2.1 Ensure that IP addresses are mapped to usernames - Zones

Information

Configure appropriate settings to map IP addresses to usernames. Mapping user IDs to IP addresses is what permits the firewall to create rules based on user IDs and groups rather than IP addresses and subnets, and to log events by user ID rather than by IP address or DNS name. The specifics of how to achieve IP-to-username mapping are highly dependent on the environment. It can be enabled by integrating the firewall with a domain controller, Exchange server, captive portal, Terminal Server, User-ID Agent, XML API, or syslog data from a variety of devices.

Rationale:

Understanding which user is involved in a security incident allows appropriate personnel to move quickly between the detection and reaction phases of incident response. In environments with short DHCP lease times, or where users may move frequently between systems, the ability to analyze, report, or alert on events based on user accounts or user groups is a tremendous advantage. For forensics tasks where DHCP lease information may not be available, the Source User information may be the only way to tie together related data.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To Set User-ID Agents:
Navigate to Device > User Identification > User-ID Agents
Set the Name, IP Address and Port of the User-ID Agent
Enable User Identification for each monitored zone that will have user accounts:
Navigate to Network > Zone, for each relevant zone enable User Identification
To Set Terminal Services Agents:
Navigate to Device > Terminal Services Agents
Set the Name, IP Address and Port of the Terminal Services Agent
Enable User Identification for each monitored zone that will have Terminal Servers:
Navigate to Network > Zone, enable User Identification
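
The zone setting above can also be reviewed offline against an exported configuration. The following is an added example, not part of the benchmark or of the Nessus audit: it assumes a PAN-OS XML config export in which zones sit under each vsys entry and carry an `enable-user-identification` element, and it treats a missing element as disabled. The sample config, zone names and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <vsys><entry name="vsys1"><zone>
    <entry name="trust">
      <network><layer3><member>ethernet1/2</member></layer3></network>
      <enable-user-identification>yes</enable-user-identification>
    </entry>
    <entry name="guest-wifi">
      <network><layer3><member>ethernet1/3</member></layer3></network>
      <enable-user-identification>no</enable-user-identification>
    </entry>
    <entry name="terminal-servers">
      <network><layer3><member>ethernet1/4</member></layer3></network>
    </entry>
    <entry name="untrust">
      <network><layer3><member>ethernet1/1</member></layer3></network>
    </entry>
  </zone></entry></vsys>
</entry></devices></config>"""


def zones_missing_user_id(config_xml, user_zones):
    """Return sorted (vsys, zone) pairs for zones in user_zones without User-ID.

    A zone listed in user_zones but not found in the config is reported
    with vsys None, since a typo or rename would otherwise hide a gap.
    """
    wanted = set(user_zones)
    seen, findings = set(), []
    root = ET.fromstring(config_xml)
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for zone in vsys.iterfind("./zone/entry"):
            name = zone.get("name")
            if name not in wanted:
                continue  # zone holds no user accounts (e.g. untrust)
            seen.add(name)
            # Assumption: an absent element means User-ID is not enabled.
            flag = (zone.findtext("enable-user-identification") or "no")
            if flag.strip().lower() != "yes":
                findings.append((vsys.get("name"), name))
    findings += [(None, name) for name in wanted - seen]
    return sorted(findings, key=lambda f: (f[0] or "", f[1]))


if __name__ == "__main__":
    zones = {"trust", "guest-wifi", "terminal-servers"}
    for vsys, zone in zones_missing_user_id(SAMPLE_CONFIG, zones):
        print(f"User-ID not enabled: vsys={vsys} zone={zone}")
```

The list of zones that hold user accounts or Terminal Servers is supplied by the reviewer, because the benchmark only requires User Identification on those zones.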

See Also

https://workbench.cisecurity.org/benchmarks/8826

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|16, CSCv7|16.13

Plugin: Palo_Alto

Control ID: e985514748582452b47430dcd5298667016d8f499e5bdf14f57dd9aebe68b0c0