Using “Syslog Listener” to Collect User-ID data

User Identification is one of the most frequently requested and most effective features for controlling network traffic, and it also yields a wealth of audit and forensic data. The ability to map users to network addresses dynamically and in real time is a powerful and versatile tool, all the more so given the widespread use of DHCP and the ever-growing number of network-enabled devices. Palo Alto Networks firewalls offer User-ID features to dynamically map user identities to IP addresses and to supply user directory group context.

There are several ways the Palo Alto Networks firewall can gather username-to-IP-address mappings to determine which user is on which computer. The “syslog listener” is the newest method, and it shifts from a “pull” technique, in which the User-ID agent actively goes out to retrieve the data from the sources, to a “push” method, in which the sources send the data to the User-ID agent automatically. This lab exercise explores use cases for this method and shows how to configure the User-ID agent to collect user-to-IP-address mappings with it.
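To make the push model concrete, here is a small Python illustration added for this lab; it is not the User-ID agent's code, nor does it use the agent's real syslog parse-profile format. Sources push syslog lines to the listener, which never polls anything; per-source regex "filters" pull the user and client IP out of login and logout events and maintain an IP-to-user table. The message formats (`sslvpn:` and `radiusd:`), the host names `vpn1` and `radius1`, and the sample lines are all constructed for this example. It also handles an edge case the lab should make you think about: a DHCP or NAT address reused by a second user before the first user's logout arrives.

```python
"""Toy 'push'-style syslog listener that turns login/logout events into an
IP -> user mapping table.

Added illustration, not Palo Alto Networks' User-ID agent or its syslog
parse-profile format.  The message formats, regexes, host names and sample
lines below are all constructed for this example.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional

# Split a classic BSD-style syslog line: <PRI>TIMESTAMP HOST MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# "Parse filters": one regex per source event type, each capturing the user
# and the client IP.  These message formats are invented for the example.
LOGIN_FILTERS = [
    re.compile(r"sslvpn: Login succeeded for user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"radiusd: Access-Accept user=(?P<user>\S+) framed-ip=(?P<ip>[\d.]+)"),
]
LOGOUT_FILTERS = [
    re.compile(r"sslvpn: Session closed for user (?P<user>\S+) from (?P<ip>[\d.]+)"),
]


@dataclass
class Mapping:
    user: str
    source_host: str
    seen: str  # raw syslog timestamp of the event that created this entry


@dataclass
class UserIDMap:
    """IP -> user table fed only by events that sources push to us."""
    entries: Dict[str, Mapping] = field(default_factory=dict)
    ignored: int = 0  # lines that changed nothing (no filter hit, or stale)

    def ingest(self, line: str) -> Optional[str]:
        """Apply one syslog line.  Returns 'login', 'logout' or None."""
        m = SYSLOG_RE.match(line.strip())
        if not m:
            self.ignored += 1
            return None
        msg, host, ts = m["msg"], m["host"], m["ts"]
        for f in LOGIN_FILTERS:
            hit = f.search(msg)
            if hit:
                # A newer login from the same IP replaces the old user: with
                # DHCP reuse and shared NAT addresses a stale entry is wrong.
                self.entries[hit["ip"]] = Mapping(hit["user"], host, ts)
                return "login"
        for f in LOGOUT_FILTERS:
            hit = f.search(msg)
            if hit:
                current = self.entries.get(hit["ip"])
                if current and current.user == hit["user"]:
                    del self.entries[hit["ip"]]
                    return "logout"
                # Logout for a user who no longer owns this IP: must not evict
                # the user who took the address over, so it is dropped.
                self.ignored += 1
                return None
        self.ignored += 1
        return None

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.user if entry else None


def serve_udp(table: UserIDMap, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Blocking UDP receiver: sources push lines to us; we never poll them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, _ = sock.recvfrom(8192)
            table.ingest(data.decode("utf-8", errors="replace"))


# Constructed sample events, as a VPN gateway and a RADIUS server might push them.
SAMPLE_LINES = [
    "<134>Mar 10 09:15:01 vpn1 sslvpn: Login succeeded for user alice from 10.1.2.3",
    "<134>Mar 10 09:15:07 radius1 radiusd: Access-Accept user=bob framed-ip=10.1.2.4",
    "<134>Mar 10 09:20:44 vpn1 sslvpn: Login succeeded for user carol from 10.1.2.3",
    "<134>Mar 10 09:21:00 vpn1 sslvpn: Session closed for user alice from 10.1.2.3",
    "<134>Mar 10 09:22:10 vpn1 kernel: link up on eth0",
]


def build_from_samples() -> UserIDMap:
    """Feed the constructed sample lines through the table, as if pushed."""
    table = UserIDMap()
    for line in SAMPLE_LINES:
        table.ingest(line)
    return table


if __name__ == "__main__":
    t = build_from_samples()
    for ip, m in sorted(t.entries.items()):
        print(f"{ip:<12} {m.user:<8} via {m.source_host} at {m.seen}")
```

Run as a script it prints the two surviving mappings (`10.1.2.3` owned by `carol`, `10.1.2.4` by `bob`); `alice`'s late logout is dropped rather than evicting `carol`, and the kernel message matches no filter. To actually receive pushed events, call `serve_udp(table)` and point a source's syslog output at it; the real User-ID agent's listener is configured through its syslog parse profiles rather than regex lists like these.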