By default, security policy in the Palo Alto firewalls supports configuration based on source and destination address, application type, or the port used as part of the default service. This can be extended to support rules based on a user's CalNet ID in some situations.
User-ID
User-ID is the system the Palo Alto Networks equipment uses to connect source IP addresses to user names. It allows firewall policy to be written that grants access only to known users.
How it Works
- A security policy entry that includes a list of users matches on its other requirements first (such as source and destination address and application)
- The VSYS queries the User-ID system with the source network address of the connection
- If User-ID has a username mapped to that source address, the name is returned to the VSYS
- The returned username is compared to the list of users specified in the policy entry and the VSYS takes the appropriate action; if no username is mapped to the source address, the entry does not match
When a policy entry matches other requirements (such as source and destination address and application) and specifies usernames the system will then query the U
Limitations
- User-ID only works for users with an active session on the bSecure remote access service (GlobalProtect); other hosts have no IP-to-user mapping
- User-ID does not work with group membership; each user must be listed individually
- The User field must be filled out manually (usernames cannot be searched)
- The User field only accepts the short CalNet ID (for example, joeuser) and not any other form of user identification
Requesting Access
User-ID is not enabled by default and must be activated on a specific VSYS by the Network Operations group. To request it:
- Connect to the Telecom Catalogue (TelCat)
- Select Data Network Service
- Select bSecure - Departmental Firewall
- Select Existing Firewall for the "Is this for a new or existing firewall service?" question
- In the request field, provide the name of the VSYS and note that you would like User-ID enabled on it
Using User-ID
An administrator starts by configuring a security policy entry that will be used specifically for User-ID. After configuring the other required fields (source and destination, application, etc.), manually enter the list of short CalNet IDs in the Users tab.
(Policy-User-Field.png)
Logging must be enabled on the policy entry (for example, Log at Session End on its Actions tab) so that matches can be verified in the log. Commit your policy and then push it to your VSYS.
Once it is in place, the matched usernames appear in the Source User column of the Traffic log under the Monitor tab; a filter such as ( user.src eq 'joeuser' ) narrows the view to that user's sessions.
(Monitor-Source-User.png)
If you do not see the Source User column, add it by clicking the pulldown next to any existing column header, choosing Columns, and then selecting Source User.
(Monitor-User-Column.png)