Adding ISE as a Syslog Provider to Palo Alto for User-ID
Info to gather
-
IP Address and interface on each FW you want to
receive Syslogs
-
IP Address and interface on each FW you want to
receive Syslogs
· ISE
o
Understand your ISE deployment (single unit,
distributed, etc)
o
IP address of the Policy Service Nodes from
which the Syslogs will originate. Here forward ISE Policy Services Nodes maybe be called ISE PSN's or PSN.
· Network/Firewall
o
Ensure the ISE nodes can send udp 514 traffic
from the IP address above to the PaloAlto IP addresses above.
In order to receive User to IP mappings for ISE you will need to do these basic steps.
- Create the Palo Altos as syslog receivers within ISE.
- Configure ISE to send only RADIUS Accounting logs to the PAs that will be the log receivers.
- The accounting logs have the
username and IP (Framed-IP-Address) of the user.Create a syslog filter on the PaloAltos to filter the appropriate information. Key field info (and yes, the “,/s” matters, it signifies a space is to follow. The “=” is required too):
o
Type: Field Identifier
o
Event String:
o
Username Prefix:
User-Name=
o
Username Delimiter: ,/s
o
Address Prefix:
Framed-IP-Address=
o
Address Delimiter: ,/s
·
Configure each Policy Service Node within ISE as
a Server Monitor using the syslog filter just created. The IP address will be
the ISE PSN IP address. Again, each PSN will need to be added, if applicable.
o
If ISE is distributed, you do NOT need your
admin nor monitor nodes added
o
If it is a standalone, add the single ISE node
as a Server Monitor
·
Ensure that the receiving interface on the PaloAltos
allow User-ID Syslog UDP.
o
Option 1 – Interface Management Profile
o
Option 2 – Management profile (DO NOT LOCK
YOURSELF OUT!)
·
Ensure the zone with users to be identified have
USER-ID enabled. Use IP restrictions to limit.
·
Use the Include/Excluded Networks on Device à User Identification to
include/limit also.
·
Verify via command-line/SSH.
o
show user ip-user-mapping all | match SYSLOG
o
show user server-monitor state all
Configure ISE
Configure PaloAlto Firewalls as a Syslog Receiver
Log into to ISE.
Under the Administration Menu, Select Logging.
Under Logging, Select Remote Logging Targets
Click Add. Enter in the appropriate information. The IP address should be your intended receiving interface on your PaloAlto. Most Logging is sent over UDP port 514. Submit when complete.
If you have redundant devices and you are logging to different IPs, create a second entry.
Set ISE to send Accounting to your targets.
Stay in the Logging Menu and Select Logging Categories
Select Radius Accounting under the Category (not Accounting as is highlighted).
Move your newly created target(s) to the Selected: side and
save.
Configure the PaloAlto Firewalls
These instructions are in Panorama, but will work if follow
along directly on the firewalls.
Configure the Syslog Filter to pull extract the User-ID information
Select Device à
User Identification à
User Mapping à
Green Gear for Panorama; The plain gear will work for the firewalls directly.
Select Syslog Filters Tab, Click Add
Fill out the Syslog Parse Profile. You can use any Profile Name and Description you want.
You can use any Profile Name and Description you want.
The rest should be filled as above. PLEASE NOTE THE CHANGE IN EVENT STRING! Values are listed below.
·
Type: Field Identifier
·
Event String:
NOTICE Radius-Accounting: RADIUS Accounting
·
Username Prefix:
User-Name=
·
Username Delimiter: ,/s
·
Address Prefix:
Framed-IP-Address=
·
Address Delimiter: ,/s
The “,/s” looks for a comma and a blank space. Here is a
capture of a RADIUS syslog from which the info was gathered.
Click Ok to have the filter.
Click Ok to exist the User-ID Agent Setup.
--UPDATE--
I modified the Event String. ISE sends 3 major types of 300x series accounting logs. 3000 and 3001 are accounting start and watchdog updates. These two types of updates contain User-ID to IP address mapping information. 3002 are stops. They all lead with "NOTICE Radius-Accounting: RADIUS Accounting". Using the more generic log filter allows all of these to be parsed. My original setup missed the watchdogs so many of my user mappings were timing out. Thus, I was losing mappings. This helped greatly.
--UPDATE--
I modified the Event String. ISE sends 3 major types of 300x series accounting logs. 3000 and 3001 are accounting start and watchdog updates. These two types of updates contain User-ID to IP address mapping information. 3002 are stops. They all lead with "NOTICE Radius-Accounting: RADIUS Accounting". Using the more generic log filter allows all of these to be parsed. My original setup missed the watchdogs so many of my user mappings were timing out. Thus, I was losing mappings. This helped greatly.
Configure the Server Monitoring Information with the new Syslog Filter
We will need to add every Policy Service Node that does
authentication for the WLAN. You do NOT add your administration nor monitoring
nodes, only the Policy Service Nodes (PSNs). If it is an all in one system, add
the single ISE node. The syslogs are sent from the PSNs only.
Stay in Device à
User Identification à
User Mapping, Select Add under Server Monitoring
Fill out the User Identification Monitored server for EACH ISE PSN node.
Make sure to select the type as Syslog Sender. The Network
Address will the ISE PSN IP address. The filter will be the newly created
filter in the previous steps. The Default Domain Name will be your organization’s
domain name.
At this point, you can follow all the standard rules for
using a syslog server as a User ID source.
Remaining general steps:
- Fill-out included/excluded networks on the Device à User Identification tab.
- Ensure the interface you are sending syslogs for User-ID has User-ID Syslog enabled.
- Step 2 -- Option 1 --- Logging to a Network interface
- Create an Interface Management Profile under the Network à Network Profiles à Interface Mgmt
- Ensure User-ID Syslog Listener-UDP is enabled. Ensure the IP address of your PSN’s are permitted on the Permitted IP addresses tab.
- On Network à Interfaces, select the interface with the IP address the syslog senders are sending too, and enable the management profile under the advanced tab
S
Step 2 -- Option 2 – Sending Syslogs to your PA’s management interface
WARNINGS: BE CAREFUL
NOT TO LOCK YOURSELF OUT! CHANGING SETTINGS HERE CAN LOCK YOU OUT OF MANAGEMENT
ACCESS TO YOUR PALOALTOS!!! I’M NOT RESPONSIBLE IF YOU LOCK YOURSELF OUT.
If you manage over https, and ssh, make sure they boxes stay
selected
If you use SNMP, leave it selected
If you do not have any Permitted IP Address, DO NOT add
anything. All traffic is currently permitted. You might want to change that sometime, but that's a different topic.
a)
Select the Device Tab à Setup à Management à Management Interface
Settings
b)
Ensure User-ID Syslog Listener-UDP is selected.
c)
Add the Permitted IP addresses of your ISE nodes
(WARNING: Only if you have management interface IP restrictions! – be careful
not to lock yourself out. If you do not have restrictions, all traffic is
permitted, so DO NOT add anything!!! Please make sure you have your management workstation/network already added before adding these entries.)
3)
Enable User-ID on the appropriate zones.
Network à
Zones
Click on the appropriate zones. Add the networks to the User Identification ACL
