PAN-OS 4.0
Nick Piagentini

Contents
PAN-OS 4.0 User-ID functions
User/Group Enumeration
1. Using AD User Agent for Enumeration
2. Using LDAP Servers for Enumeration
User to IP Mapping
1. AD User Agent
2. LDAP User Agent
3. Captive Portal
4. Terminal Server Agent
5. Palo Alto Networks client software

PAN-OS 4.0 User-ID functions
User Identification in PAN-OS 4.0 encompasses two primary functions:
• Enumeration of users and their associated group membership
• Mapping of those users to their current IP addresses.
Each of these functions can be performed by different methods. Some methods are effective in specific network environments and some are applicable in all environments. Both components will be discussed in this document.

User/Group Enumeration
Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object will contain a list of user objects that are members. This list will be evaluated and will become the list of users and groups available in security policy and authentication profiles. There are two methods for retrieving this data:
1. use an agent that talks to Active Directory, or
2. use an agent that talks to LDAP servers.
Both of these methods are discussed below.


Palo Alto Networks

1. Using AD User Agent for Enumeration
Operation:
This agent is installed as a Windows service on a Windows server that is a member of the domain to be polled. It is configured with a list of Domain Controllers in a single Windows Domain, and will access the first DC on that list for user and group information. If the first DC is not available when it does group enumeration, the agent will continue down the list until it locates a DC that is available.
The agent will access the domain controller using Microsoft RPC and will read all of the security groups in the domain. Since the agent is only configured to map users from a single domain, any accounts from other domains will be ignored. For this reason it is a best practice to build security policy using Domain Global groups, as they will only contain users from a single domain and will be correctly represented by the AD User Agent.
After the agent has parsed the domain for groups and users, it can apply a group filter to send only select groups to the firewall. It is strongly recommended that you configure a group filter. By eliminating unneeded groups from the list that is sent to the firewall, overall processing on the firewall's Management Plane is reduced, and the group selection interface in the UI is more succinct and user friendly.
After the initial group membership is obtained, the agent will check to see if group membership has changed every so often, based upon a configurable timer (called User Membership Timer). The agent will update the firewall with only the groups that have changed membership. If no changes to group membership are detected there will be no data sent to the firewall.
A single agent can only monitor domain controllers from a single domain. The agent can monitor up to 100 individual DCs from that single domain. In a multi-domain environment there will need to be multiple agents deployed, so that group information can be retrieved from all the domains.
For each domain, the firewall (or Virtual System if the firewall is operating in that mode) will select a single agent to gather group data from. By default it will be the first agent configured, but if that agent is not available the firewall will try other agents in the list. To determine the agent being used by the firewall for group membership the > show user pan-agent statistics command can be used. The agent with the * before the word connected is the one being used for all group membership, as seen in the screenshot below:



Best Practices for AD User Agent
1.) Configure well-connected Domain Controllers on the top of the list in the agent and firewall configuration.
2.) Filter the list of groups that is sent to the firewall to include only the groups that will be used in firewall policy. If you want to make sure that all users are tracked, include the group Domain Users.
3.) Only use Domain Global groups in firewall policy when operating in a multi-domain environment. Note that this is not in line with traditional Microsoft AD practice, where Domain Local groups are used to control rights and access.
4.) If some agents are located across slow or heavily impacted links it may be best to configure only the well-connected agents first and run a commit. This will get the initial users and groups on the firewall and ensure that future updates are just deltas.
2. Using LDAP Servers for Enumeration
Operation:
The Palo Alto Networks next-generation firewall can gather user and group information from an LDAP directory without the use of an agent. This method can be used to enumerate Active Directory or any other LDAP environment. The firewall will perform all of the LDAP connections and no agent is required for this function.
The firewall defines a number of LDAP Servers under the User Identification node. Each LDAP Server instance represents a bind to a specific part of an LDAP tree. It will enumerate all of the user and group objects at that point and below. Filters can be defined in this configuration using standard LDAP syntax to limit the users and groups returned. If this method is to be used to enumerate users from Active Directory, there will need to be an LDAP Server configured for each domain. Global Catalogs cannot be used for user and group enumeration across AD domains. Only LDAP objects that use a field to list membership can be used as groups on the firewall. PAN-OS does not support the use of container objects such as Organizational Units (OU) as security principals in firewall policy.
Access credentials to the LDAP tree are specified in an LDAP Authentication server object that is referenced by the LDAP Server object. The Authentication Server object also specifies which directory servers will be contacted, the order they will be contacted in and when the firewall will try the next one on the list.
Configuration of the LDAP Server object requires knowledge of the LDAP structure in use, such as the types of objects used as groups and users. For example, in a standard Active Directory deployment the users are objects (objectclass=User) and are most commonly referred to by either the SAMAccountName (jdoe) or UserPrincipalName (jdoe@corp.local) fields. The groups (objectclass=group) are referred to by the CN field and store a list of users in a members field. This level of information is required to configure the LDAP Server. The following is an example of LDAP server configuration to enumerate users from all Domain Global security groups on an Active Directory domain.

For interoperability between the LDAP server and the AD Agent, a domain can be specified in the server configuration. This domain will be added as a prefix to any user accounts learned by the agent. By synchronizing this value with the NETBIOS name of the AD domain in use, we can map users authenticated by NTLM to users enumerated by LDAP.
Best Practices using LDAP Servers
1.) If the underlying directory is Active Directory, make sure the Domain field of the LDAP Server matches the NETBIOS name of the domain.
2.) Use of an LDAP browser can be extremely helpful if working with a non-generic LDAP deployment.
3.) Use group filters to minimize the number of groups returned. For example (grouptype=*46) will return only Domain Global security groups.



User to IP Mapping
The process of mapping users to IP addresses is the more complex of the two User-ID tasks. PAN-OS 4.0 provides multiple methods to map users to IP addresses. Some methods require specific directory structures to be in place. Some methods require software agents or clients to be installed. If any of the methods map a user to an IP address, that data can be used by the firewall in both policy and reporting. User data is written to all appropriate logs when the logs are generated. The methods mapping users to IP are:
1.) AD User Agent
2.) LDAP User Agent
3.) Captive Portal
4.) Terminal Services Agent
5.) Palo Alto Networks client software (SSL VPN, GlobalProtect)
Each of these is described below.
1. AD User Agent
The AD User Agent performs both the enumeration and mapping tasks. Even though the two processes are separate, the agent cannot be configured to perform only one or the other. In Active Directory environments, the AD Agent is very useful for mapping users and as a result is also commonly used to enumerate users as well. The agent can map users by monitoring events in the security log and by querying endpoints. These mappings can be reconfirmed by monitoring user connections to the domain controller during the course of work. The firewall
Security Log Reading
The AD Agent will connect to each domain controller in its list and monitor the security log. On the initial connection the agent will read the last 50,000 log entries. After the initial connection, the agent will then monitor all new events. The AD Agent looks for any of the following Microsoft event IDs:
On Windows 2003 DCs:
o 672 (Authentication Ticket Granted, which occurs on the logon moment),
o 673 (Service Ticket Granted)
o 674 (Ticket Granted Renewed, which may happen several times during the logon session)

On Windows 2008 DCs:
o 4768 (Authentication Ticket Granted)
o 4769 (Service Ticket Granted)
o 4770 (Ticket Granted Renewed)

These events will contain a user and IP address. The user's domain will be compared to the domain that the agent has been configured to monitor. Users from domains other than the monitored domain will be ignored. Also monitored will be the IP ranges of the users; only Allowed IP ranges (as configured on the AD agent) will be recorded. Once the username-to-IP mapping table is created, the agent will send this data to the firewall. The default timing for checking new log events is every second, but this timer is configurable. Note that these events will only be present in the security log if the AD domain is configured to log successful Account Logon events.
Security log reading is low overhead for the Domain Controller and a highly effective method of mapping users in a Microsoft environment. The mappings will be maintained for a configurable timeout, which is recommended to be set to half the DHCP lease time used in the environment. Client systems in an AD domain using the default configuration will attempt to renew their tickets every 10 hours.
WMI/NetBIOS Probes
Where the log reading is effectively a passive method of user mapping, probing is an active method. On a configurable interval, the AD Agent will send a probe to each learned IP address in its list to verify that the same user is still logged in. The results of the probe can be used to update the record on the agent and then be passed on to the firewall. Each learned IP will be probed once per interval period. Care should be taken to make sure that large environments have a long enough interval for all IPs to be probed. For example, in a network with 6,000 users and an interval of 10 minutes, that would require 10 WMI requests a second from each agent. These probes are queued and processed by the agent as needed.
In addition, when the firewall receives traffic on an interface in a zone with User Identification enabled that is from an IP address that has no user data associated with it, the firewall will send the IP to all the AD agents configured and ask them to probe it to determine the user. This request will be added to the queue along with the known IP addresses waiting to be polled. If the Agent is able to determine the user at the IP based on the probe the information will be sent back to the firewall.
If the WMI or NetBIOS probe fails the IP address will not be probed again until the firewall sees more traffic from it.
NetBIOS probes have no authentication and do not require any specific group membership of the Agent account. A drawback to NetBIOS is that it is not very reliable across larger networks; it is commonly blocked by host-based firewalls and will not work for certain modern operating systems (anything with NetBIOS over TCP disabled).
WMI queries are far more reliable and are secured by either NTLM or Kerberos based authentication. To perform these queries successfully the agent account needs the rights to read the CIMV2 namespace on the client systems. By default only Domain Administrators have this right. The underlying WMI query that is sent can be simulated with the following command, where remotecomputer would be the IP address of the system being probed:

    wmic /node:remotecomputer computersystem get username





Open Server Sessions
Any connections to a file or print service on the Domain Controller will also be read by the agent. If the user/IP combination for the session does not match the combination that the Agent last learned, the mapping will be removed and the user at the IP address will become unknown. The agent will not update user data as a result of information learned from the open server sessions. If the open session confirms the user at the IP address then that mapping will have its lifetime renewed.
In the normal operations of an AD domain, users on Windows systems will connect to the sysvol share on the domain controller to check for new Group Policy Objects. The default timing for this is 90 minutes with a +/- 30 minute offset. For users connected to the network during a regular workday this process will ensure that they remain mapped throughout the day.
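The Security Log Reading, probe-interval and Open Server Sessions behaviour above, as an added example in Python that is not part of the Palo Alto Networks document or the agent's own code: it models the agent's mapping table, accepting only the listed event IDs from the monitored domain and the Allowed IP ranges, aging mappings out at half the DHCP lease, letting an open server session confirm or remove (never add) a mapping, and queueing the login/logout deltas the firewall polls for. Event records, addresses, field names and the DHCP lease value are constructed assumptions.

```python
"""Added example, not part of the Palo Alto Networks document: a small model of
how the AD Agent builds its user-to-IP table from security log events, filters
by monitored domain and Allowed IP ranges, ages mappings out, and uses open
server sessions only to confirm or remove a mapping (never to add one).
Event records, addresses and field names below are constructed assumptions."""
import ipaddress

# Logon-related event IDs the AD Agent watches (listed in the document).
LOGON_EVENT_IDS = {672, 673, 674,        # Windows 2003 DCs
                   4768, 4769, 4770}     # Windows 2008 DCs


class AgentMappingTable:
    def __init__(self, monitored_domain, allowed_ranges, dhcp_lease_seconds):
        self.domain = monitored_domain.upper()
        self.allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
        # Best practice from the document: age-out close to half the DHCP lease.
        self.age_out = dhcp_lease_seconds // 2
        self.table = {}      # ip -> {"user": "DOMAIN\\user", "expires": t}
        self.pending = []    # (action, user, ip) deltas not yet sent to the firewall

    def _allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def observe_event(self, event, now):
        """Apply one security log record; returns True if a mapping was learned."""
        if event["event_id"] not in LOGON_EVENT_IDS:
            return False
        if event["domain"].upper() != self.domain:   # other domains are ignored
            return False
        if not self._allowed(event["ip"]):           # outside the Allowed IP ranges
            return False
        user = f"{self.domain}\\{event['user']}"
        entry = self.table.get(event["ip"])
        if entry is None or entry["user"] != user:
            self.pending.append(("login", user, event["ip"]))
        self.table[event["ip"]] = {"user": user, "expires": now + self.age_out}
        return True

    def observe_server_session(self, user, ip, now):
        """Open file/print session on the DC: confirms or removes, never adds."""
        entry = self.table.get(ip)
        if entry is None:
            return "ignored"
        if entry["user"] != user:
            del self.table[ip]
            self.pending.append(("logout", entry["user"], ip))
            return "removed"
        entry["expires"] = now + self.age_out
        return "renewed"

    def expire(self, now):
        """Drop mappings whose age-out timer has run out; returns the IPs dropped."""
        stale = [ip for ip, e in self.table.items() if e["expires"] <= now]
        for ip in stale:
            self.pending.append(("logout", self.table[ip]["user"], ip))
            del self.table[ip]
        return stale

    def user_for(self, ip):
        entry = self.table.get(ip)
        return entry["user"] if entry else None

    def flush_to_firewall(self):
        """Return and clear the delta the firewall polls for every 2 seconds."""
        delta, self.pending = self.pending, []
        return delta


def probe_rate_per_second(learned_ips, interval_minutes):
    """WMI probes per second an agent must issue to cover every learned IP once
    per interval (the document's case: 6,000 users / 10 minutes = 10 per second)."""
    return learned_ips / (interval_minutes * 60)


# Constructed sample security log records (simplified field names).
SAMPLE_EVENTS = [
    {"event_id": 4768, "domain": "CORP", "user": "jdoe", "ip": "10.1.5.20"},
    {"event_id": 4769, "domain": "OTHER", "user": "eve", "ip": "10.1.5.21"},    # foreign domain
    {"event_id": 4770, "domain": "CORP", "user": "asmith", "ip": "192.0.2.9"},  # not an Allowed range
    {"event_id": 4624, "domain": "CORP", "user": "bob", "ip": "10.1.5.22"},     # ID the agent does not watch
]

if __name__ == "__main__":
    agent = AgentMappingTable("corp", ["10.1.0.0/16"], dhcp_lease_seconds=8 * 3600)
    for ev in SAMPLE_EVENTS:
        agent.observe_event(ev, now=0)
    print(agent.flush_to_firewall())        # [('login', 'CORP\\jdoe', '10.1.5.20')]
    print(agent.observe_server_session("CORP\\jdoe", "10.1.5.20", now=3600))  # renewed
    print(agent.expire(now=18000))          # ['10.1.5.20']
```

The sample run uses an 8-hour DHCP lease, so mappings age out after 4 hours unless a server session renews them; the mismatched-session path removes the mapping without learning the new user, exactly as the Open Server Sessions paragraph describes.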
Agent and Firewall Communication
Settings on the Agent control how often the agent communicates with the Domain Controllers and hosts on the network (for polling). The firewall has specific, non-configurable timers for its communication to the agent.
• 2 seconds: Get list of new IP/user mappings from agent. This is a delta of new mappings only.
• 2 seconds: Send list of unknown IP addresses that were encountered in traffic to the agent.
• 5 seconds: Get agent status. This is a heartbeat used to determine the status of each configured agent.
• 10 minutes: Get group membership changes from agent. This is just the delta of changes since the last check.
• 1 hour: Get full list of IP/user mappings from agent.

Best Practices for AD Agent:
1) Set the age-out timer for the agent to a value close to half the DHCP lease time.
2) Use WMI over NetBIOS if possible.
3) Make sure to plan the interval for probing based on the total number of users in the environment.
2. LDAP User Agent
The LDAP agent provides two very specific functions. One is to access an eDirectory tree and read the logged-in IP for each user. When the user logs into eDirectory, the IP address of the endpoint is stored in the directory as a field in the user object. This serves a similar function as the AD Agent's log scraping and only works with eDirectory.
The second function of the LDAP agent is to receive XML user information from external sources. This information can both add and remove user IP mappings. Some examples of the API are:
1) Visual Basic based login and logout scripts that add and remove the user and all the IP addresses of the end station.
2) Perl based scripts for Mac based systems to register users on login.
3) Modules for NAC appliances that pass on user and IP information to the firewall.
The API passes the data over SSL using a simple XML format as follows:


3. Captive Portal
Captive Portal is an identification method that is not invoked unless there is no user information for HTTP-based traffic that the firewall encounters. If a user has been mapped by one of the other possible methods, captive portal will not be triggered. Captive portal is traditionally used to identify users that have slipped through the other methods or for environments where the other methods are not appropriate. Captive portal will only be triggered by a session that matches the following criteria:
1) There is no user data for the source IP of the session
2) The session is HTTP traffic
3) The session matches a Captive Portal policy on the firewall
When captive portal is triggered the browser session is interrupted by the firewall and user credentials are requested. Once the user is identified they will remain mapped until either an idle or hard timeout is reached. At that point the user mapping is removed and captive portal may be triggered again.
For firewalls deployed in L2 or Virtual Wire mode captive portal must be configured transparently. In this configuration the firewall will spoof the destination address for use in authentication. This can generate certificate errors if the original communication was over SSL. A more flexible method is a redirect captive portal, where the firewall uses an HTTP 302 code to redirect the user to an L3 interface owned by the firewall. When using redirect captive portal a specific SSL certificate can be installed for the portal to mitigate any certificate warnings. In addition, redirect captive portal can use cookies to mark the session. This will allow the session to remain mapped even after the timeouts have expired. Finally, redirect captive portal with cookies can support a user that roams from one IP address to another while keeping the session open. When possible, captive portal should always be deployed in redirect mode.


There are three methods for the firewall to extract user data from the browser:
1.) NTLM Authentication
2.) Web Form Captive Portal
3.) Certificate based Authentication
NTLM Authentication
Microsoft clients can participate in an NTLM challenge and response exchange that consists of 3 messages. The browser will use the credentials of the currently signed-in user. Internet Explorer will do this by default, and Firefox can be configured to do this for specific URIs (in about:config set the network.automatic-ntlm-auth.trusted-uris value to the captive portal URI). This authentication is transparent to the user. The username captured from this method is the NetBIOS name in the form of DOMAIN\USER; it will be mapped to the appropriate user ID if the AD Agent is in use, or if the LDAP Server configured to read the AD domain has the correct value in the domain field. If the browser or operating system does not support NTLM authentication, the firewall will fall back to the next form of Captive Portal. When configuring NTLM based authentication for Captive Portal a hostname must be provided. For NTLM to work, this hostname must not be fully qualified. For example, if the DNS name of the portal is portal1.company.com, and company.com is in the user's search suffix, the correct value for the NTLM host would be portal1.
The following diagram shows NTLM based Captive Portal flow using a redirect. In the case of a transparent mode Captive Portal there would be no steps 2 or 5. Instead the firewall would spoof the destination address and provide the 401 error code as if the target server had sent it.


Web Form Captive Portal
This method displays a web page with fields for username and password. The backend authentication can be RADIUS, LDAP, local database or native Kerberos. While this is the most disruptive user identification method it is also the method that will work with any kind of browser or operating system. As such it is an excellent method of last resort. The following diagram shows web form based Captive Portal flow using a redirect.


Certificate based Authentication
A user certificate can also be used by the captive portal to identify the user. Certificate based auth requires that trusted CA certs are loaded on the firewall and provisioned for user authentication. When the user first encounters captive portal they will be prompted for the certificate to pass on to the server. If no other authentication profiles are configured for the captive portal all further interaction between the browser and the portal should be transparent to the user. This is currently the only way to achieve fully transparent authentication for Linux and Mac clients using captive portal.
Best Practices for Configuring Captive Portal:
1.) Configure captive portal in redirect mode when possible. A single interface can be configured for L3 operations to host the portal for deployments using L2 or virtual wire.
2.) If using RADIUS ensure the proper default domain is configured for users. If no domain is provided during the login the default domain will be assumed.
3.) Kerberos authentication requires less configuration for AD environments than LDAP and should be used in these cases.



4. Terminal Server Agent
The MS Terminal Server agent is a Windows service that is installed on a Microsoft terminal server or Citrix server. The job of this agent is to intermediate the assignment of source ports to the various user processes. This source port information is passed on to the firewall and a user table is created including the username, IP address of the terminal server and source ports of the users. This ensures that each session from the terminal server is correctly mapped to the user that initiated it. No other user mapping features are required for these clients, although enumeration and group mapping still need to take place.
5. Palo Alto Networks client software
If the endpoint is running one of the Palo Alto Networks client software packages, user identification will be provided by that software. There are currently 2 software packages that can run on the endpoint: NetConnect SSL VPN and GlobalProtect. Both of these packages will provide user information to the firewall they are connected to. No other method would be required to map the users to their IP addresses, though there would still need to be something in place to enumerate the users and their group membership.




