Wednesday, 24 May 2017

All about User-id domain map in Palo Alto

Pre-requisites

 You should have a working knowledge of:
  Active Directory 
  User-id feature on the Palo Alto Networks firewall

Components Used

The information in this document is based on these software and hardware versions:
  Palo Alto Networks VM firewall running PANOS 7.1
  Active Directory Services running on Microsoft 2012 r2 server, configured as a Domain controller

The information in this document was created from the devices in a specific lab environment. 
If your network is live, make sure that you understand the potential impact of any command.

 
Background 

Palo Alto Networks firewall uses the domain map to store the fully qualified active directory domain name (fqdn) and its equivalent netbios domain (netbios name).

It's used to normalize or convert the username and groupnames from FQDN to their corresponding netbios domain name format.

For example, consider the domain 'paloaltonetworks.com' as the fqdn, then its equivalent netbios domain name is 'paloaltonetworks'

In an active directory environment a user which is a member of this domain will have its username as paloaltonetworks\username.

Details

 Let us take a deeper look as to how the firewall retrievesthe netbios domain name from active directory domain controllers, populate the domain map and then use it for conversion of fqdn to netbios name.

For the sake of simplicity and ease of illustration we'll break the work flow into three phases.


  • PHASE 1   Retrieving the netbios domain name 

Firewall sends the request for the netbiosname domain name while sending the LDAP partition query during LDAP refresh , populates it’s domain map and writes this entry into the dnsnetbios.map file

Fetched through 389/636 LDAP connection (not Global Catalog one's - 3268 or 3269)

All Domain Controllers should have this info 

Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,
DC=<local|com>
ADSI Edit: Connect to "Configurations“ (ADSI - Active Directory Service Interfaces)
 
ADSI_Edit.JPG

 
Here's the LDAP partition query response from the active directory domain controller to the firewall showing the :
 
Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com 
FQDN - 'test.kunaldc.com'
Netbios domain name - 'test' 

LDAP_PCAP.JPG


  • PHASE 2    Storing the netbios domain name 

The dnsnetbios.map  file which contains the fqdn and it's netbios domain name is stored internally in the linux based directory structure on the firewall

You can view the domain-map from the command line of the firewall using 'debug user-id dump domain-map'

domain map.JPG

The domain map persists a device reload, even when you’ve deleted the group mapping profile for a respective domain

Along with this any netbios domain name once learnt on the firewall continues to persist unless explicitly removed via the cli command ‘debug user-id clear domain-map’


  • PHASE 3   Apply the netbios domain name to user groups and members of these groups 

The objective of the netbios name is to 

1.   Convert 'fqdn\username' formats to netbios domain name i.e. 'netbios\username' format
   Eg: Username test is a member of the active directory domain 'test.kunaldc.com'
          It's fqdn name format is 'test.kunaldc.com\testuser' 

Once the firewall learns about the netbios name of the active directory domain then it will convert all the fqdn username format to netbios name formats 
 show_user_userids.JPG


Hence the fqdn username format of 'test.kunaldc.com\testuser'  is converted to 'test\testuser'
 
 
2.   Normalize the groups from full dn to short name format
In absence of the domain maps all AD groups are recognized in their full domain name format

A group named sme_group  whose full dn name format is 
'cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc.com,dc=com' 
 is converted into  'test\sme_group'
Simialrly, the user which is a member of sme_group and the active directory domain 'test.kunaldc.com' is also transformed from 'test.kunaldc.com\testuser' to 'test\testuser'

short_group_name.JPG



NOTE
 
1.  PAN firewall applies the normalization on the users retrieved from ip-user mapping mechanisms (using methods such as - userid agent, agentless, syslog,xmlapi etc) as well as the users retrieved from active directory domain controllers using LDAP 
user mapping 2.JPG
 
2.  Domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup
The passive device must at some point serve as an active device in the HA in order to connect to the active directory server to fetch the netbios domain name via the ldap partition query 

No comments:

PAN-OS Supported ciphers

Following is a list of supported ciphers for PAN-OS 7.1 and later: SSLv3 Ciphers Supported (No change from PAN-OS 7.0) Non-FIPS mod...