Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

6. Configure User-ID

  • Go to your Palo Alto user interface and log in

6.1 Configure an Interface Mgmt profile

⚠️ This management profile will be applied to the network interface that will receive the syslog messages from your new CentOS 7 server, so adapt it to your own needs!

  • Navigate to Network -> Network Profile -> Interface Mgmt
  • At the bottom, click “Add”
  • Choose a name for the User-ID profile
  • Check the option “User-ID Syslog Listener-UDP”
  • Click “OK”


6.2 Configure the interface to receive syslog messages

  • Navigate to Network -> Interface
  • Click on the interface that will handle the User-ID syslog messages
  • Under the “Advanced” tab, select the Interface Mgmt profile created in the previous step
  • Click “OK”

6.3 Configure a security rule

  • If needed, remember to create a security rule between your Cisco Wireless LAN Controller and your network interface that will receive the syslog messages.

6.4 Configure the User Identification

  • Navigate to Device -> User Identification
  • In the “Palo Alto Networks User-ID Agent Setup” section, edit the settings
  • Go to the “Syslog filter” tab and click “Add” to add a new filter for our Cisco WLC
    • Choose a name for the filter (here “Cisco WLC”)
    • Select “Field Identifier”
    • Fill “Event string” with: 9.9.599.1.3.1.1.27.0
    • Fill “Username Prefix” with: 9.9.599.1.3.1.1.27.0 = STRING: "
    • Fill “Username Delimiter” with: "\s
    • Fill “Address Prefix” with: IpAddress: <- ⚠️ SPACE AT THE END ⚠️
    • and fill “Address Delimiter” with: #\s
  • Check your settings and click “OK” to create the new profile


  • Click “OK” again to exit the settings
  • Next, on the “Server Monitoring” section, click “Add”
  • Add a name for this server configuration
  • Choose “Syslog Sender” as “Type”
  • Enter your CentOS 7 server IP address
  • Choose “UDP” as “Connection Type”
  • In the filter menu, choose your previously created “Syslog Filter”
  • Add your domain if it is not part of your Cisco WLC credentials


  • Click “OK” to validate
  • Commit the changes and Save the configuration
  • Connect to your Palo Alto through SSH and check that messages arrive:
show user server-monitor state all
Proxy: paloalto-userid.adminsys.ch(vsys: vsys1) Host: paloalto-userid.adminsys.ch(10.1.1.20)
 number of log messages : 48842
 number of auth. success messages : 22103

Your setup is now complete! 💪🏻🎉
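To sanity-check the Syslog filter values from step 6.4 before committing them, this added example (not part of the original article, and only an approximation of how a Field Identifier filter is applied) runs them over constructed syslog lines. The sample line layout, the `<client-ip-oid>` placeholder and the function names are assumptions; replace the samples with a line captured from your own relay server.

```python
import ipaddress

# Filter values from step 6.4. Quotes are plain ASCII; "\s" is the filter's notation for a space.
WLC_FILTER = {
    "event": "9.9.599.1.3.1.1.27.0",
    "user_prefix": '9.9.599.1.3.1.1.27.0 = STRING: "',
    "user_delim": '"\\s',
    "addr_prefix": "IpAddress: ",  # the trailing space matters
    "addr_delim": "#\\s",
}

# Constructed sample lines (assumed layout, not captured from a real WLC).
LOGIN = ('snmptrapd[2041]: <client-ip-oid> = IpAddress: 192.0.2.23# '
         '9.9.599.1.3.1.1.27.0 = STRING: "jdoe" # end')
OTHER = "snmptrapd[2041]: <other-oid> = INTEGER: 3# "


def _between(line, prefix, delim):
    """Return the text between prefix and delim, or None if either is missing."""
    prefix, delim = prefix.replace("\\s", " "), delim.replace("\\s", " ")
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = line.find(delim, start)
    return line[start:end] if end >= 0 else None


def extract_mapping(line, flt=WLC_FILTER):
    """Return (username, ip) for a login event, else None (simplified emulation)."""
    if flt["event"] not in line:
        return None  # not a line the filter treats as a login event
    user = _between(line, flt["user_prefix"], flt["user_delim"])
    addr = _between(line, flt["addr_prefix"], flt["addr_delim"])
    if not user or addr is None:
        return None
    try:
        ipaddress.ip_address(addr)  # a stray space or character fails here
    except ValueError:
        return None
    return user, addr


if __name__ == "__main__":
    for sample in (LOGIN, OTHER):
        print(extract_mapping(sample))
```

Passing a copy of the filter with the trailing space dropped from the address prefix, or with a typographic quote in the username prefix, makes the same login line yield no mapping.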

2 Replies to “Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)”

  1. Thanks for this great article. Did you already have time to create your new article avoiding the CentOS server?

    • Didn’t plan a new article ;-). On the WLC you only need to enable the logging syslog facility client associate option, and on the Palo Alto side you need to create a new Syslog receiver for User-ID.
