By default, security policy on the Palo Alto firewalls matches on source and destination address and on the application or port in use (the default service). In some situations this can be extended to rules based on a user's CalNet ID.
User-ID is enabled on all bSecure VSYS and can be used at any time.
User-ID
The mechanism the Palo Alto Networks equipment uses to map source IP addresses to user names. With it, firewall policy can be written to allow access only to known users.
How it Works
- A security policy rule that includes a list of users first matches on its other criteria (such as source/destination address and service)
- The VSYS queries the User-ID database with the source network address of the connection
- If a username matching the source address exists in the database, it is returned to the VSYS
- The returned username is compared with the list allowed by the policy, and the VSYS takes the appropriate action
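The four steps above, modelled as a small Python program. This is an added example, not bSecure or Palo Alto Networks code: the User-ID table, the rule, the 10.100.0.0/16 stand-in for the UCB-VPN_All networks and the default deny for a non-matching connection are all constructed assumptions; only the berkeley.edu\{calnet ID} naming requirement comes from the page. The example also shows the two failure modes a practitioner runs into: a source address with no mapping (a non-GlobalProtect client) and a mapped user who is not on the rule's list, neither of which produces a matching log entry.

```python
"""Model of the User-ID lookup and policy match described above.

Added example, not bSecure or Palo Alto Networks code. The mappings,
rule and address ranges are constructed for illustration.
"""
import ipaddress
import re

DOMAIN = "berkeley.edu"
# Manually entered users must be written as berkeley.edu\<calnet id>.
USER_RE = re.compile(r"^berkeley\.edu\\[a-z0-9._-]+$", re.IGNORECASE)

# Constructed stand-in for the UCB-VPN_All address set.
VPN_NETWORKS = [ipaddress.ip_network("10.100.0.0/16")]

# Constructed User-ID table. Only connected GlobalProtect users are mapped,
# so an address outside the VPN range never appears here.
USER_ID_DB = {
    "10.100.1.10": "berkeley.edu\\alice",
    "10.100.1.11": "berkeley.edu\\bob",
}


def normalize_user(name):
    """Return name in the required domain\\calnetid form, lower-cased.

    Raises ValueError for a bare CalNet ID, which the rule would never match.
    """
    if not USER_RE.match(name):
        raise ValueError(f"user must be written as {DOMAIN}\\<calnet id>: {name!r}")
    return name.lower()


def lookup_user(src_ip, db=USER_ID_DB):
    """Steps 2 and 3: query the User-ID table with the source address."""
    return db.get(src_ip)


RULE = {
    "name": "allow-calnet-users",
    "source": VPN_NETWORKS,
    "source_user": [normalize_user(u) for u in ["berkeley.edu\\alice"]],
    "action": "allow",
    "log": True,
}


def evaluate(rule, src_ip, default_action="deny"):
    """Steps 1 to 4 for one connection. Returns (action, log_entry).

    A rule that does not match yields default_action (assumed deny here)
    and no log entry, since nothing about the user can be logged.
    """
    ip = ipaddress.ip_address(src_ip)
    # Step 1: the rule's other criteria; only source address is modelled.
    if not any(ip in net for net in rule["source"]):
        return default_action, None
    # Steps 2-3: no mapping means the user criterion cannot match.
    user = lookup_user(src_ip)
    if user is None or user.lower() not in rule["source_user"]:
        return default_action, None
    # Step 4: match. The log entry carries the Source User shown in Monitor.
    entry = None
    if rule["log"]:
        entry = {"rule": rule["name"], "src": src_ip,
                 "src_user": user, "action": rule["action"]}
    return rule["action"], entry


if __name__ == "__main__":
    for ip in ("10.100.1.10", "10.100.1.11", "10.100.1.12", "192.168.1.5"):
        print(ip, evaluate(RULE, ip))
```

Running the script shows only 10.100.1.10 (the mapped, listed user) producing an allow and a log entry; the mapped but unlisted user, the unmapped VPN address and the non-VPN address all fall through with no entry, which is why the log cannot be used to find users who have not yet been configured.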
Limitations
- User-ID only works with active and connected users of the bSecure remote access service (GlobalProtect)
- The User field does not allow searching all users; only users that have been configured in Group Mapping are searchable
- Manually entered users must be specified with the Berkeley domain, in the format berkeley.edu\{calnet ID}
- Firewall policy logs the User-ID name only for rules that match; there is no way to log a User-ID that does not match any policy (you cannot use the log to see who has not been configured)
Note: User-ID now supports group user management through CalGroups. Please see article KB0013715 for more information.
Using User-ID
An administrator starts by creating a security policy rule specifically for User-ID. After configuring the other required fields (source and destination, application, etc.), manually enter the list of CalNet IDs, using the format berkeley.edu\{calnet ID}, in the User section of the Source tab. Commit the policy to Panorama and then push it to the firewall.
Important: You can put any address(es) in the Source Address field, but User-ID is currently provided only by GlobalProtect, so mappings will only exist for sources in the UCB-VPN_All set of networks. We recommend specifying that source address to prevent confusion in the future.
Logging must be enabled on the policy entry for you to verify results in the log. Commit your policy and then push it to your VSYS.
Once it is in place you can see the matched usernames in the Monitor tab for your log entries.
If you do not see the Source User column, you need to add it to your displayed columns. Do this by hovering over one of the columns (Source is used in the example image), selecting the small down arrow, hovering over Columns, and then selecting Source User.