User-ID™ enables you to identify all users on your network
using a variety of techniques to ensure that you can identify users
in all locations using a variety of access methods and operating
systems, including Microsoft Windows, Apple iOS, Mac OS, Android,
and Linux®/UNIX. Knowing who your users are instead of just their
IP addresses enables:
Visibility—Improved visibility into application
usage based on users gives you a more relevant picture of network
activity. The power of User-ID becomes evident when you notice a
strange or unfamiliar application on your network. Using either
the ACC (Application Command Center) or the log viewer, your security team can discern what the application
is, who the user is, the bandwidth and session consumption, along
with the source and destination of the application traffic, as well
as any associated threats.
Policy control—Tying user information to Security
policy rules improves safe enablement of applications traversing
the network and ensures that only those users who have a business need
for an application have access. For example, some applications,
such as SaaS applications that provide access to Human Resources
services (such as Workday or ServiceNow), must be available to any
known user on your network. However, for more sensitive applications
you can reduce your attack surface by ensuring that only users who
need these applications can access them. For example, while IT support personnel
may legitimately need access to remote desktop applications, the
majority of your users do not.
Logging, reporting, forensics—If a security incident
occurs, forensics analysis and reporting based on user information
rather than just IP addresses provides a more complete picture of
the incident. For example, you can use the predefined User/Group
Activity report to see a summary of the web activity of individual users
or user groups, or the SaaS Application Usage report to see which
users are transferring the most data over unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must
be able to map the IP addresses in the packets it receives to usernames.
User-ID provides many mechanisms to collect this User Mapping information.
For example, the User-ID agent monitors server logs for login events
and listens for syslog messages from authenticating services. To
identify mappings for IP addresses that the agent didn’t map, you
can configure Authentication Policy to redirect HTTP requests to a Captive Portal login. You can
tailor the user mapping mechanisms to suit your environment, and even
use different mechanisms at different sites to ensure that you are
safely enabling access to applications for all users, in all locations,
all the time.
To enable user- and group-based policy enforcement, the firewall
requires a list of all available users and their corresponding group
memberships so that you can select groups when defining your policy
rules. The firewall collects Group Mapping information by connecting directly to your LDAP directory server,
or using XML API integration with your directory server.
User-ID does not work in environments
where the source IP addresses of users are subject to NAT
before the firewall maps the IP addresses to usernames: the firewall
then sees only the translated address, which it cannot attribute to an individual user.
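The mechanism described above, as an added illustration that is not Palo Alto Networks code: a small Python model that builds the IP-to-user mapping from login events in syslog, combines it with group membership (standing in for the LDAP group mapping) to evaluate user- and group-based rules, and surfaces the NAT failure mode, where one source address is claimed by several users. The log lines, group names, applications and rules are all constructed for the example.

```python
import re

# Constructed sample syslog lines from a hypothetical authenticating service (not real logs).
SAMPLE_SYSLOG = [
    "Jan 10 09:01:02 vpn-gw auth: login user=alice src=10.1.1.10",
    "Jan 10 09:02:15 vpn-gw auth: login user=bob src=10.1.1.11",
    # Same source IP as alice: what a NAT device in front of the firewall produces.
    "Jan 10 09:03:40 vpn-gw auth: login user=carol src=10.1.1.10",
]
LOGIN_RE = re.compile(r"login user=(?P<user>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Hypothetical group membership, standing in for what the firewall pulls over LDAP.
GROUP_MAP = {"alice": {"it-support"}, "bob": {"all-users"}, "carol": {"all-users"}}

# Hypothetical rules: (application, groups allowed). "known-user" matches any mapped user.
POLICY = [("workday", {"known-user"}), ("ms-rdp", {"it-support"})]


def build_user_mapping(lines):
    """Parse login events into an IP -> username table (last login per IP wins).

    Also returns the overwrites: an IP whose user changes is the symptom of NAT
    or a shared address, where an IP-based user mapping cannot be trusted.
    """
    mapping, overwrites = {}, []
    for line in lines:
        match = LOGIN_RE.search(line)
        if match is None:
            continue  # not a login event
        ip, user = match["ip"], match["user"]
        if ip in mapping and mapping[ip] != user:
            overwrites.append((ip, mapping[ip], user))
        mapping[ip] = user
    return mapping, overwrites


def evaluate(src_ip, app, mapping, groups=GROUP_MAP, policy=POLICY):
    """Decide 'allow', 'deny' or 'captive-portal' for a flow, as a user-based rule would."""
    user = mapping.get(src_ip)
    if user is None:
        return "captive-portal"  # unmapped IP: Authentication Policy redirects to login
    for rule_app, allowed in policy:
        if rule_app != app:
            continue
        if "known-user" in allowed or groups.get(user, set()) & allowed:
            return "allow"
    return "deny"  # no rule grants this user's groups the application


if __name__ == "__main__":
    table, clashes = build_user_mapping(SAMPLE_SYSLOG)
    print(table, clashes, evaluate("10.1.1.10", "ms-rdp", table))
```

Before carol's login the shared address maps to alice and remote desktop is allowed; after it the same address maps to carol and is denied, so whoever is actually behind the NAT gets the wrong decision, which is why the overwrites list is worth alerting on.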