How to Install and Configure PanAgent for Active Directory
One of the unique attributes of the Palo Alto Networks firewall is the ability to control traffic based upon usernames and group names. In PANOS 4.0, there are three different server-based agents that are used to track users:

PanAgent
o User identification for Active Directory
o The agent polls the domain controllers to determine who is logged into what IP, and sends that information to the PA firewalls
o Discussed in this document

LDAPAgent
o User identification for LDAP servers, such as eDirectory
o Discussed in this knowledge base document: https://live.paloaltonetworks.com/docs/DOC-1445

TSAgent
o User identification on Terminal Servers/Citrix Servers
o The agent is installed on each terminal server, and sends the username/IP information to the PA firewalls
o Installation steps are in the PANOS 4.0 Administrators Guide, found on our support site

For a technical overview of each of these agents, please read the “User Identification Tech Note – PANOS 4.0” found at https://live.paloaltonetworks.com/docs/DOC-1807.

This document will give the steps to install and configure the PanAgent for Active Directory, which from now on will be referred to as the PanAgent.

PANOS 4.0 1

To determine beforehand:

Determine onto which machine the PanAgent will be installed. That machine must:
o be running Windows XP service pack 2 or higher, or Windows Server 2003 service pack 2 or higher, or Windows Server 2008
o be a member of the domain to be monitored
o have network connectivity to the DCs and to the management port of the PAN firewall
o be near the DCs that it will be querying, as it will be polling the DCs very frequently

Determine which user account will be used by the PanAgent to query the domain. You can either use a Domain Administrator account, or set up a more restrictive account as described in Appendix A of this document.
Determine which domain (with corresponding domain controllers) the PanAgent will be querying. Note that you need one PanAgent service for each domain. One PanAgent can handle a maximum of 64,000 users in a domain, and can talk with up to 100 DCs.

Part 1: Installing and Configuring the PanAgent

1. Login to the Windows machine that you will use to run the PanAgent. Login as a user with administrator privileges on that machine.

2. Download the latest version of the User Identification Agent for AD (PanAgent.msi) from https://support.paloaltonetworks.com. Select the version that ends with “-AD”.

3. Install that file, accepting all the defaults. This installs the software as a service on the Windows machine.

4. The next step is to edit that service using the services.msc administrative tool. Start the tool, and look for your new service in the list.

5. Edit the PanAgentService. You will see this screen: On the Log On tab, specify the username and password of an account that has the ability to read the domain controller security logs. Refer to Appendix A on page 15 for the steps to create such an account. Click “Apply”, and you will see the following pop-up:

6. In order for the service to run as that user, you must start or restart that service. Use the General tab to do that now.

7. Close the Services control panel.

8. Start the PanAgent configuration program (Start -> Programs -> Palo Alto Networks -> User Identification Agent). In the top-right corner, click Configure.

9. On the configuration screen, fill in the following fields:

Domain name - enter the FQDN of the domain (example: acme.com). Do not use the NetBIOS name.

Port number of your choosing - can be any port number that is not currently used on this machine. Make sure the local machine does not have a Windows firewall that is blocking inbound connections on that port.
Domain controllers IP addresses - You should add ALL the DCs in the domain here, since users can be authenticated with any DC in the domain. You can enter up to 10 IP addresses by default, up to 100 if you make a configuration change (see footnote 1). Note: the IP at the top of this list is the one and only DC that will be queried for user and group membership.

Allow list - list of subnets that contain users you want to track.

Ignore list - specific IP addresses that fall into the Allow List range that you do not want to track. For example, you should enter here the IPs of your Terminal Servers. (Note that if you want to track users on a Terminal Server, you must install the PAN Terminal Services Agent on each Terminal Server.)

Footnote 1: To allow the agent to talk to up to 100 DCs, edit the config.xml file found in the install directory of the agent. Stop the agent service, change the file to say <max-dc>100</max-dc>, and start the agent service.

Here is an example:

In the bottom left corner of that same window, there are various timer values that you may want to adjust after the PanAgent is operational. For now, accept the default values. Once you are finished, click OK.

10. On the main screen, click on the Get LDAP tree button. The PanAgent service will query the first DC in the list, and retrieve a list of all of the groups in the domain. This will take a few minutes if the domain is large. Once the groups are retrieved, information will appear:

11. It is best practice to filter which AD groups will be tracked and forwarded to the PA firewall. You can configure this using the Filter Group Members and Ignore Groups buttons in the top-right corner of the main screen. You will want to configure one or the other, but probably not both. Use Filter Group Members if you have a large number of groups in the domain, and you want to specify exactly which groups the PanAgent will look for in the domain security logs.
Use Ignore Groups if you want the PanAgent to pay attention to all of the AD groups, but ignore a handful of those groups.

Click on Filter Group Members, and the screen below appears. Select the AD groups you want to control using the PAN firewall. Only the groups in the right-hand column will appear in the policy configuration screen on the PAN firewall, as shown here:

Best practice: you should include “domain users” in the list of filtered groups, since the PanAgent only keeps track of users that are members of the groups listed on the Filter Groups page.

12. You can monitor the agent status window in the top left corner of the GUI. Possible status codes:
Connection Failed
Please start the PanAgent service first
Reading domainname\enterprise admins Membership
No errors

13. Click on Get Groups, and a list of domain groups will appear in the pull-down list. If you select a particular group from that pull-down list, the users who are members of that group are retrieved and displayed in the text box beneath.

14. After the agent has read all the security groups, it will read through the 50,000 most recent log entries in each Domain Controller’s security log, searching for login events (see footnote 2). (Again, this may take a while.) The PanAgent will create a list of usernames and associated IPs. Click on Get All to see the IP to username mappings.

15. If you have a particular IP address in mind, and want to find out which user maps to that IP, you can enter that IP to the left of the Get IP Information button. Click that button, and the name associated with that IP will appear.

16. To confirm that the server running the PanAgent is listening on the port you configured in a previous step, use the following command on the Windows machine:

netstat -an | find "xxxx"

where xxxx is the port number you configured earlier. Here is example output, showing that the UserID agent is in fact listening on port 9999:

Footnote 2: Event IDs on Windows 2000 & 2003: 672, 673, 674.
Event IDs on Windows Server 2008: 4624, 4768, 4769, 4770.

Part 2: Configuring the firewall to communicate with the PanAgent

17. Login to the Palo Alto Networks firewall as an administrator. Go to Device tab -> User Identification.

18. Under the section titled “User Identification”, add the IP address and port of the PanAgent that you just configured. Here is an example:

19. You must also enable user identification on each zone that you want to monitor. On the Network tab -> Zones page, edit the appropriate zone. In the bottom left corner of the zone properties page, check the box to Enable User Identification.

20. The firewall is now configured to talk to the PanAgent. Commit your changes at this time.

21. To confirm everything is configured properly, bring up a CLI to the firewall, and execute this command:

show user pan-agent statistics

Things are working properly if you get output similar to below: If you see the message “No pan-agent configured”, make sure you have committed your configuration.

22. Now view the list of usernames and IPs that the firewall has received from the PanAgent, using this command:

show user ip-user-mapping

If there is a long list of users, and you want to determine if a particular user (example: jpage) is in the list, use this command:

show user ip-user-mapping | match jpage

Or you can search the output for a particular source IP:

show user ip-user-mapping | match 10.1.2.3

23. You can view the defined AD usernames and associated groups using:

show user pan-agent user-IDs

In this example, the AD groups are being filtered to only keep track of the “domain users” group.

Part 3: Testing

24. At this point, you can test by logging into the domain as a regular user on a machine in the IP address range you specified to be monitored by the agent.
After a few minutes, usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in the ACC drill-downs of particular applications.

25. On the firewall, go to the Policies tab -> Security screen, and select one of the policies. Edit the value in the Source User column. In the window that appears, you will see a listing of Active Directory groups; these were pulled from the domain. Recall that if you filtered the groups, only the groups you specified will appear here.

Part 4: Troubleshooting Hints

26. If the firewall is not successfully communicating with the PanAgent, make sure that the port you specified is open on the intermediate network. You can test this by telneting from the firewall to the Windows machine: If there is a reply from the Windows machine (as shown above), you know that there isn’t another device blocking the communication.

27. For testing purposes, you can clear the logged-in user database on the PAN firewall, either for a single IP, or the complete database:

clear user-cache ip 1.1.1.9
clear user-cache all

28. Ignoring Service Accounts. Some customers have batch files that execute after a user logs in, and these batch files run as a different AD account. That service account may appear in the PanAgent user database. If that is the case, you can tell the PanAgent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in which the PanAgent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Insert into that file the domainname\username of the service account that you want the PanAgent to ignore. Note that the username is case sensitive.

29. The PanAgent maintains a log file which is very useful for troubleshooting. The log file can be viewed using File -> Show Logs. To enable detailed information on the PanAgent operation, go to File -> Debug and select Verbose. The logs will now display more detailed messages.
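The following PowerShell script is an added example and is not part of this document or of the PanAgent itself. It approximates what the agent does in step 14 (scan the newest security-log entries for the Windows Server 2008 logon event IDs and build an IP-to-username table) while honouring an allow list, an ignore list and the ignore_user_list.txt file from step 28, so you can compare what a DC's log yields against what the agent reports. The DC name, the sample subnets and IPs are assumed values; it needs Get-WinEvent, remote event-log access to the DC, and an account holding "Manage auditing and security log".

```powershell
# Added example, not part of the Palo Alto Networks document: approximates the PanAgent's
# security-log scan (step 14) so you can see which username/IP pairs a DC's log yields,
# applying an allow list, an ignore list and ignore_user_list.txt (step 28).
# Assumes Windows Server 2008 event IDs, Get-WinEvent, remote event-log access to $Dc,
# and an account holding "Manage auditing and security log"; $Dc and the lists are samples.
param(
    [string]$Dc = 'dc1.acme.com',
    [int]$MaxEvents = 50000,                      # the agent reads the 50,000 most recent entries
    [string[]]$AllowSubnets = @('10.1.0.0/16'),   # allow list: subnets holding users to track
    [string[]]$IgnoreIps = @('10.1.2.50'),        # ignore list: e.g. a Terminal Server
    [string]$IgnoreUserFile = 'C:\Program Files\Palo Alto Networks\PanAgent\ignore_user_list.txt'
)

function ConvertTo-IpNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $net) -band $mask)
}

# domain\user entries to drop, one per line; matched case-sensitively like the agent's file
$ignoreUsers = @()
if (Test-Path $IgnoreUserFile) { $ignoreUsers = @(Get-Content $IgnoreUserFile | Where-Object { $_.Trim() }) }

$filter = @{ LogName = 'Security'; Id = 4624, 4768, 4769, 4770 }   # logon and Kerberos ticket events
$mapping = @{}   # IP -> domain\user; Get-WinEvent returns newest first, so the first hit per IP wins
foreach ($ev in Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -MaxEvents $MaxEvents) {
    $data = @{}
    foreach ($f in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$f.Name] = $f.'#text' }
    $user = $data['TargetUserName']
    $ip = $data['IpAddress'] -replace '^::ffff:', ''          # Kerberos events log IPv4-mapped addresses
    # skip computer accounts, entries without a usable IPv4 source, and IPs already mapped or ignored
    if (-not $user -or $user.EndsWith('$') -or $ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }
    if ($mapping.ContainsKey($ip) -or $IgnoreIps -contains $ip) { continue }
    if (-not ($AllowSubnets | Where-Object { Test-InSubnet $ip $_ })) { continue }
    $entry = '{0}\{1}' -f $data['TargetDomainName'], $user
    if ($ignoreUsers -ccontains $entry) { continue }
    $mapping[$ip] = $entry
}
$mapping.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Compare the table it prints with the output of show user ip-user-mapping on the firewall; an IP present here but missing there points at the allow list, the group filter (step 11) or the agent-to-firewall connection rather than at the DC logs.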
Appendix A: Creating a Domain Account for use with PanAgent Service

The PanAgent must have the ability to read the security log on the domain controllers. In particular, the user right “Manage auditing and security log” must be given to that account. The Domain Admins group has that user right by default. If you want to create an account that has more restrictive access than Domain Admins, follow these steps.

Part 1: Creating the New Account, and Assigning the User Right

1. Login to a domain controller as an administrator. Start Active Directory Users and Computers. In an OU that is appropriate, create a new account. You can give it any name you’d like. Assign a password to the account, and uncheck the box “User must change password at next logon”.

2. Now edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.

3. In the right-hand pane, locate the user right “Manage auditing and security log”. Double-click that entry. You will see that only Administrators have that user right.

4. Click Add User or Group.

5. Click Browse.

6. Enter the username of the account you just created, and click on Check Names to confirm that the account exists. The account name will become underlined.

7. Click Ok two times. The user right will now look like this:

8. Close that screen, as well as exit from the Default Domain Controller Security Policy tool.

9. In order for this policy to take effect immediately, run this command on each domain controller in the domain: If you do not run this command on each DC, it will take up to 60 minutes for this change to be propagated onto each DC.

Part 2: Assigning Permissions on PanAgent Installation Directory

You must edit the permissions on the installation directory for the PanAgent and give the new account full control.
Note that if you do not change the permissions, the new PanAgent account will not be able to create the troubleshooting log in this directory.

10. Use Windows Explorer to drill down to C:\Program Files\Palo Alto Networks\PanAgent. Right-click the directory name PanAgent, and select Properties.

11. In the PanAgent Properties window, select the Security tab, and click on the Advanced button. The window will be similar to the following:

12. Click Add, and enter the name of the new account. Click Check Names to confirm that you spelled the account name correctly.

13. Click Ok, and the following screen will appear.

14. In the Permission Entry for PanAgent window, check the box to Allow Full Control. All the boxes below it will become checked. Click Ok. The Advanced Security Settings for PanAgent window will now have a new entry at the top of the list:

15. Click Ok twice to close all permissions windows.

Part 3: Testing the New Account

16. To perform an initial test, log out of the DC, and log back into the DC as the new user (PanUserID).

17. While logged in as the new user, start Event Viewer (hint: from a command prompt, you can type eventvwr.msc).

18. Confirm that the new user can view the events in the security log.

19. Use View -> Find to search for login events (event ID 672 on Windows 2000/2003, event ID 4624 on Windows 2008). You should see numerous events of that type.

20. (OPTIONAL) If you want to further restrict this account from being able to clear the security log, refer to Microsoft KB 323076.

Part 4: Configuring the PanAgent Service to Use the New Account

21. At this point, you can login to the server that is running the PanAgent, and configure the PanAgent service to use the newly-created account.

22. Restart the service so that it will use the new account.

23. Confirm that you can view the troubleshooting log by starting the PanAgent GUI, and going to File -> Show Logs.
If the log file does not exist, make sure you completed the steps in Part 2 of this appendix.
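The PowerShell script below is an added example, not part of this document, that scripts the manual checks of Appendix A Parts 2 and 3: run it on the domain controller while logged on as the new account (PanUserID in the document) and it reports whether the account holds the "Manage auditing and security log" right (SeSecurityPrivilege), has Full Control on the PanAgent install directory, and can actually read a 4624 logon event. It assumes Windows Server 2008 (Get-WinEvent, event ID 4624) and the default install path.

```powershell
# Added example, not from the Palo Alto Networks document: run as the new PanAgent account
# on the DC to confirm the three things the agent needs before binding the service to it.
# Assumes Windows Server 2008 (event ID 4624, Get-WinEvent) and the default install path.
$installDir = 'C:\Program Files\Palo Alto Networks\PanAgent'
$results = @{}

# 1. "Manage auditing and security log" is SeSecurityPrivilege; whoami lists it only if granted
$results['SeSecurityPrivilege'] = [bool](whoami /priv | Select-String 'SeSecurityPrivilege')

# 2. Full Control on the install directory (Part 2), granted to this user or one of its groups
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User) + @($me.Groups)
$results['FullControlOnInstallDir'] = [bool]((Get-Acl $installDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -eq 'FullControl' -and
    $mySids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
})

# 3. The security log is readable: fetch the newest logon event (step 19's Find, scripted)
try {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction Stop
    $results['CanReadSecurityLog'] = ($ev -ne $null)
} catch {
    $results['CanReadSecurityLog'] = $false   # access denied lands here if the user right is missing
}

$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($results.Values -contains $false) { exit 1 }   # non-zero exit makes the check usable in a batch file
```

A False for SeSecurityPrivilege right after step 9 usually means the policy has not propagated to this DC yet; a False for FullControlOnInstallDir is the cause of the missing troubleshooting log described in step 23.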