The “almost” complete guide of User-ID
installation and configuration
Alberto Rivai
Contents
1. IP – User Mapping
   a. IP – User Mapping (with UID Agent)
      Create service account, configure account permission and install UID agent
      Configure User-ID agent in the firewall
   b. IP – User Mapping (Agentless)
      Create service account and configure account permission
      Configure UID in the firewall
2. User enumeration
3. IP – User Mapping through User-ID API
   3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
      Lab Diagram
      Installation
      UIDConfig.xml variables description
   3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration
User Identification in PAN-OS 4.1 encompasses two primary functions:
• Mapping of users to their current IP addresses
• Enumeration of users and their associated group membership
1. IP – User Mapping
a. IP - User Mapping ( with UID Agent )
The first section maps users to their current IP addresses. This section uses the UID agent to perform
the function.
Create service account, configure account permission and install UID agent
1. Create a service account (for example Labuid) in the DC.
2. Log in to any computer that is a member of the domain; you do not need to install the UID
agent on the AD server or domain controller.
3. Log in with an account that has local administrator permission.
4. Add Labuid as a member of the local Administrators group.
5. Download the UID agent.
6. Run the command prompt as administrator.

7. Install from the command prompt.

8. By default, the agent will be configured to log in as the user who installed the .msi file. In the
screen shot that follows, you will see that the “Labuid” account that installed the agent is
now the agent service account. Use the “Edit” button on the configuration window to
change the service account to a restricted user account if desired.

9. Allow the agent account to log on to the member server as a service. On the member server
open the “Local Security Policy” mmc.
10. Under “Local Policies” > “User Rights Assignments”, add the service account to the “Log
on as a service” option.

11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators”
built-in security groups in the domain.
12. For Win2K3, the user right “Manage auditing and security log” must be given to that
account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin
Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see
the screen below.
In the right-hand pane, locate the user right “Manage auditing and security log”. Double click that
entry. You will see that only Administrators have that user right.

Click Add User or Group.
Enter the username of the account you just created, and click on Check Names to confirm that
account exists. The account name will become underlined.
13. Make sure that the service is running in Services window.

14. To check if you have configured the UID agent correctly, go to Start -> Palo Alto Networks ->
User-ID Agent and open the UID agent GUI, go to Discovery Tab, you will see the Domain
Controller listed.

15. To check if the UID agent successfully reads the event viewer and discovers the username go
to Monitoring tab.
16. The next step is to add the UID agent in the firewall.
Configure User-ID agent in the firewall
17. Log in to the firewall.
18. Go to the Device tab.
19. Then the User Identification node; click the User-ID Agents sub-tab.

20. Click Add, then enter the name, IP address and port (default 5007). Click OK, then
commit.

21. You will see the green button when the UID agent has successfully connected to the firewall.
22. To verify that the firewall receives the User-IP mapping, ssh to the firewall and execute the
command below:
admin@PA-200> show user ip-user-mapping all

b. IP – User Mapping (Agentless)
The IP – User Mapping function that was performed by the User-ID agent can be replaced by
agentless User-ID. Agentless User-ID allows the server monitoring to run from the PAN device itself.
The login that works for the User-ID agent most likely will not work for agentless mode, because
additional permissions are needed.
Create service account and configure account permission
1. Create the service account in AD. This is utilized on the device. Be sure the user is part of the
Distributed COM Users, Server Operators and Event Log Readers groups.
2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD
server the device connects to.
3. Run wmimgmt.msc (on the domain controller server) from the command prompt to open the console
and select Properties as shown below.
4. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this
folder and click the Security button. Add the service account from step 1. In this case, it's
panrunner@nike.local. For this account, check both Enable Account and Remote Enable.
5. After you’ve completed the permission setting for the UID account, you need to set up the UID
configuration in the firewall.

Configure UID in the firewall
6. Log in to the firewall GUI.
7. Go to the Device tab -> User Identification and select the User Mapping sub-tab.
8. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
9. Click Edit on the Palo Alto Networks User-ID Agent Setup.
10. Be sure to configure the username in domain\username format under the WMI Authentication tab,
along with valid credentials for that user.
11. Enable the Server Monitor options (enable security log / enable session) accordingly.
12. Client probing is enabled by default, so disable it if desired.
13. Click Commit.
14. Confirm connectivity via the GUI and/or CLI as shown below.
15. Confirm ip-user-mapping is working as shown below.
2. User enumeration
The second section configures enumeration of users and their associated group membership.
Before a security policy can be written for groups of users, the relationships between the users and
the groups they are members of must be established. This information is retrieved from an LDAP
directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory
and search for group objects. Each group object contains a list of user objects that are members.
This list is evaluated and becomes the list of users and groups available in security policy and
authentication profiles. The only method of retrieving this data is through LDAP queries from the
firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology
requires that.
1. Log in to the firewall through the GUI
2. Go to the Device tab, then Server Profile -> LDAP, then click Add

3. List the directory servers that you want the firewall to use in the server list. You need to
provide at least one server; two or more are recommended for failover purposes. The
standard LDAP port for this configuration is 389.
4. Enter the name of the domain in the “Domain” field. The domain name should be a
NetBIOS name.
5. Select a directory “Type”. Based on the selected directory type, the firewall can populate
default values for attributes and objectclasses used for user and group objects in the
directory server.
6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active
Directory Domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you
want to leverage an Active Directory Global Catalog.
7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an
Active Directory environment, a valid username for this entry could be the “User
Principal Name”, e.g. “administrator@acme.local”, or the user's distinguished name,
e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
8. Enter and confirm the authentication password for the user account that you entered
above.

9. In case you have difficulties identifying your directory base DN, you can simply follow
these steps:
a. Open the Active Directory Users and Groups management console on your
domain controller.
b. Select “Advanced features” in the “View” menu of the management console.
c. Select the top of your domain object and select “Properties”.
d. Navigate to the “Attribute Editor” in the properties window and scroll to the
“distinguishedName” attribute.
e. Copy the content of this attribute into the LDAP Server configuration “Base”
field in the firewall management UI.

Group Mapping Settings
After the LDAP server has been configured, you need to configure how groups and users are
retrieved from the directory and which user groups are to be included in policies.
To create a new group mapping entry, navigate to the “Device > User Identification”
menu and create a new entry under the “Group Mapping Settings” tab.
In this configuration, you specify which LDAP server profile is going to be used to identify users
and groups.
• Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section
from the drop-down list under “Server Profile”.
All LDAP attributes and ObjectClasses will be pre-populated based on the directory server type
you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to
modify any of these attributes. Refer to the Palo Alto Networks Administrator’s Guide for
customization of these attributes.

The default update interval for changes in user groups is 3600 seconds (1 hour). You can
customize this value to a shorter period if needed.
Go to the Group Include List tab; leave this blank if you want to include ALL groups, or select the
groups that you want to be mapped.

3. IP – User Mapping through User-ID API
3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
Pre-requisites
- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks UID Agent
- Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
- At least 1 Windows server running IAS/NPS
- The server running the Palo Alto User-ID Agent must have IP connectivity
- The Palo Alto User-ID Agent must have the User-ID XML API enabled
- As a convention, the script should be stored in a DFS share for replication purposes, i.e.
\\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
- The User-ID timeout set in the Palo Alto User-ID Agent must be less than the session
timeout on the wireless controller
- The task must be configured to run under the designated sync account for the content filter at
the sites
- That account must be granted "log on as a service" and "log on as a batch job" rights, in addition to
full permission to read, write and modify the installation directory of the Palo Alto User-ID
Agent, and must additionally be a member of the "DHCP Users" built-in group in Active
Directory
- The ignore_user_list and UIDConfig.xml must be present in the installation directory of
the Palo Alto User-ID Agent, and customised to the site's configuration as per the
samples in the repository
- The scheduled task should be configured to queue a new instance should the task be
running when a new instance is called, and modified to fit the template provided in the
repository

This integration script was provided and developed by the team at Catholic Education SA, mainly
Gareth Hill. Their documentation is at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script
The CESA UID RADIUS script is a means of enumerating 802.1x authorised users to the Palo Alto Networks User-ID Agent such that the appropriate filtering policies are applied automatically,
allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.

Lab Diagram

Installation
The steps below apply to the sample diagram above. Change the variables according
to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
1. Copy the file UIDRADIUSScript.vbs (attached) to C:\Windows\SYSVOL\domain\scripts (note
that this can be changed to any location).

2. Copy the file UIDConfig.xml (attached) to C:\Program Files (x86)\Palo Alto Networks\User-ID
Agent.

3. Create a scheduled task to trigger on Windows Event 6272:
Click on Properties.
Check "Run with Highest Privileges".
Change to "Queue a new instance".
Right-click on the event and click "Export task to XML".

Edit the task's XML to reflect the example file User-id.xml (attached). Importantly, the Triggers and
the Exec sections:

Triggers section
<Triggers>
  <EventTrigger>
    <Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <ValueQueries>
      <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
      <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
    </ValueQueries>
  </EventTrigger>
</Triggers>

Exec section
<Exec>
  <Command>C:\Windows\System32\cscript.exe</Command>
  <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
</Exec>

Then delete the original task and import the modified XML.

Type in your username and password.
Enable the task.

Test by authenticating a user through 802.1x; you should then see the 802.1x authenticated user appear
in the User-ID agent Monitoring tab.
UIDConfig.xml variables description
<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>
  <LogFormat>DHCP</LogFormat>
  <AgentServer>192.168.6.3</AgentServer>
  <AgentPort>5008</AgentPort>
  <Debug>1</Debug>
  <DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>

domain - the domain of the site in question
LogFormat - the log format; valid values are NPS, IAS and DHCP, for the various methods of
processing this information. In this example we’re using DHCP.
AgentServer - the server the UID agent is installed on
AgentPort - the port the User-ID XML API is listening on
Debug - a debug flag (not implemented yet)
DHCPServer - the DHCP server at the site in question, used to do remote queries if there are 2 NPS
servers at a site
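The flow that the scheduled task and UIDConfig.xml above drive, as an added Python example that is not the CESA UIDRADIUSScript.vbs and not Palo Alto Networks code: it parses UIDConfig.xml, normalises the Calling-Station-Id from a 6272 event, resolves it to an IP through a DHCP lease lookup, applies ignore_user_list and builds the User-ID XML API login message. The lease table, the ignore list entries and the wildcard matching are assumptions; delivery to AgentServer:AgentPort is not shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the page's sample UIDConfig.xml (same elements).
UIDCONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>
  <LogFormat>DHCP</LogFormat>
  <AgentServer>192.168.6.3</AgentServer>
  <AgentPort>5008</AgentPort>
  <Debug>1</Debug>
  <DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>
"""

VALID_LOG_FORMATS = {"NPS", "IAS", "DHCP"}  # the values the page lists

# Constructed DHCP lease table (MAC -> IP) standing in for a query to <DHCPServer>.
SAMPLE_LEASES = {
    "001122334455": "192.168.6.50",
    "aabbccddeeff": "192.168.6.51",
}

# Constructed ignore_user_list; assumed format: one name per entry, '*' as wildcard.
SAMPLE_IGNORE_USER_LIST = ["svc-wlan", "host/*"]


def parse_uidconfig(text):
    """Parse UIDConfig.xml and validate the values described on the page."""
    root = ET.fromstring(text)
    if root.tag != "user-id-script-config":
        raise ValueError("unexpected root element %r" % root.tag)
    cfg = {child.tag: (child.text or "").strip() for child in root}
    for key in ("domain", "LogFormat", "AgentServer", "AgentPort"):
        if not cfg.get(key):
            raise ValueError("UIDConfig.xml is missing <%s>" % key)
    if cfg["LogFormat"] not in VALID_LOG_FORMATS:
        raise ValueError("LogFormat must be one of %s" % sorted(VALID_LOG_FORMATS))
    port = int(cfg["AgentPort"])
    if not 1 <= port <= 65535:
        raise ValueError("AgentPort %d out of range" % port)
    cfg["AgentPort"] = port
    return cfg


def normalise_mac(calling_station_id):
    """Calling-Station-Id is vendor formatted (00-11-22-33-44-55, 00:11:22:33:44:55,
    0011.2233.4455); reduce it to 12 lowercase hex digits for the lease lookup."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits


def is_ignored(username, ignore_list):
    """Match ignore_user_list entries case-insensitively, '*' matching anything."""
    for pattern in ignore_list:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, username, re.IGNORECASE):
            return True
    return False


def build_login_message(domain, username, ip):
    """Build the User-ID XML API 'login' update that the agent accepts on AgentPort."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    ET.SubElement(login, "entry", name="%s\\%s" % (domain, username), ip=ip)
    return ET.tostring(msg, encoding="unicode")


def handle_event_6272(subject_user_name, calling_station_id, cfg,
                      leases=SAMPLE_LEASES, ignore_list=SAMPLE_IGNORE_USER_LIST):
    """Return the uid-message for one Event 6272, or None when nothing should be sent.
    NPS may log the user as DOMAIN\\user or user@realm; reduce it to the bare name so
    the mapping is keyed on <domain>\\user, the format the page uses for User-ID."""
    user = subject_user_name.split("\\")[-1].split("@")[0]
    if not user or is_ignored(user, ignore_list):
        return None  # machine and service accounts must not create mappings
    ip = leases.get(normalise_mac(calling_station_id))
    if ip is None:
        return None  # authenticated but no lease yet: nothing to map
    return build_login_message(cfg["domain"], user, ip)


if __name__ == "__main__":
    config = parse_uidconfig(UIDCONFIG_XML)
    print(handle_event_6272("LAB\\alice", "00-11-22-33-44-55", config))
```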

3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration (work in progress)

Pre-requisites
- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks PAN-OS 5.0
- Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (agentless branch)
- At least 1 Windows server running IAS/NPS
- The Palo Alto Networks firewall must run PAN-OS 5.0
- As a convention, the script should be stored in a DFS share for replication purposes, i.e.
\\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
Revision History
Date           Revision   Comment
12 April 2013  1.0        Draft

References
- https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
- https://live.paloaltonetworks.com/docs/DOC-3664
- https://live.paloaltonetworks.com/docs/DOC-3120
- https://live.paloaltonetworks.com/docs/DOC-1807

Microsoft identity platform and device authorization flow to use azure servic...
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
Java EE Services
Java EE ServicesJava EE Services
Java EE Services
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
Buzzient oracle crmod_integration
Buzzient oracle crmod_integrationBuzzient oracle crmod_integration
Buzzient oracle crmod_integration
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
 
Ddns management system user's manual v1.0 20120301
Ddns management system user's manual v1.0 20120301Ddns management system user's manual v1.0 20120301
Ddns management system user's manual v1.0 20120301
 
Merged document
Merged documentMerged document
Merged document
 
Standard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet DeploymentStandard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet Deployment
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
 
Setting up an odi agent
Setting up an odi agentSetting up an odi agent
Setting up an odi agent
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
PPT_CC.pptx
PPT_CC.pptxPPT_CC.pptx
PPT_CC.pptx
 
Amigopod+cp+customisation v1.0
Amigopod+cp+customisation v1.0Amigopod+cp+customisation v1.0
Amigopod+cp+customisation v1.0
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
Obiee 11g security creating users groups and catalog permissions
Obiee 11g security  creating users groups and catalog permissionsObiee 11g security  creating users groups and catalog permissions
Obiee 11g security creating users groups and catalog permissions
 
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
Sage CRM 7.2 Patch Release Notes (Patch E June 2014)
 
Visual connect
Visual connectVisual connect
Visual connect
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
The Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud ComputingThe Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud Computing
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Último (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

User id installation and configuration

  • 1. The “almost” complete guide of User-ID installation and configuration Alberto Rivai
  • 3. User Identification in PAN-OS 4.1 encompasses two primary functions:
    • Mapping of users to their current IP addresses
    • Enumeration of users and their associated group membership
    1. IP – User Mapping
    a. IP - User Mapping ( with UID Agent )
    The first section maps users to their current IP addresses. This section uses the UID agent to perform that function.
    Create service account, configure account permission and install UID agent
    1. Create a service account (for example, Labuid) in the DC.
    2. Log in to any computer that is a member of the domain; you do not need to install the UID agent on the AD server or domain controller.
    3. Log in with an account that has local administrator permission.
    4. Add Labuid as a member of the local Administrators group.
    5. Download the UID agent.
    6. Run the command prompt as administrator.
    7. Install from the command prompt.
    8. By default, the agent will be configured to log in as the user who installed the .msi file. In the screenshot that follows, you will see that the “Labuid” account that installed the agent is now the agent service account. Use the “Edit” button on the configuration window to change the service account to a restricted user account if desired.
  • 4. 9. Allow the agent account to log on to the member server as a service. On the member server, open the “Local Security Policy” MMC.
    10. Under “Local Policies” > “User Rights Assignment”, add the service account to the “Log on as a service” right.
    11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators” built-in security groups in the domain.
    12. For Win2K3, the user right “Manage auditing and security log” must be given to that account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.
  • 5. In the right-hand pane, locate the user right “Manage auditing and security log”. Double-click that entry. You will see that only Administrators have that user right. Click Add User or Group. Enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.
  • 6. 13. Make sure that the service is running in the Services window.
    14. To check that you have configured the UID agent correctly, go to Start -> Palo Alto Networks -> User-ID Agent to open the UID agent GUI, then go to the Discovery tab; you will see the domain controller listed.
    15. To check that the UID agent successfully reads the event log and discovers the username, go to the Monitoring tab.
  • 7. 16. The next step is adding the UID agent in the firewall.
    Configure User-ID agent in the firewall
    17. Log in to the firewall.
    18. Go to the Device tab.
    19. Under the User Identification node, click the User-ID Agents sub-tab.
    20. Click Add, then enter the name, IP address and port (default 5007). Click OK, then Commit.
    21. You will see the green indicator when the UID agent has successfully connected to the firewall.
  • 8. 22. To verify that the firewall receives the User-IP mapping, SSH to the firewall and execute the command below:
    admin@PA-200> show user ip-user-mapping all
    b. IP – User Mapping ( Agentless )
    The IP – User Mapping function that was performed by the User-ID agent can be replaced by agentless User-ID, which allows the server monitoring to be run from the PAN device itself. The service account that works for the User-ID agent will most likely not work for agentless User-ID, because additional permissions are needed.
    Create service account and configure account permission
    1. Create the service account in AD. This account is used by the device. Be sure the user is a member of the Distributed COM Users, Server Operators and Event Log Readers groups.
  • 9. 2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD server the device connects to. Run wmimgmt.msc (on the domain controller) from the command prompt to open the console and select Properties as shown below.
    3. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this folder and click the Security button.
    4. Add the service account from step 1. In this case, it's panrunner@nike.local. For this account, check both Enable Account and Remote Enable.
  • 10. 5. After you’ve completed the permission settings for the UID account, you need to set up the UID configuration in the firewall.
    Configure UID in the firewall
    6. Log in to the firewall GUI.
    7. Go to the Device tab -> User Identification and select the User Mapping sub-tab.
    8. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
  • 11. 9. Click Edit on the Palo Alto Networks User-ID Agent Setup.
    10. Be sure to use the domain\username format for the username under the WMI Authentication tab, along with valid credentials for that user.
    11. Enable the Server Monitor options (enable security log / enable session) as appropriate.
    12. Client probing is enabled by default, so disable it if desired.
    13. Click Commit.
    14. Confirm connectivity via the GUI and/or CLI as shown below.
  • 12. 15. Confirm that ip-user-mapping is working as shown below.
  • 13. 2. User enumeration
    The second section configures enumeration of users and their associated group membership. Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object will contain a list of user objects that are members. This list will be evaluated and will become the list of users and groups available in security policy and authentication profiles. The only method of retrieving this data is through LDAP queries from the firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology requires it.
    1. Log in to the firewall through the GUI.
    2. Go to the Device tab, then Server Profile -> LDAP, then click Add.
    3. List the directory servers that you want the firewall to use in the server list. You need to provide at least one server; two or more are recommended for failover purposes. The standard LDAP port for this configuration is 389.
    4. Enter the name of the domain in the “Domain” field. The domain name should be a NetBIOS name.
    5. Select a directory “Type”. Based on the selected directory type, the firewall can populate default values for the attributes and objectClasses used for user and group objects in the directory server.
    6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active Directory domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you want to leverage an Active Directory Global Catalog.
    7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an Active Directory environment, a valid username for this entry could be the “User Principal Name”, e.g. “administrator@acme.local”, but also the user's distinguished name, e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
    8. Enter and confirm the authentication password for the user account that you entered above.
    9. If you have difficulty identifying your directory base DN, you can follow these steps:
  • 14. a. Open the Active Directory Users and Groups management console on your domain controller.
    b. Select “Advanced Features” in the “View” menu of the management console.
    c. Select the top of your domain object and select “Properties”.
    d. Navigate to the “Attribute Editor” in the properties window and scroll to the “distinguishedName” attribute.
    e. Copy the content of this attribute into the “Base” field of the LDAP Server configuration in the firewall management UI.
    Group Mapping Settings
    After the LDAP server has been configured, you need to configure how groups and users are retrieved from the directory and which user groups are to be included in policies. To create a new group mapping entry, navigate to the “Device > User Identification” menu and create a new entry under the “Group Mapping Settings” tab. In this configuration, you specify which LDAP server profile is going to be used to identify users and groups.
    • Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section from the drop-down list under “Server Profile”. All LDAP attributes and objectClasses will be pre-populated based on the directory server type you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for customization of these attributes. The default update interval for changes in user groups is 3600 seconds (1 hour). You can customize this value to a shorter period if needed.
  • 15. Go to the Group Include List tab; leave this blank if you want to include ALL groups, or select the groups that you want to be mapped.
    3. IP – User Mapping through User-ID API
    3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
    Pre-requisites
    - Microsoft 2008 Server 64-bit, Microsoft NPS, Microsoft DHCP server, Palo Alto Networks UID Agent
    - Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
    - At least 1 Windows server running IAS/NPS
    - The server running the Palo Alto User-ID Agent must have IP connectivity
    - The Palo Alto User-ID Agent must have the User-ID XML API enabled
    - As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
    - The script needs to be configured to trigger on Windows Event 6272
    - The User-ID timeout set in the Palo Alto User-ID Agent must be less than the session timeout on the wireless controller
  • 16. - The task must be configured to run under the designated sync account for the content filter at the sites
    - That account must be granted the log on as a service and log on as a batch job rights, in addition to full permissions to read, write and modify the installation directory of the Palo Alto User-ID Agent, and must additionally be a member of the "DHCP Users" built-in group in Active Directory
    - The ignore_user_list and UIDConfig.xml must be present in the installation directory of the Palo Alto User-ID Agent, and customised to the site's configuration as per the samples in this repository
    - The scheduled task should be configured to queue new instances should the task be running when a new instance is called, and modified to fit the template provided in this repository
    This integration script was provided and developed by the guys from Catholic Education SA, mainly Gareth Hill. Their link can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script
    The CESA UID RADIUS script is a means of enumerating 802.1X-authorised users to the Palo Alto Networks User-ID Agent such that the appropriate filtering policies are applied automatically, allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.
    Lab Diagram
    Installation
    The steps below are to be used for the sample diagram above. Please change the variables according to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
    1. Copy the file UIDRADIUSScript.vbs to C:\Windows\SYSVOL\domain\scripts (note that this can be changed to any location).
  • 17. 2. Copy the file UIDConfig.xml to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent.
    3. Create a scheduled task to trigger on Windows Event 6272.
  • 19. Click on Properties and check Run with Highest Privileges.
  • 21. Change to Queue a new instance.
  • 22. Right-click on the task and click Export task to XML. Edit the task's XML to reflect the example XML file below (User-id.xml); the Triggers and Exec sections are the important parts.
    Triggers section
    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
        <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        <ValueQueries>
          <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
          <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
        </ValueQueries>
      </EventTrigger>
    </Triggers>
    Exec section
    <Exec>
      <Command>C:\Windows\System32\cscript.exe</Command>
      <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
    </Exec>
    Then delete the original task and import the modified XML. Type in your username and password.
  • 24. Enable the task. Test by authenticating a user through 802.1X; you should then see the 802.1X-authenticated user appear in the User-ID agent Monitoring tab.
    UIDConfig.xml variables description
    <?xml version="1.0" encoding="UTF-8"?>
    <user-id-script-config>
      <domain>LAB</domain> - the domain of the site in question
      <LogFormat>DHCP</LogFormat> - the log format; valid values are NPS, IAS and DHCP, for the various methods of processing this information. In this example we’re using DHCP
      <AgentServer>192.168.6.3</AgentServer> - the server the UID agent is installed on
      <AgentPort>5008</AgentPort> - the port the User-ID XML API is listening on
      <Debug>1</Debug> - a debug flag (not implemented yet)
      <DHCPServer>main.lab.com</DHCPServer> - the DHCP server at the site in question, used to do remote queries if there are 2 NPS servers at a site
    </user-id-script-config>
    3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration ( Work in progress )
    Pre-requisites
    - Microsoft 2008 Server 64-bit, Microsoft NPS, Microsoft DHCP server, Palo Alto Networks PAN-OS 5.0
    - Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (agentless branch)
    - At least 1 Windows server running IAS/NPS
    - The Palo Alto Networks firewall must run PAN-OS 5.0
    - As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
    - The script needs to be configured to trigger on Windows Event 6272
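As an added worked example (not the CESA script and not Palo Alto Networks code), the Python below shows what a task triggered by event 6272 has to do with the two values the trigger hands it: read UIDConfig.xml, normalise the CallingStationID MAC, resolve it to an IP from the DHCP lease table, drop accounts on the ignore_user_list, and build the User-ID XML API "login" update for the agent in section 3.1 (the agentless variant in 3.2 posts the same uid-message to the firewall's XML API instead). The config values, lease table and ignore list are constructed samples; the per-entry timeout is the User-ID timeout that the prerequisites say must stay below the wireless controller's session timeout.

```python
"""Added worked example: build the User-ID XML API update that a task
triggered by NPS event 6272 would send to the User-ID agent."""
import re
import xml.etree.ElementTree as ET

# Constructed UIDConfig.xml using the sample values from the guide.
SAMPLE_UIDCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>
  <LogFormat>DHCP</LogFormat>
  <AgentServer>192.168.6.3</AgentServer>
  <AgentPort>5008</AgentPort>
  <Debug>1</Debug>
  <DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>"""

# Constructed DHCP lease table (MAC -> IP) standing in for a query against DHCPServer.
SAMPLE_LEASES = {
    "00:11:22:33:44:55": "192.168.6.50",
    "aa:bb:cc:dd:ee:ff": "192.168.6.51",
}

# Constructed ignore_user_list: service and machine accounts must never produce
# a mapping, otherwise a host would inherit that account's policy.
SAMPLE_IGNORE = {"svc-nps", "lab-pc01$"}


def load_uid_config(xml_text):
    """Parse UIDConfig.xml into a dict and insist on the keys the script needs."""
    root = ET.fromstring(xml_text)
    if root.tag != "user-id-script-config":
        raise ValueError("not a UIDConfig.xml document")
    cfg = {child.tag: (child.text or "").strip() for child in root}
    for key in ("domain", "LogFormat", "AgentServer", "AgentPort"):
        if not cfg.get(key):
            raise ValueError("UIDConfig.xml is missing <%s>" % key)
    if cfg["LogFormat"] not in ("NPS", "IAS", "DHCP"):
        raise ValueError("unsupported LogFormat %r" % cfg["LogFormat"])
    cfg["AgentPort"] = int(cfg["AgentPort"])
    return cfg


def normalize_mac(calling_station_id):
    """NPS logs CallingStationID as '00-11-22-33-44-55', '0011.2233.4455' or
    '001122334455' depending on the NAS; the lease table needs one canonical form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_user(domain, subject_user_name):
    """Return the DOMAIN\\user form the firewall matches on, accepting a bare
    sAMAccountName, a DOMAIN\\user prefix or a user@realm UPN from the event."""
    user = subject_user_name.strip()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    elif "@" in user:
        user = user.split("@", 1)[0]
    if not user:
        raise ValueError("empty SubjectUserName")
    return "%s\\%s" % (domain, user)


def build_login_message(cfg, subject_user_name, calling_station_id,
                        leases, ignore_users, timeout_minutes=20):
    """Resolve the client's MAC to its leased IP and wrap the user/IP pair in a
    User-ID XML API 'login' update. Returns None when nothing should be sent:
    the account is on the ignore list, or DHCP holds no lease for that MAC."""
    user = normalize_user(cfg["domain"], subject_user_name)
    if user.split("\\", 1)[1].lower() in {u.lower() for u in ignore_users}:
        return None
    ip = leases.get(normalize_mac(calling_station_id))
    if ip is None:
        return None
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    # timeout is per entry, in minutes; keep it below the controller's session timeout.
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    cfg = load_uid_config(SAMPLE_UIDCONFIG)
    # The two values the scheduled task passes: "$(SubjectUserName)" $(CallingStationID)
    for user, mac in (("jdoe", "00-11-22-33-44-55"), ("LAB\\svc-nps", "00-11-22-33-44-55"),
                      ("alice@lab.com", "AABB.CCDD.EEFF"), ("bob", "FF-FF-FF-FF-FF-FF")):
        print(user, mac, "->", build_login_message(cfg, user, mac, SAMPLE_LEASES, SAMPLE_IGNORE))
```

Delivering the document to AgentServer:AgentPort is left out; the CESA script handles that part against the agent's XML API.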
  • 25. Revision History
    Date: 12 April 2013 | Revision: 1.0 | Comment: Draft
    References
    https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
    https://live.paloaltonetworks.com/docs/DOC-3664
    https://live.paloaltonetworks.com/docs/DOC-3120
    https://live.paloaltonetworks.com/docs/DOC-1807