How to Install and Configure PanAgent for Active Directory

One of the unique attributes of the Palo Alto Networks firewall is the ability to control traffic
based upon usernames and group names. In PANOS 4.0, there are three different server-based
agents that are used to track users:
o User identification for Active Directory
  o The agent polls the domain controllers to determine which user is logged in at which IP, and
    sends that information to the PA firewalls
  o Discussed in this document
o User identification for LDAP servers, such as eDirectory
  o Discussed in this knowledge base document:
o User identification on Terminal Servers/Citrix Servers
  o The agent is installed on each terminal server, and sends the username/IP
    information to the PA firewalls
  o Installation steps are in the PANOS 4.0 Administrators Guide, found on our
    support site
For a technical overview of each of these agents, please read the “User Identification Tech Note
– PANOS 4.0” found at
This document will give the steps to install and configure the PanAgent for Active Directory,
which from now on will be referred to as the PanAgent.
To determine beforehand:
Determine which machine the PanAgent will be installed on. That machine must:
  o be running Windows XP Service Pack 2 or higher, Windows Server 2003
    Service Pack 2 or higher, or Windows Server 2008
  o be a member of the domain to be monitored
  o have network connectivity to the DCs and to the management port of the PAN
  o be located near the DCs that it will be querying, as it will be polling the DCs very
Determine which user account will be used by the PanAgent to query the domain. You
can either use a Domain Administrator account, or set up a more restrictive account as
described in Appendix A of this document.
Determine which domain (with corresponding domain controllers) that the PanAgent will
be querying. Note that you need one PanAgent service for each domain. One PanAgent
can handle a maximum of 64,000 users in a domain, and can talk with up to 100 DCs.
Part 1: Installing and Configuring the PanAgent
1. Log in to the Windows machine that you will use to run the PanAgent. Log in as a user
with administrator privileges on that machine.
2. Download the latest version of the User Identification Agent for AD (PanAgent.msi)
from Select the version that ends with “-AD”.
3. Install that file, accepting all the defaults. This installs the software as a service on the
Windows machine.
4. The next step is to edit that service using the services.msc administrative tool. Start the
tool, and look for your new service in the list.
5. Edit the PanAgentService. You will see this screen:
On the Log On tab, specify the username and password of an account that has the ability
to read the domain controller security logs. Refer to Appendix A of this document for the steps
to create such an account.
Click “Apply”, and you will see the following pop-up:
6. In order for the service to run as that user, you must start or restart that service. Use the
General tab to do that now.
7. Close the Services control panel.
8. Start the PanAgent configuration program (Start -> Programs -> Palo Alto Networks > User Identification Agent). In the top-right corner, click Configure.
9. On the configuration screen, fill in the following fields:
  o Domain name - enter the FQDN of the domain (example: Do not use
    the NetBIOS name.
  o Port number of your choosing - can be any port number that is not currently used
    on this machine. The firewall connects inbound to the agent on this port, so make sure
    the local machine does not have a Windows firewall rule blocking inbound connections
    on it. Where possible, allow the port only from the firewall's management IP address
    rather than from any source.
  o Domain controllers IP addresses - you should add ALL the DCs in the
    domain here, since users can be authenticated by any DC in the domain. You
    can enter up to 10 IP addresses by default, up to 100 if you make a configuration
    Note: the IP at the top of this list is the one and only DC that will be queried for
    user and group membership.
  o Allow list - list of subnets that contain users you want to track.
  o Ignore list - specific IP addresses that fall into the Allow list range that you do
    not want to track. For example, enter here the IPs of your Terminal
    Servers. (Note that if you want to track users on a Terminal Server, you must
    install the PAN Terminal Services Agent on each Terminal Server.)
To allow the agent to talk to up to 100 DCs, edit the config.xml file found in the install directory of the agent. Stop
the agent service, change the file to say <max-dc>100</max-dc>, and start the agent service.
Here is an example:
In the bottom left corner of that same window, there are various timer values that you
may want to adjust after the PanAgent is operational. For now, accept the default values.
Once you are finished, click OK.
10. On the main screen, click on Get LDAP tree button. The PanAgent service will query
the first DC in the list, and retrieve a list of all of the groups in the domain. This will take
a few minutes if the domain is large. Once the groups are retrieved, information will
11. It is best practice to filter which AD groups will be tracked and forwarded to the PA
firewall. You can configure this using the Filter Group Members and Ignore Groups
buttons in the top-right corner of the main screen. You will want to configure one or
the other, but probably not both.
Use Filter Group Members if you have a large number of groups in the domain,
and you want to specify exactly which groups the PanAgent will look for in the
domain security logs.
Use Ignore Groups if you want the PanAgent to pay attention to all of the AD
groups, but ignore a handful of those groups.
Click on Filter Group Members, and the screen below appears. Select the AD groups
you want to control using the PAN firewall.
Only the groups in the right-hand column will appear in the policy configuration screen
on the PAN firewall, as shown here:
Best practice: you should include “domain users” in the list of filtered groups, since the
PAN Agent only keeps track of users that are members of the groups listed on the Filter
Groups page.
12. You can monitor the agent status window in the top left corner of the GUI.
Possible status codes:
  o Connection Failed
  o Please start the PanAgent service first
  o Reading domainname\enterprise admins Membership
  o No errors
13. Click on Get Groups, and a list of domain groups will appear in the pull-down list.
If you select a particular group from that pull-down list, the users who are a member of
that group are retrieved and displayed in the text box beneath.
14. After the agent has read all the security groups, it will read through the 50,000 most
recent log entries in each Domain Controller's security log, searching for logon events (the
event IDs are listed in note 2 below). (Again, this may take a while.) The PanAgent will
create a list of usernames and associated IPs. Click on Get All to see the IP-to-username mappings.
15. If you have a particular IP address in mind, and want to find out which user maps to that
IP, you can enter that IP to the left of the Get IP Information button. Click that button,
and the name associated with that IP will appear.
16. To confirm that the server running the PanAgent is listening on the port you configured
in a previous step, use the following command on the Windows machine:
netstat -an | find "xxxx"
where xxxx is the port number you configured earlier. The matching line should show the
port in the LISTENING state. Here is example output, showing that the UserID agent is in
fact listening on port 9999:
Note 2: Event IDs on Windows 2000 & 2003: 672, 673, 674. Event IDs on Windows Server 2008: 4624, 4768, 4769, 4770.
Part 2: Configuring the firewall to communicate with the PanAgent
17. Login to the Palo Alto Networks firewall as an administrator. Go to Device tab -> User
18. Under the section titled “User Identification”, Add the IP address and port of the
PanAgent that you just configured. Here is an example:
19. You must also enable user identification on each zone that you want to monitor. On the
Network tab -> Zones page, edit the appropriate zone. In the bottom left corner of the
zone properties page, check the box to Enable User Identification.
20. The firewall is now configured to talk to the PanAgent. Commit your changes at this
21. To confirm everything is configured properly, bring up a CLI to the firewall, and execute
this command:
show user pan-agent statistics
Things are working properly if you get output similar to below:
If you see the message “No pan-agent configured”, make sure you have committed your
22. Now view the list of usernames and IPs that the firewall has received from the PanAgent,
using this command:
show user ip-user-mapping
If there is a long list of users, and you want to determine if a particular user (example:
jpage) is in the list, use this command:
show user ip-user-mapping | match jpage
Or you can search the output for a particular source IP:
show user ip-user-mapping | match
23. You can view the defined AD usernames and associated groups using:
show user pan-agent user-IDs
In this example, the AD groups are being filtered to only keep track of the “domain
users” group.
Part 3: Testing
24. At this point, you can test by logging into the domain as a regular user on a machine in the
IP address range you specified to be monitored by the agent. After a few minutes,
usernames will appear in the traffic logs (Monitor tab -> Logs -> Traffic) as well as in
the ACC drill-downs of particular applications.
25. On the firewall, go to the Policies tab -> Security screen, and select one of the policies.
Edit the value in the Source User column. In the window that appears, you will see a
listing of Active Directory Groups—these were pulled from the domain. Recall that if
you filtered the groups, only the groups you specified will appear here.
Part 4: Troubleshooting Hints
26. If the firewall is not successfully communicating with the PanAgent, make sure that the
port you specified is open on the intermediate network. You can test this by telnetting
from the firewall to the Windows machine:
If there is a reply from the Windows machine (as shown above), you know that there isn’t
another device blocking the communication.
27. For testing purposes, you can clear the logged-in user database on the PAN firewall,
either for a single-IP, or the complete database:
clear user-cache ip
clear user-cache all
28. Ignoring Service Accounts
Some customers have batch files that execute after a user logs in, and these batch files
run as a different AD account. That service account may appear in the PanAgent user
database. If that is the case, you can tell the PanAgent to ignore that particular user
account. To do this, create a file called “ignore_user_list.txt” in the directory in which the
PanAgent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Insert
into that file the domainname\username of the service account that you want the
PanAgent to ignore. Note that the username is case sensitive.
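The following Python script is an added example and is not Palo Alto Networks code; it models, in one place, the mapping behaviour described in step 9 (Allow list and Ignore list), step 11 (Filter Group Members), step 14 (reading logon events from the DC security logs) and step 28 (ignore_user_list.txt). The domain name ACME, the usernames, the IP addresses and the group memberships are constructed sample data, and the events are reduced to the three fields the mapping needs rather than being real Windows event records.

```python
"""Added example, not Palo Alto Networks code: a small model of how a
security-log reader such as the PanAgent turns domain-controller logon
events into an IP-to-username table, applying the Allow list, Ignore list,
Filter Group Members list and ignore_user_list.txt described above.
All events, names and group memberships below are constructed sample data."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Logon-related event IDs quoted in this document's note 2
# (672-674 on Windows 2000/2003, 4624 and 4768-4770 on Windows Server 2008).
LOGON_EVENT_IDS = {672, 673, 674, 4624, 4768, 4769, 4770}

# Constructed sample records, reduced to the three fields the mapping needs.
# A real 4624 message carries a "Subject" block and a "New Logon" block; the
# account under "New Logon" and the "Source Network Address" are the fields
# that matter. Records are in chronological order (oldest first).
SAMPLE_EVENTS = [
    {"id": 4624, "user": "ACME\\jpage",      "ip": "10.1.10.25"},
    {"id": 4624, "user": "ACME\\svc_backup", "ip": "10.1.10.25"},    # logon script run as a service account
    {"id": 4624, "user": "ACME\\bbonham",    "ip": "10.1.20.7"},     # terminal server (Ignore list)
    {"id": 4624, "user": "ACME\\rplant",     "ip": "192.168.99.4"},  # outside the Allow list
    {"id": 4768, "user": "ACME\\jpjones",    "ip": "10.1.10.40"},    # Kerberos TGT request
    {"id": 4672, "user": "ACME\\jpage",      "ip": "10.1.10.25"},    # special privileges assigned: not a logon
    {"id": 4624, "user": "ACME\\jbonham",    "ip": "-"},             # console logon on the DC: no source address
    {"id": 4624, "user": "ACME\\contractor", "ip": "10.1.10.41"},
]

# Constructed group membership, as "Get LDAP tree" would return it.
GROUP_MEMBERS = {
    "Domain Users": {"ACME\\jpage", "ACME\\svc_backup", "ACME\\bbonham", "ACME\\rplant",
                     "ACME\\jpjones", "ACME\\jbonham", "ACME\\contractor"},
    "Engineering":  {"ACME\\jpage", "ACME\\jpjones"},
}


@dataclass
class AgentConfig:
    allow_list: list[str]     # subnets whose users are tracked
    ignore_list: set[str]     # single IPs inside the Allow list that are never tracked
    filter_groups: set[str]   # Filter Group Members; empty means every group is tracked
    ignore_users: set[str]    # contents of ignore_user_list.txt


def load_ignore_user_list(text: str) -> set[str]:
    """Parse ignore_user_list.txt: one DOMAIN\\username per line. The document
    states these names are case sensitive, so no normalisation is applied."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def tracked_users(group_members: dict[str, set[str]], filter_groups: set[str]) -> set[str] | None:
    """Lower-cased users belonging to at least one filtered group, or None when no
    filter is configured. AD group names are compared case-insensitively."""
    if not filter_groups:
        return None
    wanted = {g.lower() for g in filter_groups}
    users: set[str] = set()
    for group, members in group_members.items():
        if group.lower() in wanted:
            users.update(m.lower() for m in members)
    return users


def build_mapping(events, group_members, cfg: AgentConfig) -> dict[str, str]:
    """Return {ip: user} from logon events. The newest logon seen for an IP wins,
    which is why a service account can displace the real user (step 28)."""
    allowed = [ipaddress.ip_network(n) for n in cfg.allow_list]
    tracked = tracked_users(group_members, cfg.filter_groups)
    mapping: dict[str, str] = {}
    for ev in events:
        if ev["id"] not in LOGON_EVENT_IDS:
            continue
        try:
            ip = ipaddress.ip_address(ev["ip"])
        except ValueError:        # "-" and similar placeholders cannot be mapped to a client
            continue
        if ip.is_loopback or not any(ip in net for net in allowed):
            continue
        if str(ip) in cfg.ignore_list or ev["user"] in cfg.ignore_users:
            continue              # ignore_users is an exact, case-sensitive match
        if tracked is not None and ev["user"].lower() not in tracked:
            continue
        mapping[str(ip)] = ev["user"]
    return mapping


def get_ip_information(mapping: dict[str, str], ip: str) -> str | None:
    """Equivalent of the GUI's Get IP Information button."""
    return mapping.get(ip)


if __name__ == "__main__":
    cfg = AgentConfig(allow_list=["10.1.0.0/16"], ignore_list={"10.1.20.7"},
                      filter_groups={"Domain Users"},
                      ignore_users=load_ignore_user_list("ACME\\svc_backup\n"))
    for ip, user in sorted(build_mapping(SAMPLE_EVENTS, GROUP_MEMBERS, cfg).items()):
        print(f"{ip:<15} {user}")
```

Running the script with the Domain Users filter maps 10.1.10.25 to jpage (the later svc_backup logon is discarded by ignore_user_list.txt), 10.1.10.40 to jpjones and 10.1.10.41 to contractor; the terminal server, the address outside the Allow list, the non-logon event and the console logon with no source address produce no entries. Changing the ignore entry to a different case, for example acme\SVC_BACKUP, lets the service account through and 10.1.10.25 becomes svc_backup, which is the case-sensitivity pitfall step 28 warns about; narrowing the filter to Engineering drops contractor, which is why the document recommends keeping Domain Users in the filtered list.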
29. The PanAgent maintains a log file which is very useful for troubleshooting. The log file
can be viewed using File -> Show Logs.
To enable detailed information on the PanAgent operation, go to File -> Debug and
select Verbose. The logs will now display more detailed messages.
Appendix A
Creating a Domain Account for use with PanAgent Service
The PanAgent must have the ability to read the security log on the domain controllers. In
particular, the user right “Manage auditing and security log” must be given to that account.
The Domain Admins group has that user right by default. Note that this user right also lets
the holder clear the security log, which is why the optional step at the end of Part 3 of this
appendix exists. If you want to create an account that has more restrictive access than
Domain Admins, follow these steps.
Part 1: Creating the New Account, and Assigning the User Right
1. Log in to a domain controller as an administrator. Start Active Directory Users and
Computers. In an OU that is appropriate, create a new account. You can give it any name
you’d like.
Assign a password to the account, and uncheck the box user must change password at
next logon.
2. Now Edit the Default Domain Controller Security Policy, found under Programs ->
Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights
Assignment. You will see the screen below.
3. In the right-hand pane, locate the user right “Manage auditing and security log”. Double-click that entry. You will see that only Administrators have that user right.
4. Click Add User or Group.
5. Click Browse.
6. Enter the username of the account you just created, and click on Check Names to confirm
that account exists. The account name will become underlined.
7. Click Ok two times. The user right will now look like this:
8. Close that screen, as well as exit from the Default Domain Controller Security Policy
9. In order for this policy to take effect immediately, run this command on each domain
controller in the domain:
If you do not run this command on each DC, it will take up to 60 minutes for this change
to be propagated onto each DC.
Part 2: Assigning Permissions on PanAgent Installation Directory
You must edit the permissions on the installation directory for the PanAgent and give
the new account full control. Note that if you do not change the permissions, the new
PanAgent account will not be able to create the troubleshooting log in this directory.
10. Use Windows Explorer to drill down to C:\Program Files\Palo Alto Networks\PanAgent.
Right-click the directory name PanAgent, and select Properties.
11. In the PanAgent Properties window, select the Security tab, and click on the Advanced
button. The window will be similar to the following:
12. Click Add, and enter the name of the new account. Click Check Names to confirm that
you spelled the account name correctly.
13. Click Ok, and the following screen will appear.
14. In the Permission Entry for PanAgent window, check the box to Allow Full Control. All
the boxes below it will become checked. Click Ok. The Advanced Security Settings for
PanAgent window will now have a new entry at the top of the list:
15. Click Ok twice to close all permissions windows.
Part 3: Testing the New Account
16. To perform an initial test, logout of the DC, and log back into the DC as the new user
17. While logged in as the new user, start event viewer (hint: from a command prompt, you
can type eventvwr.msc.)
18. Confirm that the new user can view the events in the security log.
19. Use View -> Find to search for login events (event ID 672 on Windows 2000/2003,
event ID 4624 on Windows 2008). You should see numerous events of that type.
20. (OPTIONAL) If you want to further restrict this account from being able to clear the
security log, refer to Microsoft KB 323076.
Part 4: Configuring the PAN Agent Service to Use the New Account
21. At this point, you can log in to the server that is running the PanAgent, and
configure the PanAgent service to use the newly-created account.
22. Restart the service so that it will use the new account.
23. Confirm that you can view the troubleshooting log by starting the PanAgent GUI, and
going to File -> Show Logs.
If the log file does not exist, make sure you completed the steps in part 2 of this appendix.