Administration Guide

Add or modify the Palo Alto User-ID agent as a pingable

When the Palo Alto Networks User-ID agent is configured in FortiNAC as a pingable device, FortiNAC sends a message to the Palo Alto Networks firewall each time a host connects to the network or the host IP address changes, such as when a host is moved from the Registration VLAN to a Production VLAN. A message is also sent when one user logs off a host and a new user logs on to that same host while the host is still online. All messages include the user ID and IP address. This information identifies the user to Palo Alto Networks, allowing it to apply user-specific policies. There are several scenarios that generate messages to Palo Alto Networks, as described below and in the flow diagram:

  • A host is registered to a specific user; the owner logs onto the network with the host. FortiNAC sends the user ID and IP address.
  • A host has no associated owner and is registered as a device; a user logs onto the network with this host. If this yields a logged-on user, FortiNAC sends the user ID and IP address.
  • If a host is registered to a specific user and a different user logs onto the host, that new user's user ID is sent to Palo Alto Networks with the host IP address.
  • When a user who is not registered as the host's owner logs out of the host, the user ID of the host's owner is sent to Palo Alto Networks with the host IP address, even though the owner did not actually log onto the network.
  • When a user logs out of a host that has no owner, FortiNAC notifies Palo Alto Networks that the user has logged out.

Note

If a user is logged in remotely, such as through Remote Desktop, and there is no Persistent Agent installed on the host, login and logout information are not provided to Palo Alto Networks.
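The login and logout scenarios above, modelled as a small decision routine. This is an added example written for this page, not FortiNAC's own code: the uid-message layout follows the public PAN-OS User-ID XML API, while the DOMAIN\user naming, the domain value and the sample hosts are assumptions.

```python
"""FortiNAC -> Palo Alto User-ID notification logic, as described on this page.

Added example, not FortiNAC's own code. It models which user ID FortiNAC reports
for a host on connect, login and logout, and renders the result as a PAN-OS
User-ID XML API "uid-message" (public format; the DOMAIN\\user naming, the
domain value and the sample hosts are assumptions).
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from xml.etree import ElementTree as ET

DOMAIN = "corp.example.com"  # assumed value of the "Domain Name" field

@dataclass
class Host:
    ip: str
    owner: Optional[str]             # None: host registered as a device
    logged_on: Optional[str] = None  # user currently logged on to the host

Message = Tuple[str, str]  # ("login" | "logout", user)

def on_connect_or_ip_change(host: Host) -> Optional[Message]:
    """Host joins the network or changes IP (e.g. Registration -> Production VLAN)."""
    user = host.logged_on or host.owner
    # Neither a logged-on user nor an owner: only the IP is known, so there
    # is no user mapping to send and the firewall cannot apply a user policy.
    return ("login", user) if user else None

def on_login(host: Host, user: str) -> Message:
    """A user logs on; the new user's ID replaces whatever was reported before."""
    host.logged_on = user
    return ("login", user)

def on_logout(host: Host) -> Optional[Message]:
    """A user logs off: owned hosts fall back to the owner, ownerless hosts get a logout."""
    leaving, host.logged_on = host.logged_on, None
    if host.owner:
        return ("login", host.owner)  # owner re-sent even if the owner never logged on
    return ("logout", leaving) if leaving else None

def uid_message(host: Host, msg: Message) -> str:
    """Render a message as a PAN-OS User-ID XML API update entry."""
    kind, user = msg
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    section = ET.SubElement(ET.SubElement(root, "payload"), kind)
    ET.SubElement(section, "entry", name=f"{DOMAIN}\\{user}", ip=host.ip)
    return ET.tostring(root, encoding="unicode")
```

Walking a host owned by one user through a second user's login and logout shows the owner's ID being re-sent on logout, which is the behaviour to expect in the firewall's user mapping when troubleshooting.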

Implementation

To integrate with the Palo Alto Networks User-ID agent you should be aware of and configure the following items:

Palo Alto Networks
  • Palo Alto Networks firewall must be Version 4.0 or higher.
  • Palo Alto Networks User-ID agent must be Version 4.0 or higher.
  • For Palo Alto Windows User-ID agent versions prior to 7.0.4, the XML API must be enabled to allow communication with FortiNAC. In the Windows User-ID agent, under User Identification > Setup, make sure Enable User-ID XML API is set to Yes. This option is configured on the Agent Setup dialog under the Agent Service tab.
Note

FortiNAC cannot integrate with Windows User-ID Agent versions 7.0.4 and higher because the Enable User-ID XML API option is not available.

FortiNAC
  • To configure the integration of FortiNAC with the Windows User-ID Agent for Agent Versions prior to 7.0.4, do not select the Use Integrated Agent check box. Specify the XML API Port value to match the port you have configured the Windows User-ID agent to use. The agent uses port 5007 by default.
  • FortiNAC cannot integrate with the Windows User-ID Agent Version 7.0.4 or later. If you cannot use an earlier version of the agent, you can instead configure FortiNAC to integrate with the firewall directly.
  • If you are not using the Windows User-ID Agent and your firewall is version 6.0 or later, you must configure FortiNAC to integrate directly with the firewall. Select the Use Integrated Agent check box and enter port 443 in the XML API Port field. Enter the API Key value. The key can be retrieved manually or by selecting Retrieve.

    Note

    Direct integration of FortiNAC with versions of the firewall prior to 6.0 is not supported.

  • Hosts that will be affected by or managed by the Palo Alto Networks User-ID agent must have a logged-on user. If no user is associated with the host, only the IP address is sent to the Palo Alto Networks User Agent, and the User Agent cannot apply a policy without a user ID. Registration methods such as the Persistent Agent, device profiler, or login scripts can be set to register hosts as devices, but then it is the user's login and logout that trigger the messages sent from FortiNAC to Palo Alto.
  • Add the Palo Alto Networks User Agent as a pingable device in FortiNAC. See the instructions below for the steps.
  • FortiNAC and the Palo Alto Networks User Agent communicate via SSL. SSL certificates on the Palo Alto Networks User Agent Server are automatically imported into the .keystore file on your FortiNAC Control Server or Server.
  • In Event Management, the event Communication Lost With Palo Alto User Agent is automatically enabled. This event is generated when the Palo Alto Networks User Agent cannot be reached. While communication is lost, the Palo Alto Networks User Agent is not notified when hosts connect to the network, so policies may not be applied. See Enable and disable events to disable the event if necessary.
  • In Event to Alarm Mappings, you can map the Communication Lost With Palo Alto User Agent event to an alarm if you wish to be notified when FortiNAC and the Palo Alto Networks User Agent are no longer communicating. See Add or modify alarm mapping.
Add pingable
  1. Click Network Devices > Topology.
  2. Select the Container icon.
  3. Right-click the container and select Add Pingable Device.
  4. Use the table below to enter the data for the Palo Alto Networks User-ID agent.
  5. Click OK to save.
Settings

Field: Definition

Element tab
  • Container: Container in the Topology where this device is stored.
  • Name: Name of the device.
  • IP address: IP address of the device.
  • Physical Address: The MAC address of the device. Appears in the view only when the device is a pingable.
  • Device Type: Lists all available device types. Select Firewall or Server.
  • Incoming Events: Lists the security appliances available when either Syslog or Security Events is selected. Select Not Applicable.
  • SSO Agent: The third-party agent communicating with the same authentication credentials as FortiNAC, utilizing the ability to unify credentials across multiple products (e.g., Single Sign-On).
  • XML API Port: Displayed when Palo Alto User Agent is selected in the SSO Agent field. Port on the Palo Alto User Agent configured to receive messages from external devices. This port must match the XML API port configured on the Palo Alto User Agent. See Add or modify the Palo Alto User-ID agent as a pingable.
  • Domain Name: Displayed when Palo Alto User Agent is selected in the SSO Agent field. FQDN for your network users' domain. This is sent with the logged-in user ID to Palo Alto.
  • Use Integrated Agent: Allows you to integrate directly with the firewall when FortiNAC does not integrate with the Windows User-ID Agent.
  • API Key: The authorization key that allows a user to send user mapping data to the firewall. Can be retrieved from the firewall manually, or by providing the credentials for an administrator account on the firewall when you select Retrieve.
  • Apply to Group: Select this check box to apply the Palo Alto SSO options only to the selected Host group in the drop-down list. If you do not select the check box, the SSO options are applied to all Host groups.
  • Role: The Role for this device. Available roles appear in the drop-down list.
  • Description: Description of the device entered by the Administrator.
  • Note: User-specified notes about the device.
  • Contact Status Polling: Enable or disable contact status polling for the selected device.
  • Poll Interval: Determines how often the device should be polled for communication status. Time is stored in minutes.
  • Poll Now: Polls the device immediately for contact status.
  • Last Successful Poll: Date and time that the device was last polled successfully.
  • Last Attempted Poll: Date and time that the device was last polled.