How to Install and Configure PANAgent


  • 8/10/2019 How to Install and Configure PANAgent


    PANOS 4.0 1

    How to Install and Configure PanAgent for Active Directory

    One of the unique attributes of the Palo Alto Networks firewall is the ability to control traffic based upon usernames and group names. In PANOS 4.0, there are three different server-based agents that are used to track users:

    PanAgent

    o User identification for Active Directory

    o Agent polls the domain controllers to determine who is logged into what IP, and sends that information to the PA firewalls

    o Discussed in this document

    LDAPAgent

    o User identification for LDAP servers, such as eDirectory

    o Discussed in this knowledge base document: https://live.paloaltonetworks.com/docs/DOC-1445

    TSAgent

    o User identification on Terminal Servers/Citrix Servers

    o The agent is installed on each terminal server, and sends the username/IP information to the PA firewalls

    o Installation steps are in the PANOS 4.0 Administrators Guide, found on our support site

    For a technical overview of each of these agents, please read the User Identification Tech Note PANOS 4.0 found at https://live.paloaltonetworks.com/docs/DOC-1807.

    This document will give the steps to install and configure the PanAgent for Active Directory, which from now on will be referred to as the PanAgent.


    To determine beforehand:

    Determine onto which machine the PanAgent will be installed. That machine must:

    o be running Windows XP service pack 2 or higher, or Windows Server 2003 service pack 2 or higher, or Windows Server 2008

    o be a member of the domain to be monitored

    o have network connectivity to the DCs and to the management port of the PAN firewall

    o be near the DCs that it will be querying, as it will be polling the DCs very frequently

    Determine which user account will be used by the PanAgent to query the domain. You can either use a Domain Administrator account, or set up a more restrictive account as described in Appendix A of this document.

    Determine which domain (with corresponding domain controllers) the PanAgent will be querying. Note that you need one PanAgent service for each domain. One PanAgent can handle a maximum of 64,000 users in a domain, and can talk with up to 100 DCs.


    Part 1: Installing and Configuring the PanAgent

    1. Login to the Windows machine that you will use to run the PanAgent. Login as a user with administrator privileges on that machine.

    2. Download the latest version of the User Identification Agent for AD (PanAgent.msi) from https://support.paloaltonetworks.com. Select the version that ends with -AD.

    3. Install that file, accepting all the defaults. This installs the software as a service on the Windows machine.

    4. The next step is to edit that service using the services.msc administrative tool. Start the tool, and look for your new service in the list.


    5. Edit the PanAgent Service. You will see this screen:

    On the Log On tab, specify the username and password of an account that has the ability to read the domain controller security logs. Refer to Appendix A on page 15 for the steps to create such an account.

    Click Apply, and you will see the following pop-up:


    6. In order for the service to run as that user, you must start or restart that service. Use the General tab to do that now.

    7. Close the Services control panel.

    8. Start the PanAgent configuration program (Start -> Programs -> Palo Alto Networks -> User Identification Agent). In the top-right corner, click Configure.

    9. On the configuration screen, fill in the following fields:

    Domain name - enter the FQDN of the domain (example: acme.com). Do not use the NetBIOS name.

    Port number of your choosing - can be any port number that is not currently used on this machine. Make sure the local machine does not have a Windows firewall that is blocking inbound connections on that port.

    Domain controllers IP addresses - you should add in ALL the DCs in the domain here, since users can be authenticated with any DC in the domain. You can enter up to 10 IP addresses by default, up to 100 if you make a configuration change. [1]

    Note: the IP at the top of this list is the one and only DC that will be queried for user and group membership.

    Allow list - list of subnets that contain users you want to track.

    Ignore list - specific IP addresses that fall into the Allow list range that you do not want to track. For example, you should enter here the IPs of your Terminal Servers. (Note that if you want to track users on a Terminal Server, you must install the PAN Terminal Services Agent on each Terminal Server.)

    [1] To allow the agent to talk to up to 100 DCs, edit the config.xml file found in the install directory of the agent. Stop the agent service, change the file to say 100, and start the agent service.


    Here is an example:

    In the bottom left corner of that same window, there are various timer values that you may want to adjust after the PanAgent is operational. For now, accept the default values. Once you are finished, click OK.

    10. On the main screen, click on the Get LDAP tree button. The PanAgent service will query the first DC in the list, and retrieve a list of all of the groups in the domain. This will take a few minutes if the domain is large. Once the groups are retrieved, information will appear:


    11. It is best practice to filter which AD groups will be tracked and forwarded to the PA firewall. You can configure this using the Filter Group Members and Ignore Groups buttons in the top-right corner of the main screen. You will want to configure one or the other, but probably not both.

    Use Filter Group Members if you have a large number of groups in the domain, and you want to specify exactly which groups the PanAgent will look for in the domain security logs.

    Use Ignore Groups if you want the PanAgent to pay attention to all of the AD groups, but ignore a handful of those groups.

    Click on Filter Group Members, and the screen below appears. Select the AD groups you want to control using the PAN firewall.

    Only the groups in the right-hand column will appear in the policy configuration screen on the PAN firewall, as shown here:


    Best practice: you should include Domain Users in the list of filtered groups, since the PanAgent only keeps track of users that are members of the groups listed on the Filter Groups page.

    12. You can monitor the agent status window in the top left corner of the GUI. Possible status codes:

    o Connection Failed Please start the PanAgent service first

    o Reading domainname\enterprise admins Membership

    o No errors

    13. Click on Get Groups, and a list of domain groups will appear in the pull-down list. If you select a particular group from that pull-down list, the users who are a member of that group are retrieved and displayed in the text box beneath.


    14. After the agent has read all the security groups, it will read through the 50,000 most recent log entries in each Domain Controller's security log, searching for login events. [2] (Again, this may take a while.) The PanAgent will create a list of usernames and associated IPs. Click on Get All to see the IP to username mappings.

    15. If you have a particular IP address in mind, and want to find out which user maps to that IP, you can enter that IP to the left of the Get IP Information button. Click that button, and the name associated with that IP will appear.

    16. To confirm that the server running the PanAgent is listening on the port you configured in a previous step, use the following command on the Windows machine:

    netstat -an | find "xxxx"

    where xxxx is the port number you configured earlier. Here is example output, showing that the UserID agent is in fact listening on port 9999:

    [2] Event IDs on Windows 2000 & 2003: 672, 673, 674. Event IDs on Windows Server 2008: 4624, 4768, 4769, 4770.


    Part 2: Configuring the firewall to communicate with the PanAgent

    17. Login to the Palo Alto Networks firewall as an administrator. Go to the Device tab -> User Identification.

    18. Under the section titled User Identification, Add the IP address and port of the PanAgent that you just configured. Here is an example:

    19. You must also enable user identification on each zone that you want to monitor. On the Network tab -> Zones page, edit the appropriate zone. In the bottom left corner of the zone properties page, check the box to Enable User Identification.

    20. The firewall is now configured to talk to the PanAgent. Commit your changes at this time.


    21. To confirm everything is configured properly, bring up a CLI to the firewall, and execute this command:

    show user pan-agent statistics

    Things are working properly if you get output similar to below:

    If you see the message "No pan-agent configured", make sure you have committed your configuration.

    22. Now view the list of usernames and IPs that the firewall has received from the PanAgent, using this command:

    show user ip-user-mapping

    If there is a long list of users, and you want to determine if a particular user (example: jpage) is in the list, use this command:

    show user ip-user-mapping | match jpage

    Or you can search the output for a particular source IP:

    show user ip-user-mapping | match 10.1.2.3


    23.You can view the defined AD usernames and associated groups using:

    show user pan-agent user-IDs

    In this example, the AD groups are being filtered to only keep track of the Domain Users group.


    Part 3: Testing

    24. At this point, you can test by logging into the domain as a regular user on a machine in the IP address range you specified to be monitored by the agent. After a few minutes, usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in the ACC drill-downs of particular applications.

    25. On the firewall, go to the Policies tab -> Security screen, and select one of the policies. Edit the value in the Source User column. In the window that appears, you will see a listing of Active Directory Groups; these were pulled from the domain. Recall that if you filtered the groups, only the groups you specified will appear here.

    Part 4: Troubleshooting Hints

    26. If the firewall is not successfully communicating with the PanAgent, make sure that the port you specified is open on the intermediate network. You can test this by telnetting from the firewall to the Windows machine:

    If there is a reply from the Windows machine (as shown above), you know that there isn't another device blocking the communication.

    27.For testing purposes, you can clear the logged-in user database on the PAN firewall,

    either for a single-IP, or the complete database:

    clear user-cache ip 1.1.1.9

    clear user-cache all


    28. Ignoring Service Accounts

    Some customers have batch files that execute after a user logs in, and these batch files run as a different AD account. That service account may appear in the PanAgent user database. If that is the case, you can tell the PanAgent to ignore that particular user account. To do this, create a file called ignore_user_list.txt in the directory in which the PanAgent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Insert into that file the domainname\username of the service account that you want the PanAgent to ignore. Note that the username is case sensitive.
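    Added example (not part of the Palo Alto Networks document): a Python sketch of how the agent's IP-to-username mapping comes together from the logon event IDs in footnote 2 of step 14, the Allow list and Ignore list of step 9, and the case-sensitive ignore_user_list.txt of step 28. The event tuples, subnets and account names are constructed sample data; the agent's actual parsing of the Windows security log is not shown.

```python
import ipaddress

# Logon/ticket event IDs the agent searches for in each DC's security log
# (footnote 2 of the document), keyed by the DC's Windows version.
LOGON_EVENT_IDS = {
    "2003": {672, 673, 674},
    "2008": {4624, 4768, 4769, 4770},
}

def load_ignore_users(text):
    """Parse ignore_user_list.txt: one domain\\username per line, case sensitive."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def build_ip_user_map(events, dc_os, allow_subnets, ignore_ips, ignore_users):
    """Map client IP -> user from security-log events (oldest first); a later
    event for the same IP overwrites an earlier one, as a newer logon would."""
    wanted = LOGON_EVENT_IDS[dc_os]
    allowed = [ipaddress.ip_network(s) for s in allow_subnets]
    ignored = {ipaddress.ip_address(i) for i in ignore_ips}
    mapping = {}
    for event_id, user, ip_str in events:
        if event_id not in wanted:
            continue                         # not one of the tracked event IDs
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in allowed):
            continue                         # outside the Allow list
        if ip in ignored:
            continue                         # Ignore list entry (e.g. a Terminal Server)
        if user in ignore_users:
            continue                         # service account from ignore_user_list.txt
        mapping[ip_str] = user
    return mapping

# Constructed sample data, not taken from a real domain controller.
SAMPLE_EVENTS = [
    (4624, "acme\\jpage", "10.1.2.3"),
    (4768, "acme\\svc_backup", "10.1.2.3"),   # post-logon batch job as a service account
    (4624, "acme\\rplant", "10.1.2.50"),      # Terminal Server: tracked by the TSAgent instead
    (4624, "acme\\jbonham", "192.168.9.9"),   # outside the Allow list
    (4634, "acme\\jpjones", "10.1.2.4"),      # logoff, not a tracked event ID
    (4769, "acme\\jpjones", "10.1.2.4"),
]
IGNORE_FILE = "acme\\svc_backup\n"

if __name__ == "__main__":
    result = build_ip_user_map(SAMPLE_EVENTS, "2008", ["10.1.2.0/24"],
                               ["10.1.2.50"], load_ignore_users(IGNORE_FILE))
    for ip, user in sorted(result.items()):      # prints jpage and jpjones only
        print(f"{ip:<15} {user}")
```

    Because the ignore file is matched case-sensitively, an entry written as acme\svc_backup does not suppress a logon recorded as acme\SVC_BACKUP.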

    29. The PanAgent maintains a log file which is very useful for troubleshooting. The log file can be viewed using File -> Show Logs.

    To enable detailed information on the PanAgent operation, go to File -> Debug and select Verbose. The logs will now display more detailed messages.


    Appendix A

    Creating a Domain Account for use with PanAgent Service

    The PanAgent must have the ability to read the security log on the domain controllers. In particular, the user right Manage auditing and security log must be given to that account. The Domain Admins group has that user right by default. If you want to create an account that has more restrictive access than Domain Admins, follow these steps.

    Part 1: Creating the New Account, and Assigning the User Right

    1. Login to a domain controller as an administrator. Start Active Directory Users and Computers. In an OU that is appropriate, create a new account. You can give it any name you'd like.

    Assign a password to the account, and uncheck the box "user must change password at next logon".


    2. Now edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.

    3. In the right-hand pane, locate the user right Manage auditing and security log. Double-click that entry. You will see that only Administrators have that user right.


    4. Click Add User or Group.

    5. Click Browse.

    6. Enter the username of the account you just created, and click on Check Names to confirm

    that account exists. The account name will become underlined.

    7. Click Ok two times. The user right will now look like this:

    8. Close that screen, and exit from the Default Domain Controller Security Policy tool.


    9. In order for this policy to take effect immediately, run this command on each domain controller in the domain:

    If you do not run this command on each DC, it will take up to 60 minutes for this change to be propagated onto each DC.
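    Added example (not from the document): a Python check that the new account really holds Manage auditing and security log once the policy has been applied; that user right appears as SeSecurityPrivilege in a security policy export. It assumes the effective policy was exported on a DC with `secedit /export /cfg <file>` (a standard Windows tool the document does not mention) and that the account's SID is known; the INF text below is a constructed sample with a placeholder SID.

```python
import configparser

# Internal name of the "Manage auditing and security log" user right.
SECURITY_LOG_RIGHT = "SeSecurityPrivilege"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"      # the only default holder on a DC

def parse_privilege_rights(inf_text):
    """Return {privilege: set of SIDs} from the [Privilege Rights] section of a
    secedit export. Holders are comma separated and SIDs carry a leading '*'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                      # keep privilege names as written
    cp.read_string(inf_text)
    rights = {}
    for name, value in cp["Privilege Rights"].items():
        rights[name] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights

def check_security_log_right(inf_text, account_sid):
    """(granted, extra_holders): whether account_sid holds the right, and which
    principals other than BUILTIN\\Administrators and the account also hold it."""
    holders = parse_privilege_rights(inf_text).get(SECURITY_LOG_RIGHT, set())
    extra = sorted(holders - {BUILTIN_ADMINISTRATORS, account_sid})
    return account_sid in holders, extra

# Constructed sample of a secedit export (real files are UTF-16; open them with
# encoding="utf-16"). The domain SID and RID 1105 are placeholders.
PANAGENT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    granted, extra = check_security_log_right(SAMPLE_INF, PANAGENT_SID)
    print("right granted:", granted, "| other holders:", extra or "none")
```

    Running it against an export taken before the 60-minute propagation window (or before the refresh command in step 9) is a quick way to tell whether the DC has picked up the new assignment yet.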

    Part 2: Assigning Permissions on PanAgent Installation Directory

    You must edit the permissions on the installation directory for the PanAgent and give the new account full control. Note that if you do not change the permissions, the new PanAgent account will not be able to create the troubleshooting log in this directory.

    10. Use Windows Explorer to drill down to C:\Program Files\Palo Alto Networks\PanAgent. Right-click the directory name PanAgent, and select Properties.


    11. In the PanAgent Properties window, select the Security tab, and click on the Advanced button. The window will be similar to the following:

    12. Click Add, and enter the name of the new account. Click Check Names to confirm that you spelled the account name correctly.


    13. Click Ok, and the following screen will appear.

    14. In the Permission Entry for PanAgent window, check the box to Allow Full Control. All the boxes below it will become checked. Click Ok. The Advanced Security Settings for PanAgent window will now have a new entry at the top of the list:

    15. Click Ok twice to close all permissions windows.


    20. (OPTIONAL) If you want to further restrict this account from being able to clear the security log, refer to Microsoft KB 323076.


    Part 4: Configuring the PAN Agent Service to Use the New Account

    21. At this point, you can login to the server that is running the PanAgent, and configure the PanAgent service to use the newly-created account.

    22. Restart the service so that it will use the new account.

    23. Confirm that you can view the troubleshooting log by starting the PanAgent GUI, and going to File -> Show Logs.

    If the log file does not exist, make sure you completed the steps in Part 2 of this appendix.