
Sun Mgt Bonus Lab 8: User-ID via Syslog Listener on Palo Alto Networks Firewalls
For access to live Palo Alto Networks lab boxes, go to: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab

Overview
User Identification is one of the most frequently asked for and effective features that can be
used to control network traffic and provide a wealth of audit and forensic data. Having the
ability to dynamically map users to network addresses in real-time can be a very powerful and
versatile tool. This is especially true with the widespread use of DHCP and the ever-growing
number of network-enabled devices. Palo Alto Networks firewalls offer User-ID features to
dynamically map user identities with IP Addresses and provide user directory Group context.
With the Palo Alto Networks Operating System (PAN-OS), firewalls can:

1. Map users to directory server Groups (e.g. Microsoft Active Directory, Novell
eDirectory, Sun ONE Directory Server)
2. Dynamically map users to Source IP Addresses using Server Monitoring, Port
Mapping Agents, GlobalProtect, Captive Portal, Client Probing (WMI), and
X-Forwarded-For (XFF) header information used in web traffic communication.

These features all require integration with one of the supported user directories in order to
function properly. However, there are certain scenarios in which user identification using
unsupported user directories or databases is desired.

Objective
In this lab, we will learn how to implement User-ID using the Palo Alto Networks Syslog Listener
feature. The Syslog Listener feature allows external network devices to send login and logout
events as syslog messages to the Palo Alto Networks firewall or User-ID Agent software for use
in dynamically mapping users to source IP Addresses. This can be very useful in cases where
supported directory integration (AD, eDirectory, etc…) is not possible or practical.

TIP – The Syslog Listener feature can be used in conjunction with supported directory
integration to augment the control and visibility of network traffic.

Tools
Accomplishing your objective will require the following:
- A network device or server with the ability to capture user identities (login/logout
events) and associated IP Addresses, and forward each event via the Syslog protocol to a
Palo Alto Networks Firewall or User-ID software (This lab will use a CentOS Linux version
7 server with rsyslog installed).
- A client device with the ability to use the SSH protocol to log in and out of the server
listed above (This lab uses a Windows 10 workstation with the PuTTY application).

Target Devices
One or more of the following devices may be used as a Syslog Listener for User-ID:
- Palo Alto Networks hardware or virtual Firewall (This lab uses PANOS version 8.0.8)
- Palo Alto Networks User-ID Agent software installed on a Domain server (This lab uses
version 8.0.8-2 installed on a Windows Server 2012-R2 machine)

Lab Setup
Our lab setup consists of a Palo Alto firewall running PANOS 8.0.8 and configured with a
dedicated management interface; a Windows server with the Palo Alto User-ID Agent software
installed; an external Linux server recording user login/logout events and generating syslog
messages; and a Windows client endpoint device used to log in to the Linux server to generate
User-ID syslog events. It is assumed that the Palo Alto firewall is already deployed on the
network and the initial setup has been accomplished. It is also assumed that the User-ID Agent
software is already installed on a Windows server and connected to the firewall. See the
“Resources” section below for more information on initial deployment of Palo Alto products.

Lab Configuration Steps

1. Configure the Firewall Management Interface as a Syslog Listener

a. Purpose
The firewall management interface needs to be configured as a Syslog Listener
using the UDP and/or TCP (SSL/TLS) protocol to receive and parse syslog events
from external systems. For the purposes of this lab we will be using the SSL/TLS
protocol over TCP for syslog communication as per Palo Alto Networks Best
Practices. Syslog over SSL/TLS is more reliable and secure than Syslog over UDP.

b. Location
Syslog Listener options are configured in the Device tab under Setup in the left
menu and the Interfaces sub tab.

c. Enabling the Syslog Listener Option on the Management Interface


i. Click the Interface Name Management to edit the Management Interface.

ii. Check the User-ID Syslog Listener-SSL checkbox


iii. Click OK to save the setting

TIP – The listening ports for receiving syslog events by the firewall are udp/514 and tcp/6514
for SSL/TLS. There is currently no way to change these port numbers.

2. Add the Syslog Senders as User-ID Monitored Servers

a. Purpose
To enable the User-ID feature to listen for syslog traffic from external senders
you will need to add the external syslog sending server’s IP Addresses to the list
of monitored servers in the Palo Alto Firewall User-ID configuration. This creates
a “whitelist” of monitored syslog sender addresses. Syslog traffic destined for
the firewall management interface (or dataplane interface enabled as a syslog
listener) will be dropped if it doesn’t match one of the sources in this list.

b. Location
Syslog sender addresses are configured in the Device tab under User
Identification in the left menu and the Server Monitoring section of the User
Mapping sub tab.

c. Adding a Syslog Sender


i. Click the Add button to add a new syslog sender.

ii. Enter a name for the syslog sender.


iii. Make sure the Enabled box is checked.

iv. Choose the Type Syslog Sender.


v. Enter the Network Address (or FQDN) of the syslog sender.
vi. Choose the Connection Type (For the purposes of this lab we are using SSL to
ensure syslog is sent securely over TLS).
vii. Under Filter click Add and select the correct Parse Profile and Event Type. In
this section of the lab we are using SSH Authentication with the login event.

TIP – PANOS comes with several predefined Syslog Parse profiles. When new profiles are
added, the profile definitions can be updated by downloading and installing the latest content
database. Custom profiles can be created using RegEx and/or Field Identifiers. Please refer to
the “Resources” section at the end of the lab for more information on configuring User-ID.

viii. (Optional) Enter a Default Domain Name if the syslog messages don’t contain
domain information (This will map any users associated with the syslog
messages received from this syslog listener with the Domain specified here).
ix. Click Commit to commit your candidate configuration to running.

TIP – Configuring a Default Domain will allow this domain information for each associated
user to show up in the logs and reports produced by the firewall. In addition, policy rules can be
created to control traffic based on users and user groups. Providing a domain for users can be
useful when adding user groups as match criteria to these rules.
3. Forward Syslog Events from External Systems

a. Purpose
The external server must be configured to forward syslog events to the Palo Alto
syslog listener to capture login and logout events that map users to IP Addresses.
In our lab we will be using a Linux server with remote SSH capabilities. When
users log in to the Linux server via SSH, syslog messages will be generated and
sent to the Palo Alto syslog listeners.

b. Location
In our lab build of CentOS Linux the default rsyslog daemon is used to record log
messages and forward syslog events to an external syslog location via TLS. This is
done by installing the rsyslog-gnutls package and associated dependencies, then
configuring the /etc/rsyslog.conf file to forward SSH login events recorded in the
/var/log/secure file to the Palo Alto firewall via the syslog protocol. (Refer to the
documentation associated with your version of Linux to complete this section)

c. Verify the Log Format


i. From the client device on the network, log in to the Linux Server via SSH.

ii. Check the /var/log/secure file to make sure logs are recorded upon
successful SSH logins. Logs should contain a username and IP Address in a
single recorded event.

[admin@centos ~]$ sudo tail /var/log/secure
Mar 22 09:46:13 centos sshd[44306]: Accepted password for testuser from 192.168.55.128 port 54498 ssh2
Mar 22 09:46:14 centos sshd[44306]: pam_unix(sshd:session): session opened for user admin by (uid=0)

d. Installing the rsyslog-gnutls Packages and Dependencies


i. Use yum to fetch and install the rsyslog-gnutls package and dependencies.

[admin@centos ~]$ sudo yum install rsyslog-gnutls

e. Configuring rsyslog to use TLS to Send Syslog Events


i. Load the Root CA certificate onto the Linux server and set its permissions so that
the rsyslog daemon can read it (the lab uses chmod 777; rsyslog only needs read
access to this file, so a mode such as 644 is sufficient). See the TIP below for more
information on certificates.

[admin@centos ~]$ sudo scp [username]@[host]:/[path_to_root_cert_file] /etc/ssl/certs/.
[admin@centos ~]$ sudo chmod 777 /etc/ssl/certs/[root_cert_file]

ii. Edit the /etc/rsyslog.conf file.

[admin@centos ~]$ sudo vi /etc/rsyslog.conf

iii. Append the following to the rsyslog.conf file:

# Monitor log file /var/log/secure and collect as informational logs with facility local4
$ModLoad imfile
$InputFileName /var/log/secure
$InputFileTag ssh-secure
$InputFileStateFile ssh-secure
$InputFileSeverity info
$InputFileFacility local4
$InputRunFileMonitor

# Configure gtls driver, certificate trust, and authentication
# Root CA of server cert chain
$DefaultNetstreamDriverCAFile /etc/ssl/certs/root.pem
# Use the gtls netstream driver
$DefaultNetstreamDriver gtls
# Require TLS for the connection
$ActionSendStreamDriverMode 1
# Certificate validation only
$ActionSendStreamDriverAuthMode x509/certvalid

# Send each log message collected with facility local4 to the specified IP Address and port
# (all local4 events go to the Palo Alto firewall on port 6514)
local4.* @@192.168.55.10:6514

TIP – Using the above $ActionSendStreamDriverAuthMode with value x509/certvalid will
validate the server certificate sent by the Palo Alto firewall during the initial TLS negotiation by
checking that it belongs to the trust chain of the Root CA certificate loaded earlier. Setting this
value to anon skips validation and accepts any certificate, so the Linux server no longer
authenticates the firewall it sends user mappings to. By default, the Palo Alto firewall
uses a pre-loaded device certificate for TLS communication via syslog listener. This certificate is
only accessible through packet capture of live TLS communication and, currently, there is no
method to specify a different certificate for this communication. Running a packet capture on
the TLS traffic produced by the syslog listener feature will allow you to use an application like
Wireshark to extract the Root CA certificate at the top of the trust chain that the device
certificate is part of. See the screenshots below for examples of the certificates used for TLS
syslog listener traffic.

[Screenshots: Root CA Certificate, Intermediate CA Certificate, Device Certificate]

iv. Restart the rsyslog service.

[admin@centos ~]$ sudo systemctl restart rsyslog

4. Test User-ID Mapping via Syslog Listener

a. Purpose
The initial configuration is done, and the firewall is now configured to receive
User-ID mapping events via syslog. Let’s test to see if things are working as
expected.

b. Generating User-ID Events


i. From the client device on the network, log in to the Linux Server via SSH.
ii. Check the /var/log/secure log to ensure the login event was recorded locally.

[testuser@centos ~]$ sudo tail /var/log/secure
Mar 23 09:20:28 centos sshd[54652]: Accepted password for testuser from 192.168.55.128 port 54680 ssh2
Mar 23 09:20:28 centos sshd[54652]: pam_unix(sshd:session): session opened for user testuser by (uid=0)

c. Verifying User-ID Database Mapping


i. Log in to the CLI of the Palo Alto firewall and run the command below from
Operational mode.

admin@PAN-FW> show user server-monitor state all

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is enabled

Proxy: Linux_Server(vsys: vsys1) Host: Linux_Server(192.168.55.141)
        number of log messages : 208
        number of auth. success messages : 19
        number of active connections : 1
        total connections made : 33

ii. Verify that the number of active connections is greater than 0.


iii. Run the following command to show the recorded user/IP Address mappings
in the User-ID database of the firewall.

admin@PAN-FW> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.55.128  vsys1  SYSLOG  mynet\testuser                   Never          Never
Total: 1 users

iv. Verify the user is being mapped to the client device IP Address and the
correct domain is displayed (if configured).

TIP – The SSH Authentication events send the username along with the IP Address of the
Client device to the firewall via Syslog. The firewall will then use this information to record the
mapping in the User-ID database. Please note, however, that the user will be mapped to the
Client IP Address, and not to the Server IP Address.

Now that you have the User-ID via Syslog Listener feature working with the Palo Alto firewall
you can move on to the next part of the lab, where the Palo Alto User-ID Agent is set up to
listen for Syslog events and provide User-ID functionality.

5. Create a Syslog Filter Profile

a. Purpose
The Palo Alto User-ID Agent software does not currently have any pre-loaded
syslog parsing filters. Because of this, you must create each filter profile before
using the syslog listener feature. Filters can be created using RegEx or Field
Identifiers. For the purposes of this lab we will be using Field Identifiers. Please
refer to the “Resources” section at the end of the lab for links to more
information about configuring User-ID.

b. Location
Syslog Filter Profiles are configured under the User Identification menu and the
Setup sub menu in the main GUI window of the User-ID Agent application.

TIP – When opening the User-ID Agent application it is recommended that you right-click the
application icon and choose the Run as administrator option.

c. Enabling the Syslog Service and Creating the Filter Profile


i. Click the Edit button under Setup and select the Syslog tab.

ii. Enter the Syslog Service Port to receive syslog events.


iii. Check the Enable Syslog Service checkbox.
iv. Click the Add button to add a syslog filter.

v. Enter a Profile Name. In this lab we used the name “SSH Authentication”.
vi. Choose the type Field.

vii. Enter an Event String. The event string is a unique identifier in the syslog
message that instructs the User-ID Agent to parse that event. We are using
the event string “Accepted password” for this lab. This comes directly from
the text of the log messages.

[testuser@centos ~]$ sudo tail /var/log/secure
Mar 23 09:20:28 centos sshd[54652]: Accepted password for testuser from 192.168.55.128 port 54680 ssh2
Mar 23 09:20:28 centos sshd[54652]: pam_unix(sshd:session): session opened for user testuser by (uid=0)

viii. Enter a Username Prefix. The username prefix identifies the beginning of the
username field. In this case the syntax immediately before the username is
“for “. (Notice the trailing space. This MUST be included in the field).
ix. Enter a Username Delimiter. The username delimiter identifies the end of
the username field. Here you must use “\s” to indicate a space.
x. Enter an Address Prefix. The address prefix identifies the beginning of the
address field. In this case the syntax immediately before the IP address is
“from “. (Notice the trailing space. This MUST be included in the field).
xi. Enter an Address Delimiter. The address delimiter identifies the end of the
address field. Here you must use “\s” to indicate a space.
xii. Click OK to save the filter.
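To make the relationship between the rsyslog configuration in step 3 and the Field Identifier filter in step 5 concrete, the following Python script is an added example; it is not part of the lab and is not Palo Alto Networks' or rsyslog's code. It rebuilds the record rsyslog forwards for a line read from /var/log/secure with facility local4 and severity info (assuming rsyslog's default forwarding template, <PRI>TIMESTAMP HOST TAG MSG), then applies the event string, prefixes and delimiters entered above to the sample log lines from the lab and prepends the Default Domain Name “mynet” that appears in the firewall's mapping table. The FieldFilter class is a stand-in for the agent's parser written for illustration, and the failed-login line with the address 203.0.113.5 is constructed.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed samples: the two lines the lab shows in /var/log/secure after an SSH
# login, plus a failed-login line of the kind sshd also writes to that file.
ACCEPTED_LINE = ("Mar 23 09:20:28 centos sshd[54652]: Accepted password for testuser "
                 "from 192.168.55.128 port 54680 ssh2")
SESSION_LINE = ("Mar 23 09:20:28 centos sshd[54652]: pam_unix(sshd:session): "
                "session opened for user testuser by (uid=0)")
FAILED_LINE = ("Mar 23 09:21:02 centos sshd[54660]: Failed password for invalid user "
               "root from 203.0.113.5 port 4444 ssh2")  # constructed, not from the lab

# RFC 3164 numeric codes for the facility/severity the lab's rsyslog config assigns.
FACILITY_CODES = {"local4": 20}
SEVERITY_CODES = {"info": 6}


def forwarded_message(line: str, facility: str = "local4", severity: str = "info",
                      host: str = "centos", tag: str = "ssh-secure") -> str:
    """Rebuild the record rsyslog sends for one line read by imfile.

    Assumes rsyslog's default forwarding template, <PRI>TIMESTAMP HOST TAG MSG, where
    PRI = facility * 8 + severity. The real TIMESTAMP is the time imfile read the line;
    the line's own timestamp is reused here so the example runs without a clock.
    """
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]
    return f"<{pri}>{line[:15]} {host} {tag} {line}"


class FieldFilter:
    """Field Identifier filter as configured in step 5: an event string that selects
    the message, then a prefix/delimiter pair for the username and for the address."""

    def __init__(self, event_string: str, user_prefix: str, user_delim: str,
                 addr_prefix: str, addr_delim: str, default_domain: Optional[str] = None):
        self.event_string = event_string
        self.user_prefix, self.user_delim = user_prefix, re.compile(user_delim)
        self.addr_prefix, self.addr_delim = addr_prefix, re.compile(addr_delim)
        self.default_domain = default_domain

    @staticmethod
    def _field(msg: str, prefix: str, delim: "re.Pattern[str]") -> Optional[str]:
        # The field starts right after the prefix and ends at the first delimiter match.
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end_match = delim.search(msg, start)
        end = end_match.start() if end_match else len(msg)
        return msg[start:end] or None

    def parse(self, msg: str) -> Optional[Tuple[str, str]]:
        # The event string gates parsing: without it the pam_unix line ("... for user
        # testuser ...") would match the "for " prefix and yield the bogus user "user".
        if self.event_string not in msg:
            return None
        user = self._field(msg, self.user_prefix, self.user_delim)
        addr = self._field(msg, self.addr_prefix, self.addr_delim)
        if not user or not addr:
            return None
        try:
            ipaddress.ip_address(addr)  # reject anything that is not an IP literal
        except ValueError:
            return None
        if self.default_domain and "\\" not in user:
            user = f"{self.default_domain}\\{user}"
        return user, addr


# The exact values entered in step 5 of the lab; "mynet" is the Default Domain Name
# shown in the firewall's mapping table.
LAB_FILTER = FieldFilter("Accepted password", "for ", r"\s", "from ", r"\s",
                         default_domain="mynet")


def map_users(messages) -> Dict[str, str]:
    """Apply the filter to a stream of syslog messages: client IP -> domain\\user."""
    mapping: Dict[str, str] = {}
    for msg in messages:
        parsed = LAB_FILTER.parse(msg)
        if parsed:
            user, addr = parsed
            mapping[addr] = user
    return mapping


if __name__ == "__main__":
    wire = [forwarded_message(l) for l in (ACCEPTED_LINE, SESSION_LINE, FAILED_LINE)]
    for record in wire:
        print(record)
    print(map_users(wire))  # {'192.168.55.128': 'mynet\\testuser'}
```

Only the “Accepted password” line produces a mapping; the pam_unix session line and the failed login are ignored, which is why the event string has to be chosen from the text of a successful-login message rather than from anything sshd writes.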

6. Configure the Palo Alto User-ID Agent Software as a Syslog Listener

a. Purpose
The Palo Alto User-ID Agent software needs to be configured as a Syslog Listener
using the UDP and/or TCP protocol to receive and parse syslog events from
external systems. For the purposes of this lab we will be using the TCP protocol
for syslog communication.

TIP – The User-ID Agent software does not currently support SSL/TLS communication for
syslog messages. We are using the TCP protocol for the purposes of this lab. Although syslog
over TCP is not encrypted, the TCP protocol provides more reliability than UDP.

b. Location
Syslog Senders are configured under the User Identification menu and the
Discovery sub menu in the main GUI window of the User-ID Agent application.

c. Adding a Syslog Sender


i. Click the Add button to add a Syslog Sending server.

ii. Enter a Name for the server.


iii. Enter the Network Address (or FQDN) of the syslog sender.
iv. Choose the Type Syslog Sender.
v. (Optional) Enter a Default Domain Name if the syslog messages don’t contain
domain information (This will map any users associated with the syslog
messages received from this syslog listener with the Domain specified here).
vi. Under Filter click Add and select the correct Parse Profile and Event Type. In
this section of the lab we are using the SSH Authentication filter we created
earlier with the login event.
vii. Click OK to create the syslog sender.
viii. Click the Commit button on the main window of the User-ID Agent to commit
the changes.

7. Forward Syslog Events from External Systems to the User-ID Agent

a. Purpose
The external server must be configured to forward syslog events to the Palo Alto
User-ID Agent to capture login and logout events that map users to IP Addresses.

b. Configuring rsyslog to Send Syslog Events


i. Log in to the Linux server and edit the /etc/rsyslog.conf file.

[admin@centos ~]$ sudo vi /etc/rsyslog.conf

ii. Comment out the gtls section and change the destination IP Address to that
of the User-ID Agent server. TLS will not be used in this part of the lab since
the User-ID Agent does not support it.

# Monitor log file /var/log/secure and collect as informational logs with facility local4
$ModLoad imfile
$InputFileName /var/log/secure
$InputFileTag ssh-secure
$InputFileStateFile ssh-secure
$InputFileSeverity info
$InputFileFacility local4
$InputRunFileMonitor

# Configure gtls driver, certificate trust, and authentication
# (commented out: the User-ID Agent does not support TLS)
# Root CA of server cert chain
# $DefaultNetstreamDriverCAFile /etc/ssl/certs/root.pem
# Use the gtls netstream driver
# $DefaultNetstreamDriver gtls
# Require TLS for the connection
# $ActionSendStreamDriverMode 1
# Certificate validation only
# $ActionSendStreamDriverAuthMode x509/certvalid

# Send each log message collected with facility local4 to the specified IP Address and port
# (all local4 events go to the User-ID Agent on port 6514)
local4.* @@192.168.55.50:6514

iii. Restart the rsyslog service.

[admin@centos ~]$ sudo systemctl restart rsyslog



8. Test User-ID Mapping via Syslog Listener on the User-ID Agent

a. Purpose
The initial configuration is done, and the User-ID Agent is now configured to
receive User-ID mapping events via syslog. Let’s test to see if things are working
as expected.

b. Generating User-ID Events


i. From one of the client devices on the network, log in to the Linux Server via
SSH.
ii. Check the /var/log/secure log to ensure the login event was recorded locally.

[testuser@centos ~]$ sudo tail /var/log/secure
Mar 23 13:56:54 centos sshd[55665]: Accepted password for testuser from 192.168.55.128 port 54966 ssh2
Mar 23 13:56:54 centos sshd[55665]: pam_unix(sshd:session): session opened for user testuser by (uid=0)

c. Verifying User-ID Database Mapping


i. From the GUI of the User-ID Agent go to the User Identification menu and
verify that the Syslog sending server is listed under Connected Servers with a
status of Connected.

ii. Go to the Monitoring menu and verify that the user is mapped to the client
device IP Address under Discovered Users.

TIP – For troubleshooting purposes, you can use the Logs menu under Monitoring. For more
detailed logs click the top File menu and change the Debug context to Debug or Verbose. The
full log can be accessed on the filesystem of the User-ID Agent server in the UaDebug.log file
located in the Installation directory for the User-ID Agent. This is typically at the path
C:\Program Files (x86)\Palo Alto Networks\User-ID Agent.

d. Verifying User-ID Database Update on the Firewall


i. From the CLI of the firewall, run the following command and verify the
correct user to IP Address mappings. Make sure the entries are coming from
the User-ID Agent (UIA).

admin@PAN-FW> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.55.128  vsys1  UIA     mynet\testuser                   357712         357712
Total: 1 users
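The two verification steps (4.c, where the mapping must come from the firewall's own listener and show as SYSLOG, and 8.d, where it must arrive via the User-ID Agent and show as UIA) are usually repeated many times while troubleshooting, so the following Python script is an added example of automating that check; it is not part of the lab and not Palo Alto Networks code. It parses the text of show user ip-user-mapping all as shown in the two tables above and confirms that a given client IP is mapped to the expected user from the expected source. The sample output embedded below is constructed from the lab's tables, with a second UIA entry for the user mynet\alice added so that both sources appear.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of "show user ip-user-mapping all" output, modelled on the two
# tables in the lab: one entry learned by the firewall's own listener (SYSLOG) and
# one relayed by the Windows User-ID Agent (UIA). The second row is invented.
SAMPLE_OUTPUT = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.55.128  vsys1  SYSLOG  mynet\testuser                   Never          Never
192.168.55.130  vsys1  UIA     mynet\alice                      357712         357712
Total: 2 users
"""


def _timeout(value: str) -> Optional[int]:
    """'Never' means the mapping does not age out; anything else is seconds."""
    return None if value == "Never" else int(value)


def parse_ip_user_mapping(text: str) -> List[Dict]:
    """Turn the CLI table into a list of dicts, cross-checking the 'Total:' line."""
    entries: List[Dict] = []
    declared_total: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the column header and the dashed separator.
        if not line or line.startswith("IP ") or set(line) <= set("- "):
            continue
        total = re.match(r"Total:\s+(\d+)\s+users?", line)
        if total:
            declared_total = int(total.group(1))
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected row in mapping output: {line!r}")
        ip, vsys, source, user, idle, max_t = fields
        ipaddress.ip_address(ip)  # raises ValueError if the first column is not an IP
        entries.append({"ip": ip, "vsys": vsys, "from": source, "user": user,
                        "idle_timeout": _timeout(idle), "max_timeout": _timeout(max_t)})
    if declared_total is not None and declared_total != len(entries):
        raise ValueError(f"firewall reports {declared_total} users, parsed {len(entries)}")
    return entries


def verify_mapping(entries: List[Dict], ip: str, user: str,
                   expected_from: Optional[str] = None) -> bool:
    """The check from steps 4.c.iv and 8.d.i: is this client IP mapped to this user,
    and (optionally) did the mapping arrive from the expected source, SYSLOG or UIA?"""
    for entry in entries:
        if entry["ip"] == ip and entry["user"].lower() == user.lower():
            return expected_from is None or entry["from"] == expected_from
    return False


if __name__ == "__main__":
    mappings = parse_ip_user_mapping(SAMPLE_OUTPUT)
    for m in mappings:
        print(m)
    print(verify_mapping(mappings, "192.168.55.128", r"mynet\testuser", "SYSLOG"))  # True
    print(verify_mapping(mappings, "192.168.55.128", r"mynet\testuser", "UIA"))     # False
```

Usernames are compared case-insensitively because Windows domain names and account names are not case-sensitive, while the From column is compared exactly, since SYSLOG versus UIA is the whole point of the second check.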

Now that you have the User-ID via Syslog Listener feature working in the lab you can begin to
use this functionality for logging, reporting, and controlling network traffic. Nice Work!

Next Steps
If you want to test this on your own and do not have access to a lab environment to do so, you
have a couple options:

a. Contact your Sun Management Account Rep to get pricing on a lab bundle. The
PA-220 and VM-50 appliances are excellent platforms for testing things such as
this and there are specific part numbers for lab equipment that are more heavily
discounted than the same appliance for use in production.

If you are unsure who your Account Rep is or do not have one yet, you can reach
out to sales@sunmanagement.net for assistance.

b. Reach out through the free Fuel Users Group (www.fuelusersgroup.org) which at
the time this lab is being written is offering limited free access to a virtual lab
environment, which they refer to as their “Virtual Test Lab,” in which you can
practice the steps outlined above. (Note: The Fuel Users Group may alter or
discontinue offering their “Virtual Test Lab” at any time)

c. For access to live Palo Alto Networks boxes for lab practice purposes please go to:
https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab.
This is a no charge service provided by Palo Alto Networks.

If you feel Sun Management brings value to you and your organization with these
labs, please keep us in mind for other network and network security related
requirements. We are here to help you. Thank you for your business.

Please direct any questions/comments/feedback on this lab exercise to:


education@sunmanagement.net

Lab Author: Mike Bermudez, Sr. Network Security Engineer, PCNSC, PCNSE, PSE-P

Last Modified: Apr 4, 2018



Resources
Palo Alto User-ID on PANOS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id

Syslog Listener for Firewall Integrated User-ID Agent:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping/configure-the-pan-os-integrated-user-id-agent-as-a-syslog-listener#id91eb3abd-43c1-4969-8a5f-df032685e277

Configuring rsyslog over TLS:
http://www.rsyslog.com/doc/tls_cert_udp_relay.html

Syslog Listener for Windows User-ID Agent:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping/configure-the-windows-user-id-agent-as-a-syslog-listener#id1a30ca36-5f6b-44df-bd5d-182e5803d55b
