User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on the network environment, multiple techniques can be configured to map the user identity to an IP address. Events include authentication events, user authentication, terminal services monitoring, client probing, directory services integration and a powerful XML API. Once the applications and users are identified, full visibility and control within ACC, policy editing, logging and reporting is available.
Authentication events to capture user identity.
User-ID can be configured to monitor authentication events for Microsoft Active Directory, Microsoft Exchange and Novell eDirectory environments. Monitoring of the authentication events on a network allows User-ID to associate a user with the IP address of the device the user logs in from to enforce policy on the firewall.
- Microsoft Exchange Server: User-ID can be configured to constantly monitor the Microsoft Exchange logon events produced by clients accessing their email. Using this technique, even MAC OS X, Apple iOS, Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory can be discovered and identified.
- Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard LDAP queries on the Novell eDirectory servers.
- Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log onto the domain. When a user logs onto the Windows domain, a new authentication event is recorded on the corresponding Windows Domain Controller. By remotely monitoring the authentication events on Windows Domain Controllers, User-ID can recognize those authentication events to identify users on the network for creation and enforcement of policy.
Directory integration to capture group membership information
To allow customers to specify security rules based on user groups and resolve the group members automatically, User-ID integrates with nearly every directory server including Microsoft Active Directory, using a standards based LDAP protocol and a flexible configuration. Once configured, the firewall automatically retrieves user and user group information and keeps the information updated to automatically adjust to changes in the user base or organization.
User authentication events captures non-Windows domain users.
This technique allows organizations to configure a challenge-response authentication sequence to collect user and IP address information.
- Captive portal: In cases where administrators need to establish rules under which users are required to authenticate to the firewall prior to accessing the internet, a captive portal can be deployed. Captive portal is used in cases where the user cannot be identified using other mechanisms. In addition to an explicit username and password prompt, captive portal can also be configured to send an NTLM authentication request to the web browser in order to make the authentication process transparent to the user.
- GlobalProtect: Remote users logging into the network with GlobalProtect will provide user and host information to the firewall that in turn, can be used for policy control.
Terminal services integration.
In environments were the user identity is obfuscated by Citrix XenApp or Microsoft terminal Services, the User-ID Terminal Services Agent can be deployed to determine which applications users are accessing. Users sharing IP addresses working on Microsoft Windows Terminal Services or Citrix can be identified. Completely transparent to the user, every user session is assigned a certain port range on the server, which allows the firewall to associate network connections with users and groups sharing one host on the network.
Client and host probing catures Windows user information.
These techniques allow organizations to configure User-ID to monitor Windows clients or hosts to collect the indentiy and map it to the IP address.
- Client probing: If a user cannot be identified via monitoring authentication events, User-ID actively probes Microsoft Windows clients on the network for information on the currently logged on user. Using this mechanism, laptop users who often switch from wired to wireless networks can be reliably identified.
- Host probing: User-ID can also be configured to probe Microsoft Windows servers for active network sessions of a user. As soon as a user accesses a network share on the server, User-ID identifies the origin IP address and maps it to the user name provided to establish the session.
XML API integrates with other, non-standard repositories.
In some cases, organizations may already have a user repository or an application that is used to store information on users and their current IP address. In these scenarios, the XML API within User-ID enables rapid integration of user information with security policies. Examples of how the XML API can be used to collect user and IP address information are described below.
- Wireless environments: Customers using 802.1x to secure corporate wireless networks can leverage a syslog based integration with the Palo Alto Networks User-ID XML API, to identify users as they authenticate to the wireless infrastructure.
- Proxies: Similarly, authentication prompted by a proxy server can be provided to Palo Alto Networks User-ID via its XML API by parsing the authentication log file for user and IP address information.
- Network Access Control (NAC): The XML API allows customers to harvest user information from NAC environments. As an example, Bradford Networks, a NAC solution provider uses the User-ID XML API to populate user logons and logoffs of its 802.1x solution. This integration allows joint customers to identify users as soon as they connect to the network and set user-based enablement policies.