Configure User-ID to Monitor Syslog Senders for User Mapping

Obtaining and maintaining up-to-date User-ID mappings from reliable sources is critical to deploying and enforcing a comprehensive Security policy. To obtain IP address-to-username mappings from the existing network services that authenticate your users, you can configure the PAN-OS integrated User-ID agent or the Windows-based User-ID agent to parse syslog messages from those authentication services. To keep your user mappings up to date, you can also configure the User-ID agent to parse syslog messages for logout events so that the firewall automatically deletes outdated mappings. Using syslog senders as sources for User-ID mappings also gives you more deployment options.
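The login and logout handling described above can be modeled in a few lines. This is an added example, not Palo Alto Networks code or PAN-OS configuration; the message format, the regular expressions, the sample lines, and the function names are all assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical message format for an authentication service (an assumption for
# this example). Real senders differ, so patterns must match your own logs.
LOGIN_RE = re.compile(r"login success user=(?P<user>\S+) src=(?P<ip>\S+)")
LOGOUT_RE = re.compile(r"logout user=(?P<user>\S+) src=(?P<ip>\S+)")

# Constructed sample messages, not captured from a real device.
SAMPLE_LINES = [
    "<14>Mar 04 10:15:01 auth01 authd: login success user=jdoe src=10.1.20.15",
    "<14>Mar 04 10:16:40 auth01 authd: login success user=asmith src=10.1.20.22",
    "<14>Mar 04 10:20:05 auth01 authd: heartbeat ok",
    "<14>Mar 04 11:02:13 auth01 authd: logout user=jdoe src=10.1.20.15",
    "<14>Mar 04 11:05:00 auth01 authd: login success user=bwong src=10.1.20.15",
    "<14>Mar 04 11:30:00 auth01 authd: logout user=jdoe src=10.1.20.15",
]

def _parse(match):
    """Return (ip, user) from a regex match, or None if the IP is not valid."""
    try:
        ip = str(ipaddress.ip_address(match["ip"]))
    except ValueError:
        return None
    return ip, match["user"].lower()

def apply_message(mappings, line):
    """Update the IP-to-username table from one line; return the action taken."""
    login = LOGIN_RE.search(line)
    if login and (parsed := _parse(login)):
        ip, user = parsed
        mappings[ip] = user  # a newer login replaces any older mapping for the IP
        return "login"
    logout = LOGOUT_RE.search(line)
    if logout and (parsed := _parse(logout)):
        ip, user = parsed
        # Design choice in this sketch: only delete when the logout names the
        # user currently mapped, so a late logout cannot unmap a newer user.
        if mappings.get(ip) == user:
            del mappings[ip]
            return "logout"
    return "ignored"

def build_mappings(lines):
    """Replay syslog lines in order and return the resulting mapping table."""
    mappings = {}
    for line in lines:
        apply_message(mappings, line)
    return mappings
```

Replaying the sample lines leaves `10.1.20.15` mapped to `bwong`: the first logout removes the `jdoe` mapping, and the repeated `jdoe` logout that arrives after `bwong` logs in is ignored.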
Palo Alto Networks provides a number of best practices to help you deploy your User-ID configuration. When you configure User-ID to obtain mappings from syslog senders, follow the recommended deployment best practices to help ensure that your deployment is simple, efficient, and successful.
Allow traffic on the ports used for User-ID so that the firewall can receive messages from the syslog senders and map IP addresses to usernames.
For more information, review the User-ID concepts for syslog information, which provide an example of a deployment that uses syslog messages as a source of User-ID mapping information.
To configure the CN-Series to obtain user mappings from a User-ID syslog sender source, use the dataplane interface. You can't use the management interface to obtain user mappings from a syslog sender source with the CN-Series.