative Tools. Drill down to Security Settings -> Local Policies -> User Rights
Assignment. You will see the screen below.
3. In the right-hand pane, locate the user right "Manage auditing and security log".
Double-click that entry. You will see that only Administrators have that user right.
4. Click Add User or Group.
5. Click Browse.
6. Enter the username of the account you just created, and click on Check Names to confirm
that account exists. The account name will become underlined.
7. Click OK two times. The user right will now look like this:
8. Close that screen, as well as exit from the Default Domain Controller Security Policy
tool.
9. In order for this policy to take effect immediately, run this command on each domain
controller in the domain:
If you do not run this command on each DC, it will take up to 60 minutes for this change
to be propagated.
10. To perform an initial test, log out of the DC, and log back into the DC as the new user
(PanUserID).
11. While logged in as the new user, start Event Viewer (hint: from a command prompt, you
can type eventvwr.msc).
12. Confirm that the new user can view the events in the security log.
13. Use View -> Find to search for login events (event ID 672 on Windows 2000/2003,
event ID 4624 on Windows 2008). You should see numerous events of that type.
14. (OPTIONAL) If you want to further restrict this account from being able to clear the
security log, refer to Microsoft KB 323076.
15. At this point, you can log in to the server that is running the PAN User-ID Agent, and
configure the PanAgent service to use the newly created account.