If you’re using DHCP on a PAN device and want a simple way to identify users’ machines and phones by device name, you can do so easily with syslog.
This setup will convert this log line from DHCP:
DHCP lease started ip 192.168.18.140 --> mac 34:02:86:XX:XX:XX - hostname PCNO00198, interface ethernet1/2
To This:
This works from 8.0.0 and up.
My setup:
Ethernet1/1 -> x.x.x.x Untrust
Ethernet1/2 -> 192.168.18.1 INSIDE (DHCP Server)
Ethernet1/3 -> 10.198.100.1 Guest (DHCP Server)
All service routes are set up to use Ethernet1/2, 192.168.18.1 (since I don’t use the dedicated management port). User Identification ACL has to be enabled for the zone you want to monitor:
Step 1:
Under Device, Server Profiles, Syslog, create a syslog profile that forwards logs over UDP port 514 to your own device’s interface IP.
Step 2:
Then go to Log Settings and create a new Log Setting-System. Add (eventid eq lease-start) as the filter, and add the syslog profile you created in step 1.
Step 3:
Create a syslog filter. Go to User Identification, User Mapping, then Palo Alto Networks User-ID Agent Setup, then Syslog Filters, Add. Name it something like PA-DHCP and use Regex Identifier:
Event Regex: DHCP\ lease\ started
Username Regex: hostname ([a-zA-Z0-9\_\[\]\-]+)
Address Regex: ip ([A-F0-9a-f:.]+)
Step 4:
Under User Identification, add a new Server Monitoring entry (User Identification Monitored Server): Enabled, Type Syslog Sender, the IP of the sender (in my case 192.168.18.1, because of service routes), Connection Type UDP, and the syslog filter you created in step 3.
Step 5:
Allow the interface to be used as a User-ID syslog listener over UDP. Go to Network, then Network Profiles, then Interface Mgmt. Create an Interface Management profile and allow User-ID Syslog Listener-UDP.
Attach this profile to the interface (in my case Ethernet1/2, 192.168.18.1).
And you’re good to go!
TIP: Be sure to have the right service routes configured if you’re not using the management interface.
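To check the Step 3 regexes before entering them on the firewall, the following added example (not part of the original post) runs them in Python against the sample log line above and a few constructed variants. The `map_lease` function, the way it chains the three regexes, and the extra IP validation are assumptions of this example, not PAN-OS behaviour.

```python
import ipaddress
import re

# The three regexes from Step 3, copied verbatim from the post.
EVENT_RE = re.compile(r"DHCP\ lease\ started")
USERNAME_RE = re.compile(r"hostname ([a-zA-Z0-9\_\[\]\-]+)")
ADDRESS_RE = re.compile(r"ip ([A-F0-9a-f:.]+)")


def map_lease(line):
    """Return (hostname, ip) for a lease-start line, or None if no mapping results.

    Assumed model of the filter: the event regex must match, then the first
    capture group of the username and address regexes is taken.
    """
    if not EVENT_RE.search(line):
        return None  # not a lease-start event, ignored
    user = USERNAME_RE.search(line)
    addr = ADDRESS_RE.search(line)
    if not user or not addr:
        return None  # hostname or address missing from the line
    try:
        # Extra check added here: the address class also matches strings
        # such as "dead.beef", so confirm it parses as an IP address.
        ip = ipaddress.ip_address(addr.group(1))
    except ValueError:
        return None
    return user.group(1), str(ip)


# First line is the sample from the post; the rest are constructed variants.
SAMPLES = [
    "DHCP lease started ip 192.168.18.140 --> mac 34:02:86:XX:XX:XX - hostname PCNO00198, interface ethernet1/2",
    "DHCP lease started ip 192.168.18.141 --> mac 34:02:86:XX:XX:XX - hostname lab-pc.example, interface ethernet1/2",
    "DHCP lease started ip 192.168.18.142 --> mac 34:02:86:XX:XX:XX - hostname , interface ethernet1/2",
    "DHCP lease expired ip 192.168.18.140 --> mac 34:02:86:XX:XX:XX - hostname PCNO00198, interface ethernet1/2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(map_lease(sample), "<-", sample)
```

The dotted hostname shows that the username character class stops at the first `.`, so FQDN-style names are mapped by their first label only. Because the hostname is supplied by the DHCP client, these mappings identify devices but do not authenticate them.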
One response to “Using DHCP on PAN device as User-ID, based on device-name”
I’ve been surfing online greater than three hours lately, yet I by no means found any attention-grabbing article like yours. It’s pretty value enough for me. Personally, if all web owners and bloggers made just right content as you probably did, the web will probably be a lot more useful than ever before.