Palo Alto

Plao Alto LDAP Integration (Agentless User-ID)

Active Directory Integration
In earlier Blog Palo Alto to Internet we configure how to Allow users to go to the Internet. Now Active directory allow me to control who can have an access to internet Per User and also monitor exactly whom watching who and this is the configuration

Let’s start by Microsoft Side
lets start by creating a user in the Active Directory for the mapping integration
go to Tools – Active Directory Users and Computers
9
Go to the user container and right click New – User10
i created a user aysar.mohamed@ccieroot.com
11
put the password and since this is an integration user no need to change the password and to never expire
12
Click Finish
13
go to the user settings
14
go to the member tab
the user should be Member of :
(Distribute COM User, Event Log Readers, Server Operation)
15
Add those Group
16
Press OK
17
Second we need to check if the Domain configure to log successful logon
Open Group Policy Management
3
Then select Domains – ccieroot.com – Default Domain Policy – edit
4
go to Computer COnfiguration – Windows Settings – Security Settings – Local Policies – Audit Policy
Select Audit Account logon events
5
Check box Define these Policy settings
Success & Failure
6
Now it’s about time to update the policy
Go to cmd and update the policy using the command (gpupdate)7
then do the WMI Authetication part
go to cmd and input the command (wmimgmt.msc)
18
Right Click and select properties
19
go to Security Tab – Root – CIMV2 and click on Security button
20
click on Add to add the user (aysar.mohamed) that i created earlier
21

22
and give him permission:
Enable Account
Remote Enable
23

Now The Palo Alto Side
1st check the Internal Zone to have User-ID Enabled
90
Second make sure the interface the connect to the LAN have the user-id enabled under the management Interface
go to Network – Interface – Lan Interface – go to Advanced tab
9
Select the management profile and create one that have user-id enabled10
2nd Go to Device – User Identification – Palo Alto Network user-ID Agent Setup – Click on settings button on the corner
in WMI Authentication i will use the username and password i created3
Then Enable the Server Monitoring
5
Optionally if you enable the NTLM is to discover domain you have to enable DNS configuration under
service – DNS – internal primary dns server
Also Enable the Client Probing and press ok
client probing is useful in huge environment because change will reflect on firewall immediately
every 20 minute
6
After That i will add my Active directory Under the server Monitoring
4
Then the Domain Controllers will show with a status of Connected.

First go to Device – Server Profiles – LDAP – add
Base DN: auto generate
Bind DN : (this account must be a member of the built-in Server Operators group in AD)
Also uncheck the box Require SSL/TLS secured connection
1
Then we need to create an Authentication Profile
Login Attribute: sAMAccountName
2
then Select Advanced tab and in the Allow list  select to add (All)3
Like that we done from Active Directory Integration

Now we create our group mappings so we can use these Active Directory groups in our security policies.
navigating to the Group Mapping Settings tab – Add new
5
then go to the group include list tab at the top. as long you see the OU in your AD then it mean you can see everything correctly
6
Just for testing i Add the IT Staff7
Now on our Internet Rule Select under User tab and Add my user or group8
now as you can see under the Monitoring Tab i see my Username when i Access any website9

;D

Note:
Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Network recommends that you do not use this method to obtain User-ID mapping information in a high-security network. If you configure the User-ID agent to obtain mapping information by parsing Active Directory (AD) security event logs or syslog messages, or using the XML API, Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces.

Standard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s