How to Install the Palo Alto Networks User-ID Agent

Before installing User-ID, run through the following checklist:

1. Determine the machine the user-agent will be installed on.
   1. Windows XP, Windows 7, Windows 8 or Windows Server 2003/2008/2012.
   2. Network connectivity to the DCs and to the management port of the firewall.
   3. Be a member of the domain.
2. Determine which user account can be used by the user-agent to query the domain. This account needs the user right to read the security logs on the domain controllers. The domain admins group has this right, but a new group can be created in AD that has this right added to basic user rights.
3. Determine which domain (with corresponding domain controllers) the user-agent will be querying. One user-agent is required for each domain and can handle a maximum of 512k users in a domain.  From PAN-OS 8.1 we support half a million machine mappings as well.  When the limit is reached, the least recently used entry is removed (LRU cache).

Steps

Installing and Configuring the User-ID Agent

1. Select a PC in the domain to install the user-agent software.
2. Download and install the latest version of user-agent from https://support.paloaltonetworks.com
3. Configure the user-agent server to run under a different account than the local system, which is selected by default.  This user account must have access to read security logs and netbios probing of other machines.  To get to the service: admin tools > service > pan agent > log on > switch from local user to this account, then select the user that will be used for this service.
4. Restart PAN agent service.
5. Start user-agent GUI, Start > Programs > Palo Alto Networks > User Identification Agent in the top right corner, then click Configure.
6. Fill in the following information:
   1. Domain name - FQDN of the domain, for example, acme.com.
   2. Port number of your choosing - any port number not currently used on this machine. Make sure the local machine does not have any firewall that is blocking inbound connections to that port.
   3. Domain controllers ip address - add all the DCs in the domain. Users can be authenticated with any DC in the domain, so you can enter up to 10 IP addresses.
   4. Allow list - subnets that contain users to track.
   5. Ignore list - IP address of the terminal server, any other machines that could potentially have multiple users logged in simultaneously.
   6. If netbios is not allowed on the network, disable netbios probing.  For more accurate IP to user mapping support, disable netbios probing.
7. Click OK.
8. You can monitor the agent status window in the top left corner, which should display no errors. Other messages:
   1. Connection failed.
   2. Please start the PAN agent service first.
   3. Reading domain name\enterprise admins membership.
   4. No errors.
   5. To confirm that the server running the user-agent is listening on the port configured in Step 8, run the following command on the PC:

      netstat -an | find "xxxx"

Configuring the firewall to communicate with the User-ID Agent

1. Log into the Palo Alto Networks firewall and go to Device > User Identification.
2. Configure Name, Host (IP address) and Port of the User-ID Agent.
3. Enable user identification on each zone to be monitored.  On the Network > Zone page, edit the appropriate zones. In the bottom left corner of the Zone properties page, check the box to Enable user identification.
4. Commit the changes.
5. To confirm connectivity, run this command via CLI of APN firewall: show pan-agent statistics  which should return state connected, ok.
6. To view currently logged in users, run: debug dataplane show user all

Testing

To make sure everything is working, create a new security rule.  You should be able to select users or groups.

owner: jnguyen