Pre-requisites
You should have a working knowledge of:
Active Directory
User-id feature on the Palo Alto Networks firewall
Components Used
The information in this document is based on these software and hardware versions:
Palo Alto Networks VM firewall running PANOS 7.1
Active Directory Services running on Microsoft 2012 r2 server, configured as a Domain controller
The information in this document was created from the devices in a specific lab environment.
If your network is live, make sure that you understand the potential impact of any command.
Background
The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain name.
It is used to normalize (convert) usernames and group names from the FQDN format to the corresponding NetBIOS domain name format.
For example, if the domain 'paloaltonetworks.com' is the FQDN, its equivalent NetBIOS domain name is 'paloaltonetworks'.
In an Active Directory environment a user who is a member of this domain has the username paloaltonetworks\username.
Details
Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from the Active Directory domain controllers, populates the domain map and then uses it to convert FQDNs to NetBIOS names.
For simplicity and ease of illustration, we'll break the workflow into three phases.
- PHASE 1 Retrieving the netbios domain name
The firewall requests the NetBIOS domain name as part of the LDAP partition query it sends during the LDAP refresh, populates its domain map and writes the entry into the dnsnetbios.map file.
It is fetched over the 389/636 LDAP connection (not over the Global Catalog ports 3268 or 3269).
All domain controllers should have this information.
Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,DC=<local|com>
ADSI Edit: connect to "Configuration" (ADSI - Active Directory Service Interfaces)
Here is the LDAP partition query response from the Active Directory domain controller to the firewall, showing:
Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
FQDN - 'test.kunaldc.com'
Netbios domain name - 'test'
- PHASE 2 Storing the netbios domain name
The 'dnsnetbios.map' file, which contains the FQDN and its NetBIOS domain name, is stored internally in the Linux-based directory structure on the firewall.
You can view the domain map from the firewall command line using 'debug user-id dump domain-map'.
The domain map persists across a device reload, even when you have deleted the group mapping profile for the respective domain.
Likewise, any NetBIOS domain name once learnt by the firewall continues to persist unless it is explicitly removed with the CLI command 'debug user-id clear domain-map'.
- PHASE 3 Apply the netbios domain name to user groups and members of these groups
The objective of the NetBIOS name is to:
1. Convert the 'fqdn\username' format to the NetBIOS domain name format, i.e. 'netbios\username'
Eg: the user testuser is a member of the Active Directory domain 'test.kunaldc.com'.
Its FQDN name format is 'test.kunaldc.com\testuser'.
Once the firewall learns the NetBIOS name of the Active Directory domain, it converts every username in FQDN format to the NetBIOS name format.
Hence the FQDN username format 'test.kunaldc.com\testuser' is converted to 'test\testuser'.
2. Normalize the groups from the full DN to the short name format
In the absence of the domain map, all AD groups are recognized in their full domain name format.
A group named sme_group whose full DN format is
'cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc,dc=com' is converted into 'test\sme_group'.
Similarly, the user who is a member of sme_group and of the Active Directory domain 'test.kunaldc.com' is also transformed from 'test.kunaldc.com\testuser' to 'test\testuser'.
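To make phases 1 and 3 concrete, here is an added example (not firewall code or any Palo Alto Networks tool) that builds a domain map from a constructed LDIF-style dump of the crossRef objects under CN=Partitions, then applies it to usernames and group DNs the way the article describes. The attribute names (dnsRoot, nETBIOSName, nCName) are the real AD attributes on those objects; the sample entries and the lowercasing of the NetBIOS name to match the article's 'test\testuser' output are assumptions.

```python
# Constructed sample of what the LDAP partition query returns: one crossRef
# per partition. Only domain partitions carry nETBIOSName; the Configuration
# partition entry has none and must be skipped when building the map.
PARTITION_RESPONSE = """\
dn: CN=TEST,CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
nCName: DC=test,DC=kunaldc,DC=com
dnsRoot: test.kunaldc.com
nETBIOSName: TEST

dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
nCName: CN=Configuration,DC=test,DC=kunaldc,DC=com
dnsRoot: test.kunaldc.com
"""


def build_domain_map(ldif: str) -> dict:
    """Phase 1: map FQDN -> NetBIOS name from crossRef entries that carry both
    dnsRoot and nETBIOSName. Keys and values are lowercased (assumed)."""
    domain_map = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines())
        if "nETBIOSName" in attrs and "dnsRoot" in attrs:
            domain_map[attrs["dnsRoot"].lower()] = attrs["nETBIOSName"].lower()
    return domain_map


def normalize_user(user: str, domain_map: dict) -> str:
    """Phase 3.1: 'fqdn\\user' -> 'netbios\\user'. A user with no domain part,
    or from a domain the map has not learnt, is returned unchanged."""
    domain, sep, name = user.rpartition("\\")
    if not sep:
        return user
    return domain_map.get(domain.lower(), domain) + "\\" + name


def normalize_group(dn: str, domain_map: dict) -> str:
    """Phase 3.2: full group DN -> 'netbios\\cn'. The domain FQDN is rebuilt
    from the dc= components; with no map entry the full DN stays as-is,
    which is the 'absence of the domain map' case in the article."""
    parts = [p.strip() for p in dn.split(",")]
    cn = next((p.split("=", 1)[1] for p in parts if p.lower().startswith("cn=")), None)
    fqdn = ".".join(p.split("=", 1)[1] for p in parts if p.lower().startswith("dc="))
    netbios = domain_map.get(fqdn.lower())
    if cn is None or netbios is None:
        return dn
    return netbios + "\\" + cn


if __name__ == "__main__":
    dm = build_domain_map(PARTITION_RESPONSE)
    print(dm, normalize_user("test.kunaldc.com\\testuser", dm))
```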
NOTE
1. The PAN firewall applies the normalization both to users retrieved through the IP-user mapping mechanisms (User-ID agent, agentless, syslog, XML API, etc.) and to users retrieved from the Active Directory domain controllers via LDAP.
2. The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup.
The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.