By default, security policy on the Palo Alto firewalls is based on source and destination address and on the application or port used as the service. In some situations this can be extended to rules based on a user's CalNet ID.
User-ID
The system used by the Palo Alto Networks equipment to connect source IP addresses to user names. This allows firewall policy to be written that grants access only to known users.
How it Works
- Security policy including a list of users matches other requirements (such as source/destination address and service)
- The VSYS queries the User-ID database with the source network address of the connection
- If there is a username matching the source address in the database the name is returned to the VSYS
- The username returned is compared to the allowed list specified in the policy and the VSYS takes the appropriate action
Limitations
- User-ID only works with active users of the bSecure remote access service (GlobalProtect)
- User-ID does not currently work with group membership
- The User field must be filled out manually (usernames cannot be searched)
- Firewall policy logs the User-ID name only for rules that match; there is no way to log a User-ID that does not match any policy, so you cannot use the log to see who has not yet been configured
- Each user must be entered twice in the User field, once as the short CalNet ID and once preceded by the berkeley.edu\ prefix:
{calnet ID}
berkeley.edu\{calnet ID}
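The following is an added illustration of the lookup and matching steps under "How it Works", together with the two-entries-per-user requirement. It is a simplified model written for this page, not Palo Alto Networks code; the names PolicyRule, USER_ID_DB, expand_users and evaluate are this example's own, the IP-to-user mappings are constructed, and the example assumes that the rule's other criteria (address, service) have already matched.

```python
# Simplified model of User-ID policy evaluation (added example, not PAN-OS code).
from dataclasses import dataclass

DOMAIN = "berkeley.edu"

# Constructed User-ID database. Only users with an active GlobalProtect
# session have an IP -> username mapping, matching the limitation above.
# Which of the two name forms a mapping carries is an assumption of this
# example; it is the reason the page asks for both entries in the rule.
USER_ID_DB = {
    "10.1.2.3": "berkeley.edu\\alice",
    "10.1.2.4": "bob",
}


@dataclass
class PolicyRule:
    name: str
    source_user: set  # entries exactly as typed in the Users tab
    action: str = "allow"
    log: bool = True


def expand_users(calnet_ids):
    """Return the two entries the page requires per user: short ID and prefixed ID."""
    entries = []
    for cid in calnet_ids:
        entries.append(cid)
        entries.append(f"{DOMAIN}\\{cid}")
    return entries


def lookup_user(src_ip):
    """Steps 2-3: the VSYS queries the User-ID database with the source address."""
    return USER_ID_DB.get(src_ip)


def evaluate(rule, src_ip):
    """Step 4: compare the returned username against the rule's allowed list.

    Returns (action, logged_user). A connection whose source has no mapping,
    or whose mapped name is not in the list, does not match the rule and
    produces no log entry for it, as described under Limitations.
    """
    user = lookup_user(src_ip)
    if user is None or user not in rule.source_user:
        return ("no-match", None)
    return (rule.action, user if rule.log else None)


if __name__ == "__main__":
    rule = PolicyRule("allow-alice-bob", set(expand_users(["alice", "bob"])))
    for ip in ("10.1.2.3", "10.1.2.4", "10.9.9.9"):
        print(ip, evaluate(rule, ip))
    # A rule that lists only the short form misses a mapping in prefixed form.
    short_only = PolicyRule("short-only", {"alice"})
    print("short-only rule, 10.1.2.3:", evaluate(short_only, "10.1.2.3"))
```

The last case in the usage block shows why both entries are needed: a rule holding only the short CalNet ID fails to match a session whose mapping carries the prefixed form, and because non-matching connections are not logged under that rule, the omission would be invisible in the Monitor tab.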
Requesting Access
User-ID is not enabled by default and must be configured by the Network Operations group to activate the feature on a specific VSYS.
- Connect to the Telecom Catalogue (TelCat)
- Select Data Network Service
- Select bSecure - Departmental Firewall
- Select Existing Firewall for the Is this for a new or existing firewall service? question
- In the request field provide the name of the VSYS and note that you would like it enabled for User-ID
Using User-ID
An administrator starts by configuring a security policy that will be used specifically for User-ID. After configuring the other required fields (source and destination, application, etc.), manually enter the list of CalNet IDs in the Users tab, each in both formats. Commit the policy to Panorama and then push it to the firewall.
Please note that the example image contains only a single entry for each name. Users must now be entered in the two formats described above.
Logging must be enabled on the policy entry for you to verify results in the log. Commit your policy and then push it to your VSYS.
Once it is in place you can see the matched usernames in the Monitor tab for your log entries.
If you do not see the Source User column, configure the display to show it by clicking the pull-down next to any existing column, choosing Columns, and then selecting Source User.