Palo Alto Active Directory and NetVizura End Users integration

pexels-andrea-piacquadio-3891063

NetVizura already has good Active Directory End Users integration - you can forward your logs from AD DC into NetVizura, and then correlate these login data with NetFlow data from your exporters. The result is a much better insight into the state of your network. 

Palo Alto has a functionality called User-ID (read more on the following page: User-ID). It allows you to export Palo Alto logs and map User-ID to the IP of the device users logged on to. An example of the login message would be:

This login message provides us with a couple of important details: 

           1. The name of the Palo Alto device is paloalto-01.soneco.local

           2. The user logged in on 2020-12-18T15:20:49+02:00

           3. IP from which user has logged in is 10.0.1.198

           4. We have domain\user that has logged on: soneco domain and john.adams as user.

Meaning, we have everything needed to map user in End Users view of NetVizura. The only thing necessary is to send the presented messages to port 33515 in NetVizura. In our documentation, we have thoroughly covered how to set user mapping (visit: End User Settings).

On the regex side, add the following:

Once you go through the required steps we have previously mentioned, user, domain and IP will be mapped to NetFlow data flowing to NetVizura from your Palo Alto device. In the end, just wait for 5 to 10 minutes (and for someone to log-in, of course), and you will be able to see users from all the domains Palo Alto administers. 

OPNsense NetFlow and EventLog configuration
Elasticsearch Windows upgrade

Related Posts

By accepting you will be accessing a service provided by a third-party external to https://www.netvizura.com/

Contact

Mailing and Visiting Address:
Soneco d.o.o.
Makenzijeva 24/VI, 11000 Belgrade, Serbia
Phone: +381.11.6356319
Fax: +381.11.2455210
sales@netvizura.com | support@netvizura.com

CONNECT WITH US:

linkedin facebook facebook