Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

6. Configure User-ID

  • Go to your Palo Alto user interface and log in

6.1 Configure an Interface Mgmt profile

⚠️ This management profile will be applied to the network interface that will receive the syslog messages from your new CentOS 7 server. So you need to adapt it to your own needs !

  • Navigate to Network -> Network Profile -> Interface Mgmt
  • At the bottom, click “Add”
  • Choose a name for the User-ID profile
  • Check the option “User-ID Syslog Listener-UDP”
  • Click “OK”

paloalto-userid_cisco-wlc00004

6.2 Configure the interface to receive syslog message

  • Navigate to Network -> Interface
  • Click on the interface that will handle the User-ID syslog messages
  • Under the “Advanced” tab, select the Interface Mgmt profile created in the previous step
  • Click “OK”

6.3 Configure a security rule

  • If needed, remember to create a security rule between your Cisco Wireless LAN Controller and your network interface that will receive the syslog messages.

6.4 Configure the User Identification

  • Navigate to Device -> User Identification
  • In the “Palo Alto Networks User-ID Agent Setup” section, edit the settings
  • Go to the “Syslog filter tab” and click “Add” to add a new filter for ou Cisco WLC
    • Choose a name for the filter (here “Cisco WLC”)
    • Select “Field Identifier”
    • Fill “Event string” with: 9.9.599.1.3.1.1.27.0
    • Fill “Username Prefix” with: 9.9.599.1.3.1.1.27.0 = STRING: “
    • Fill “Username Delimiter” with: “\s
    • Fill “Address Prefix” with: IpAddress: <- ⚠️ SPACE AT THE END ⚠️
    • and fill “Address Delimiter” with: #\s
  • Control your settings the image below and click “OK” to create the new profile

paloalto-userid_cisco-wlc00005

  • Click “OK” again to exit the settings
  • Next, on the “Server Monitoring” section, click “Add”
  • Add a name for this server configuration
  • Choose “Syslog Sender” as “Type”
  • Enter your CentOS 7 server IP address
  • Choose “UDP” as “Connection Type”
  • In the filter menu, choose your previously created “Syslog Filter”
  • Add your domain if not a part of your Cisco WLC credential

paloalto-userid_cisco-wlc00006

  • Click “OK” to validate
  • Commit the changes and Save the configuration
  • Connect your Palo Alto though SSH and check if messages arrive:
show user server-monitor state all
Proxy: paloalto-userid.adminsys.ch(vsys: vsys1) Host: paloalto-userid.adminsys.ch(10.1.1.20)
 number of log messages : 48842
 number of auth. success messages : 22103

Since now, your setup is complete! 💪🏻🎉

Leave a Reply

Your email address will not be published. Required fields are marked *

*