
WHY SHOULD YOU USE USER-ID FIREWALL RULES?

HOW MANY TIMES HAVE YOU THOUGHT OF…

  1. Is there a way to track what my users are connecting to?
  2. Is there a way to track which applications my users are using and how many bytes are transmitted by each application?
  3. Is there a way to allow or block users' access to specific zones or segments of my network based on their user ID?
  4. Is there a way to grant access based on users' Windows user IDs instead of whitelisting IP addresses?
  5. Is there a way to easily create usage reports per access group or user ID?
Palo Alto Networks has made your wish come true. If you have been a Network Engineer for as long as I have, you will find that Palo Alto firewalls take away all those cumbersome and time-consuming tasks. Palo Alto's Next Generation features give you a lot of control and make your life easier. If you also use Panorama to manage your firewalls, your life gets a whole lot easier still, and you will be able to perform more complicated tasks.

User-ID is one of my favorite features from Palo Alto Firewalls. These are some of the main functions you can use it for:

Visibility—Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User‐ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.

Policy control—Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that provide access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network.

However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.

Logging, reporting, forensics—If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the pre‐defined User/Group Activity to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.

REQUIREMENTS
To successfully use User-ID based access you must configure the following:

User Mapping: You can use the firewall's local users, but the caveat is that local users give you limited access features compared with a Windows directory or LDAP server. You need to map your users from your LDAP server (Windows AD / Cloud LDAP / OpenLDAP). You also have to create an authentication profile. I will show you how to do this in another article.

Group Mapping: You also have to map the groups from your LDAP server (Windows AD / Cloud LDAP / OpenLDAP). To map them you will need to create an LDAP profile.

Security Zones: You need to enable the User-ID option on each zone where you want to use this feature.
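To make the three requirements above concrete, here is a small Python model of how user-based policy evaluation ties them together: an IP-to-user mapping (what User-ID learns), a group mapping (what the LDAP profile pulls in), and a per-zone User-ID switch. It then evaluates sessions first-match against rules that use "any", "known-user" or a group as the source user, and produces the user-enriched log record and per-user usage totals discussed earlier. This is an added illustration written for this post, not PAN-OS code or the firewall's real matching logic; every name, IP, user, group and rule in it is constructed sample data.

```python
"""Added illustration of user-based policy evaluation (not PAN-OS code).

Assumptions, all constructed for this example:
- IP_USER_MAP  stands in for the IP-to-user mapping User-ID learns.
- GROUP_MAP    stands in for group membership pulled via the LDAP profile.
- ZONES        records which zones have User-ID enabled; in a zone where it is
               off, the source user can only ever be "unknown".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    src_user: str   # "any", "known-user", or a directory group name
    app: str        # application name or "any"
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_zone: str
    app: str
    bytes_sent: int


# --- constructed sample data ---------------------------------------------
ZONES = {"trust": True, "guest": False}          # zone -> User-ID enabled?
IP_USER_MAP = {
    "10.1.1.10": "corp\\alice",
    "10.1.1.11": "corp\\bob",
    "10.2.1.5": "corp\\carol",
}
GROUP_MAP = {
    "corp\\alice": {"it-support"},
    "corp\\bob": set(),
    "corp\\carol": {"it-support"},
}
RULES = [
    # IT support may use remote desktop; nobody else may.
    Rule("it-remote-desktop", "trust", "it-support", "ms-rdp", "allow"),
    Rule("block-rdp-everyone-else", "trust", "any", "ms-rdp", "deny"),
    # The HR SaaS app is open to any *known* user, not to unmapped hosts.
    Rule("hr-saas-known-users", "trust", "known-user", "workday", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]
SAMPLE_SESSIONS = [
    Session("10.1.1.10", "trust", "ms-rdp", 5000),   # alice, it-support
    Session("10.1.1.10", "trust", "ms-rdp", 1500),
    Session("10.1.1.11", "trust", "ms-rdp", 800),    # bob, not it-support
    Session("10.1.1.11", "trust", "workday", 2400),
    Session("10.1.1.99", "trust", "workday", 300),   # IP with no user mapping
    Session("10.2.1.5", "guest", "ms-rdp", 900),     # carol, but guest zone has User-ID off
]


def resolve_user(session, zones=ZONES, ip_user_map=IP_USER_MAP):
    """IP -> username, but only in zones where User-ID is enabled."""
    if not zones.get(session.src_zone, False):
        return None
    return ip_user_map.get(session.src_ip)


def user_matches(rule_user, user, group_map=GROUP_MAP):
    """Does a rule's source-user field match the resolved user (None = unknown)?"""
    if rule_user == "any":
        return True
    if user is None:
        return False                      # unknown users only ever match "any"
    if rule_user == "known-user":
        return True
    return rule_user in group_map.get(user, set())


def evaluate(session, rules=RULES):
    """First-match evaluation; returns a log record enriched with the username."""
    user = resolve_user(session)
    for rule in rules:
        if rule.src_zone not in ("any", session.src_zone):
            continue
        if rule.app not in ("any", session.app):
            continue
        if not user_matches(rule.src_user, user):
            continue
        return {"rule": rule.name, "action": rule.action, "user": user or "unknown",
                "app": session.app, "src_ip": session.src_ip, "bytes": session.bytes_sent}
    # No rule matched: treat as an implicit deny.
    return {"rule": None, "action": "deny", "user": user or "unknown",
            "app": session.app, "src_ip": session.src_ip, "bytes": session.bytes_sent}


def usage_report(sessions, rules=RULES):
    """Bytes per (user, application) for allowed sessions: a per-user usage report."""
    totals = defaultdict(int)
    for s in sessions:
        rec = evaluate(s, rules)
        if rec["action"] == "allow":
            totals[(rec["user"], rec["app"])] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(evaluate(s))
    print(usage_report(SAMPLE_SESSIONS))
```

Two of the sample sessions show the failure modes worth checking in a real deployment: the host at 10.1.1.99 has no mapping, so it cannot satisfy a "known-user" rule and falls through to the default deny, and carol's session from the guest zone is logged as "unknown" even though she is in it-support, because User-ID is not enabled on that zone. If a group-based rule is unexpectedly not matching, those two conditions (no IP-to-user mapping, or User-ID off on the source zone) are the first things to verify.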

Consider Donating to allow me to make more useful videos for you and keep this space (your space) ad free. When you donate I will provide a discount code in my training store. Go to the discount page here.

  1. Go to the Training store for more in-depth training
  2. Go to the Training Index to check out all the courses we have available
Disclaimer: The information posted here is informational only. Ricardo Gutierrez won’t be held liable for any mishaps, failures or any other negative outcome. It is the reader’s responsibility to make their own decisions and act on them.
