Start by configuring DNS on the Palo to point to the AD servers or applicable DNS Proxy Object:
Go to Device -> Management -> Setup -> Services

- If DNS Proxy is configured, verify that the domain is set up and that the subdomain has a wildcard entry, as shown below.

- Under User Identification, User-ID Agent Setup, configure the domain DNS name, and then create a Kerberos Server Profile that contains the FQDN of each server, on port 88.

- Create an LDAP server profile for each server, containing the name, the LDAP server IP, port 389, and the Server Settings username for the panuserid account. You can also set a new password for the panuserid account here, since the previous one is most likely not known.

- Create an entry under User Identification > Server Monitoring, add both servers with the type Active Directory, and enter the FQDN of each server under "Network Address". The FQDN is required since we are using WinRM-HTTP as the transport protocol.

- On the servers, create or find the PanUserID account and modify the following settings for the account.
  - Add it as a member of the following groups:
    - Event Log Readers
    - Distributed COM Users
    - Server Operators
    - Remote Management Users
    - WinRMRemoteWMIUsers__
  - Run this command in an Administrator command prompt to add the PanUserID account to the WinRMRemoteWMIUsers__ group:
    - net localgroup WinRMRemoteWMIUsers__ /add <domain>\<username>
  - Additionally, grant the PanUserID account read access to the CIMV2 namespace and all subnamespaces in wmimgmt.msc. (THIS WILL NEED TO BE DONE ON EACH Domain Controller you wish to monitor.)
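The group-membership and WMI steps above are spread across every domain controller and are easy to get half-done. The following PowerShell script is an added example, not Palo Alto Networks' or Microsoft's code, that applies the group memberships from the list above and then checks, as the service account itself, that WinRM and root\cimv2 on each DC answer, which is what the firewall will do once the Server Monitoring entry is committed. It assumes an elevated session on a DC with the ActiveDirectory module (RSAT), that `panuserid` already exists, and placeholder DC FQDNs `dc1.corp.example` and `dc2.corp.example`; the CIMV2 namespace permission is still granted per DC in wmimgmt.msc as the post describes.

```powershell
# Added example (not Palo Alto Networks' or Microsoft's code): prepare and check the
# User-ID service account from the domain-controller side before committing on the
# firewall. Run in an elevated PowerShell session on a domain controller that has
# the ActiveDirectory module (RSAT) installed.
# Assumptions, change to match your environment:
#   $Account           - sAMAccountName of the existing PanUserID account
#   $DomainControllers - FQDNs you entered under Server Monitoring (placeholders here)
# The CIMV2 namespace permission is still granted per DC in wmimgmt.msc, as the post says.
Import-Module ActiveDirectory

$Account           = 'panuserid'
$DomainNetBIOS     = (Get-ADDomain).NetBIOSName
$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')   # placeholder FQDNs

# Groups listed in the post. On a DC these are domain Builtin groups, so one
# Add-ADGroupMember covers every DC in the domain.
$Groups = @('Event Log Readers', 'Distributed COM Users', 'Server Operators', 'Remote Management Users')

foreach ($g in $Groups) {
    $members = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName
    if ($members -contains $Account) {
        Write-Host "[ok]  $Account is already a member of '$g'"
    } else {
        Add-ADGroupMember -Identity $g -Members $Account -ErrorAction Stop
        Write-Host "[add] $Account -> '$g'"
    }
}

# WinRMRemoteWMIUsers__ is handled with net localgroup on each DC, as in the post.
# Invoke-Command itself needs WinRM reachable on the DC with your admin credentials.
foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ArgumentList "$DomainNetBIOS\$Account" -ScriptBlock {
        param($acct)
        net localgroup WinRMRemoteWMIUsers__ /add $acct | Out-Null
        Write-Host "[$env:COMPUTERNAME] WinRMRemoteWMIUsers__ members:"
        net localgroup WinRMRemoteWMIUsers__
    }
}

# Check what the firewall will do: authenticate as the service account over WinRM
# (Kerberos, HTTP on port 5985) and read a class from root\cimv2 through a CIM session.
$cred = Get-Credential -UserName "$DomainNetBIOS\$Account" -Message 'PanUserID password'
foreach ($dc in $DomainControllers) {
    try {
        Test-WSMan -ComputerName $dc -Authentication Kerberos -Credential $cred -ErrorAction Stop | Out-Null
        $session = New-CimSession -ComputerName $dc -Credential $cred -Authentication Kerberos -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem
        Write-Host "[ok]  $dc answered over WinRM as $Account ($($os.Caption))"
        Remove-CimSession $session
    } catch {
        # Typical causes: no WinRM listener on the DC, missing Remote Management Users
        # membership, or CIMV2 namespace rights not yet granted in wmimgmt.msc on this DC.
        Write-Warning "[fail] $dc : $($_.Exception.Message)"
    }
}
```

A `[fail]` line for a DC before the firewall commit tells you which host still needs the per-DC WMI permission or WinRM listener, which is much quicker than reading useridd.log after the fact.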

- Commit and verify that the connection to the servers is functional under the User Identification > Server Monitoring tab, then run the following commands to verify that IPs are being mapped to users:
  - show user ip-user-mapping all
  - show user group-mapping statistics
  - show user group-mapping state
- Additional troubleshooting commands:
  - debug user-id reset group-mapping all
  - debug software restart process user-id
  - less mp-log useridd.log
References:
- https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent
- https://live.paloaltonetworks.com/t5/general-topics/humps-and-bumps-with-the-palo-alto-firewall-integrated-user-id/td-p/511947
- https://learn.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections