Name: #paloaltofirewalltraining | Day 36 | How to configure user-id | Detailed Explanation | Lab
Uploaded: 2025-04-20 19:53:47
Duration: 36 min 30 s

Question 1

How do I configure User-ID on a Palo Alto firewall using Active Directory?

Accepted Answer

In my lab, I first prepare the Windows Server as AD (test.com) and create a service account for Palo Alto. Then on the firewall I configure Service Route so LDAP/Kerberos/User-ID go via the inside interface, not management. After that I create the LDAP server profile with Base DN (dc=test,dc=com) and bind credentials, and then I enable User-ID and commit.

Question 2

Why do I need to change Service Route for User-ID and LDAP on Palo Alto?

Accepted Answer

By default, Palo Alto points service routes to the management interface. In my topology, the AD server is reachable through ethernet1/1 (inside), not through mgmt, so User-ID will fail if you don’t change it. That’s why I set DNS, Kerberos, LDAP, and User-ID service routes to interface 1/1 and then commit.

Question 3

What permissions are required for the Palo Alto User-ID service account in AD?

Accepted Answer

I create a dedicated user (I named it “Palo Alto”) and then I add it to groups like Event Log Reader, Administrator, Server Operator, and DCOM-related permissions as per the requirement. I also go to WMI management (wmimgmt.msc) and give Remote Enable, Read Security, and Edit Security on CIMV2. These rights are needed so the account can read login events and share them to the firewall.

Question 4

How do I verify User-ID is working on Palo Alto?

Accepted Answer

I verify it from both sides. On Windows Server, I check Event Viewer → Windows Logs → Security and confirm the user login event (like lab1) with the client IP. On the firewall, I use CLI to check the user mapping table (show user ip-user-mapping) and confirm the IP is mapped to the correct username and domain.

Question 5

How do I create user-based security policy with AD groups on Palo Alto?

Accepted Answer

I configure Group Mapping using the LDAP profile so the firewall can see AD groups. Then I create a group in AD (like “employee”) and add the user (lab1) into that group. In the security policy, I select the Source Zone (inside) and choose the Source User/Group, then allow required destinations and commit.

Question 6

Why is DNS configured on the Windows client and server in this User-ID lab?

Accepted Answer

In my setup, DNS is important because the client needs to find and join the domain (test.com). That’s why on the Windows client I set DNS to the AD server IP (192.168.10.50). Without proper DNS, domain join and authentication will not work properly, and then User-ID mapping will also not be reliable.

Question 7

Do I need SSL/TLS for LDAP when configuring User-ID?

Accepted Answer

In this video I keep it simple and use standard LDAP on port 389 without SSL/TLS. I also mention that if you enable security/certificate, then the port changes and you need proper certificates. For lab and learning, non-SSL LDAP is fine, but in production you should plan for secure LDAP.

#paloaltofirewalltraining | Day 36 | How to configure user-id | Detailed Explanation | Lab

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech