Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent
Focus
Focus

Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent

Table of Contents

Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing. While we support WMI probing, we do not recommend it.
  1. Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server.
    Be sure that the user you create is part of the following groups:
    • Distributed COM Users
    • Event Log Readers
    • Server Operators
    We recommend only making these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving privileges to the account that aren’t required can give your network a larger attack surface.
  2. Configure Windows Management Instrumentation (WMI) on the AD server.
    The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD server that connects to the device.
    1. Open a command prompt window and run the wmimgmt.msc command.
    2. In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.
  3. Make the following changes in the CIMV2 folder:
    1. Select the CIMV2 folder.
    2. Click Security.
    3. Click Add
    4. Select the service account you created in Step 1.
      This example uses the UserID user with the email of userid@example.com.
    5. Check Allow for the Enable Account and Remote Enable for the account you created.
    6. Click Apply.
    7. Click OK.
  4. In Panorama, select DeviceUser IdentificationUser Mapping and click the gear icon to edit the settings.
    Be sure that you have selected the Remote_Network_Template at the top of the page.
  5. Configure the Windows Remote Management (WinRM) protocol to monitor your Active Directory server.