USER-ID log from VPN Cisco concentrator

Dear community, how is everything going ?

Have you ever had to do the following?

We have to integrate a Cisco ASA, with Palo Alto, so that the PA receives from a Cisco ASA and/or Cisco ISE the users to be able to have mapper with USER-ID the users that connect by VPN. ( There is no global protect )

Details:

Cisco ASA --- Cisco ISE ( AAA ) users with any connect - Flows through PA.

They want the Palo Alto firewalls to be able to read the users that when a user connects via VPN to the Cisco ASA, the Palo Alto FW receives the information from the Cisco ASA and/or the Cisco ISE on the PA, so that the User-ID can somehow get that information from those users.

Clarifications, the PA does not have and should not use Global Protect. The Palo Alto FW must receive the information from the Cisco ASA and/or Cisco ISE when VPN users connect, Palo Alto can map them and see them in the User Log fields of the PA when traffic passes through it.

Please can you guide me and/or indicate me how to achieve this goal, at least as a base, limitations, considerations and/or guide to achieve this issue.

Thanks for your time and collaboration

I remain attentive

Best regards

4 comments

Comments (4)

Reaper

Mar 20

In the user-id agent (both vlient and clientless) there is an option to enable a syslog receiver, this even has templates for Cisco ISE.

If you don't see this se tonight in the agent, you may need to upgrade the agent (or PAN-OS for clientless)

You can then set up syslog forwarding for authentication ticstion events from the Cisco ISE towards the agent/firewall and populate user-id

MetgatzGR

Mar 30

Replying to

HI master @Reaper What happens master is that this is the way it is.

We have the PA, operating, we have operating two servers with Windows User-Agent, everything is fine from there.

This Firewall this HA of PA is an internal firewall, closer to the servers and applications. Everything operates fine with the Windows User Agent, on two servers, connected to the AD all fine with the User-ID.

Now we need to be able to map the users that connect by VPN from an ASA that is the VPN concentrator, not the PA, the PA does not have GP and the PA fulfills other roles, therefore all well with the User-ID from that scope.

Now what we need is that the ASA or the ISE (AAA of the ASA) sends the logs so that the AP can map those connections.

That is why we must apply a Syslog-Parser for those connections that are born in the ASA and so the AP has the USER-ID of the ASA users and in turn of the mapping of the virtual Ip of the users that are connected by anyconnect.

Users-Endpoint-Anyconnect--------ASA-----------Internal network------PA-internal----Windows Servers-Users Agent OK with the AD and the user recognition.

The missing point to integrate is that source of the USER-ID.

These events to map with syslog parser can help from ASA:

746012Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reasonExplanation: A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.

746013Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name \user_name result - reasonExplanation: A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.

thank you master for your time and collaboration.

I remain attentive

Edited

Forum: Forum