Manage Event logs to Generate IP Address-to-User Mapping
SRX Series and NFX Series devices gather IP address, user, and group information from Windows Active Directory domain controller event logs and add it to the Active Directory authentication table. The resulting authentication entries serve as the source for authentication.
Understanding How the WMIC Reads the Event Log on the Domain Controller
This topic includes the following sections:
- Windows Management Instrumentation Client
- WMIC Reads the Event Log on the Domain Controller
- Specifying IP Filters to Limit IP-to-User Mapping
- Event Log Verification and Statistics
Windows Management Instrumentation Client
When you configure the integrated user firewall feature on a device, the device establishes a Windows Management Instrumentation (WMI)/Distributed Component Object Module (DCOM) connection to the domain controller. The device acts as a WMI client (WMIC). It reads and monitors the security event log on the domain controller. The device analyzes the event messages to generate IP address-to-user mapping information.
All configuration regarding the WMIC is optional; it will function with default values. After the domain is configured (by the set services user-identification active-directory-access domain statement), the WMIC starts to work. The WMIC connection to the domain controller uses the same user credentials as those configured for the domain.
Integrated user firewall uses NTLMv2 as the default WMIC authentication protocol for security reasons. NTLMv1 exposes the system to attacks in which authentication hashes could be extracted from NTLMv1 authentication responses.
For compatibility with integrated user firewall, you must apply the latest version of the Microsoft SP2 patch if you are running an older version of Windows OS, including Windows 2000, Windows XP, and Windows 2003.
WMIC Reads the Event Log on the Domain Controller
The following behaviors apply to reading the event log:
- The device monitors the event log at a configurable interval, which defaults to 10 seconds.
- The device reads the event log for a certain timespan, which you can configure. The default timespan is one hour. Each time the WMIC starts, the device compares the last timestamp with the timespan: if the last timestamp is older than the timespan, the timespan takes effect. After the WMIC and the UserID process are running, the timespan no longer applies; the device simply reads the latest event log entries.
- The device can read the event log to obtain IPv6 addresses in addition to IPv4 addresses.
- During WMIC startup, the device has a maximum count of events it will read from the event log, and that maximum is not configurable.
  - On SRX300, SRX320, SRX340, SRX345, and SRX380 devices, the maximum count is 100,000.
  - On SRX5400, SRX5600, and SRX5800 devices, the maximum count is 200,000.
- During WMIC startup, this maximum count is used together with the timespan setting: if either limit is reached, the WMIC stops reading the event log.
- After a failover, the device reads the event log from the latest event log timestamp.
- In a chassis cluster environment, the WMIC works on the primary node only.
Specifying IP Filters to Limit IP-to-User Mapping
You can specify IP filters to limit the IP address-to-user mapping information that the device generates from the event log.
To understand when a filter is useful for such mapping, consider the following scenario. A customer deploys 10 devices in one domain, and each device controls a branch. All 10 devices read the login event logs of all 10 branches' users in the domain controller. However, each device needs to detect only whether a user is authenticated on the branch it controls. By configuring an IP filter on the device, the device reads only the event log entries for the IP addresses under its control.
You can configure a filter to include or exclude IP addresses or prefixes. You can specify a maximum of 20 addresses for each filter.
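As an added illustration (not Juniper's code or the device's implementation), the following Python models the two mechanisms described above: the startup read, which resumes from the last recorded timestamp unless that is older than the timespan and stops at the timespan or the fixed maximum count, and the include/exclude IP filter of at most 20 entries per list. The event records, timestamps, prefixes and the SAMPLE_NOW value are constructed sample data.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logon events (timestamp, source IP, user): invented values,
# not taken from the page. IPv6 logons are read alongside IPv4 ones.
EVENTS = [
    (datetime(2024, 1, 1, 9, 0), "10.1.1.10", "alice"),
    (datetime(2024, 1, 1, 9, 30), "10.1.2.20", "bob"),
    (datetime(2024, 1, 1, 9, 45), "fd00::20", "carol"),
    (datetime(2024, 1, 1, 10, 5), "10.1.1.11", "dave"),
    (datetime(2024, 1, 1, 10, 10), "10.1.1.12", "erin"),
]
SAMPLE_NOW = datetime(2024, 1, 1, 10, 20)  # the moment the WMIC starts

def startup_read(events, now, last_timestamp=None,
                 timespan=timedelta(hours=1), max_count=100_000):
    """WMIC startup read: resume from the last recorded timestamp unless it is
    older than the timespan; stop at the timespan or the fixed max count."""
    start = now - timespan
    if last_timestamp is not None and last_timestamp > start:
        start = last_timestamp
    selected = []
    for ts, ip, user in sorted(events, key=lambda e: e[0], reverse=True):
        if ts <= start or len(selected) >= max_count:
            break
        selected.append((ts, ip, user))
    return selected  # newest first

class IPFilter:
    """Include/exclude filter, 20 entries per list: an address must miss every
    exclude entry and, when includes are configured, hit one of them."""
    MAX_ENTRIES = 20
    def __init__(self, include=(), exclude=()):
        if len(include) > self.MAX_ENTRIES or len(exclude) > self.MAX_ENTRIES:
            raise ValueError("a filter accepts at most 20 addresses or prefixes")
        self.include = [ip_network(p, strict=False) for p in include]
        self.exclude = [ip_network(p, strict=False) for p in exclude]
    def allows(self, ip):
        addr = ip_address(ip)
        if any(addr in net for net in self.exclude):
            return False
        return not self.include or any(addr in net for net in self.include)

def build_mapping(events, now, ipfilter, **limits):
    """Newest logon per address wins; addresses the filter rejects are skipped."""
    mapping = {}
    for _, ip, user in startup_read(events, now, **limits):
        if ipfilter.allows(ip):
            mapping.setdefault(ip, user)
    return mapping
```

Entries that arrive through fwauth are not passed through the filter, so they would bypass build_mapping entirely.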
Event Log Verification and Statistics
You can verify that the authentication table is getting IP address and user information by issuing the show services user-identification active-directory-access active-directory-authentication-table all command. A list of IP address-to-user mappings is displayed for each domain. The table contains no group information until LDAP is running.
You can see statistics about reading the event log by issuing the show services user-identification active-directory-access ip-user-mapping statistics domain command.
Using Firewall Authentication as an Alternative to WMIC
This topic includes the following sections:
- WMIC Limitations
- Firewall Authentication as a Backup Method for IP Address-to-User Mappings
WMIC Limitations
The primary method for the integrated user firewall feature to get IP address-to-user mapping information is for the device to act as a WMI client (WMIC). However, the WMIC has limitations, such as the following:
On Windows XP or Windows Server 2003, the Windows firewall does not allow the WMIC request to pass through because of the dynamic port allocation of the Distributed Component Object Model (DCOM). Therefore, on these operating systems the PC does not respond to the WMIC probe when the Windows firewall is enabled.
Because the event-log-reading and PC probe functions both use WMI, using a global policy to disable the WMI-to-PC probe also affects event log reading.
Because these cases might result in the failure of the PC probe, a backup method for getting IP address-to-user mappings is needed. That method is to use firewall authentication to identify users.
Firewall Authentication as a Backup Method for IP Address-to-User Mappings
If you want to use firewall authentication to identify users for the integrated user firewall feature, specify a domain name in the set security policies from-zone trust to-zone untrust policy <policy-name> then permit firewall-authentication user-firewall domain <domain-name> statement.
If a domain is configured in that statement, fwauth recognizes that the domain is for a domain authentication entry, and will send the domain name to the fwauth process along with the authentication request. After it receives the authentication response, fwauth deletes that domain authentication entry. The fwauth process sends the source IP address, username, domain, and other information to the USERID process, which verifies that it is a valid domain user entry. The subsequent traffic will hit this user firewall entry.
The Active Directory authentication entry that comes from the fwauth process is not subject to the IP filters.
Understanding Integrated User Firewall Domain PC Probing
This topic includes the following sections:
- Overview of Domain PC Probing
- Probing Domain PCs for User Information
- Probe Response
- Probe Configuration
- Probe Rate and Statistics
Overview of Domain PC Probing
At a high level, the integrated user firewall feature gathers IP address, user, and group information from Windows Active Directory domain controller event logs and LDAP services. This information is used to generate Active Directory authentication table entries on a device. Authentication entries serve as the authentication source for security policies that enforce user-based or group-based access control.
PC probing acts as a supplement to event log reading. When a user logs in to the domain, the event log contains that information. The PC probe is triggered only when the event log has yielded no IP address-to-user mapping for the address.
Domain information constantly changes as users log in and out of domain PCs. The integrated user firewall probe functionality provides a mechanism for tracking and verifying information in the authentication tables by directly probing domain PCs for IP address-to-user mapping information. New and changed information identified by the probe serves to update Active Directory authentication table entries, which is critical to maintaining firewall integrity.
The IP address filter also affects the PC probe. Once you configure the IP address filter, only the IP addresses specified in the filter are probed.
Probing Domain PCs for User Information
The integrated user firewall feature tracks the online status of users by probing domain PCs. If a user is not online or is not an expected user, the Active Directory authentication table is updated as appropriate. The following probe behaviors apply:
Probe Type | Description
---|---
On-demand probing | On-demand probing occurs when a packet is dropped due to a missing entry in the Active Directory authentication table. In this case, an entry is added in pending state to the authentication table, and the domain PC identified by the source IP field of the dropped packet is probed for IP address and user information. The entry remains in pending state until a response is received from the probe.
Manual probing | Manual probing is used to verify and troubleshoot the online status of a user or a range of users, and is at the discretion of the system administrator. To initiate a manual probe, use the (command name not preserved on this page). Note: Manual probing can cause entries to be removed from the Active Directory authentication table. For example, if there is no response from your PC due to a network issue, such as when the PC is too busy, the IP address entry of the PC is marked as invalid and your access is blocked.
If the device cannot access a domain PC for some reason, such as a network configuration or Windows firewall issue, the probe fails.
Probe Response
Based on the domain PC probe response, updates are made to the Active Directory authentication table, and associated firewall policies take effect. If no response is received from the probe after 90 seconds, the authentication entry times out. The timed-out authentication entry is the pending state authentication entry, which is generated when you start the PC probe.
If the probe is successful, the state of the authentication entry is updated from pending to valid. If the probe is unsuccessful, the state of the authentication entry is marked as invalid. The invalid entry has the same lifetime as a valid entry and is overwritten by upcoming fwauth (firewall authentication process) authentication results or by the event log. Table 1 lists probe responses and corresponding authentication table actions.
Probe Response from Domain PC | Active Directory Authentication Table Action
---|---
Valid IP address and username | Add IP-related entry.
Logged on user changed | Update IP-related entry.
Connection timeout | Update IP-related entry as invalid.
Access denied | Update IP-related entry as invalid.
Connection refused | Update IP-related entry as invalid.
Authentication failed (The configured username and password have no privilege to probe the domain PC.) | Update IP-related entry as invalid.
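To make Table 1 and the 90-second pending timeout concrete, here is an added Python model of how the authentication table handles on-demand probe entries (illustrative code, not the device's implementation): a dropped packet creates a pending entry, each response applies its Table 1 action, event log or fwauth results overwrite invalid entries, and unanswered pending entries expire. The response names, IP addresses and timestamps are constructed.

```python
from dataclasses import dataclass

PENDING_TIMEOUT = 90  # seconds an unanswered pending entry survives (page: 90 s)
# Probe results from Table 1 that mark the probed address's entry invalid.
INVALIDATING = {"connection timeout", "access denied",
                "connection refused", "authentication failed"}

@dataclass
class Entry:
    user: "str | None"
    state: str      # "pending", "valid" or "invalid"
    created: float  # seconds; when the entry was created

class AuthTable:
    def __init__(self):
        self.entries = {}

    def packet_without_entry(self, ip, now):
        """On-demand probe trigger: a dropped packet whose source IP has no
        entry gets a pending entry while the domain PC is probed."""
        if ip not in self.entries:
            self.entries[ip] = Entry(None, "pending", now)
        return self.entries[ip].state

    def probe_response(self, ip, response, user=None):
        """Apply the Table 1 action for a probe response; None if no entry."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if response == "valid":           # valid IP address and username
            entry.user, entry.state = user, "valid"
        elif response == "user changed":  # logged-on user changed: update entry
            entry.user = user
        elif response in INVALIDATING:
            entry.state = "invalid"
        else:
            raise ValueError(f"unknown probe response {response!r}")
        return entry.state

    def external_update(self, ip, user, now):
        """Event log or fwauth results overwrite an entry, invalid ones included."""
        self.entries[ip] = Entry(user, "valid", now)
        return self.entries[ip].state

    def expire_pending(self, now):
        """Remove pending entries still unanswered after PENDING_TIMEOUT."""
        expired = [ip for ip, e in self.entries.items()
                   if e.state == "pending" and now - e.created >= PENDING_TIMEOUT]
        for ip in expired:
            del self.entries[ip]
        return expired
```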
Probe Configuration
On-demand probing is enabled by default. To disable on-demand probing, use the set services user-identification active-directory-access no-on-demand-probe statement. Delete this statement to reenable probing. When on-demand probing is disabled, manual probing is still available.
The probe timeout value is configurable. The default timeout is 10 seconds. To configure the timeout value, use the following statement:
user@host# set services user-identification active-directory-access wmi-timeout seconds
If no response is received from the domain PC within the wmi-timeout interval, the probe fails and the system either creates an invalid authentication entry or updates the existing authentication entry as invalid. If an authentication table entry already exists for the probed IP address, and no response is received from the domain PC within the wmi-timeout interval, the probe fails and that entry is deleted from the table.
To probe domain PCs, you must configure the integrated user firewall feature with the username and password credentials. You do not necessarily need a username and password account for each PC; instead you could set up one administrator account with privileges to access information on multiple PCs.
Probe Rate and Statistics
The maximum probe rate for the integrated user firewall feature is set by default and cannot be changed. For SRX5400, SRX5600, and SRX5800 devices, the probe rate is 600 times per minute. For branch SRX Series Firewalls, the probe rate is 100 times per minute. Probe functionality supports 5000 users, or up to 10 percent of the total supported authentication entries, whichever is smaller. Supporting 10 percent means that at any time, the number of IP addresses waiting to be probed cannot exceed 10 percent. For more information about the number of supported Active Directory authentication table entries, see Understanding Active Directory Authentication Tables.
High-level statistics covering probe activity are available for the total number of probes and the number of failed probes. Table 1 describes the reasons for probe failures. To display probe statistics, use the show services user-identification active-directory-access statistics ip-user-probe command.
user@host> show services user-identification active-directory-access statistics ip-user-probe
Domain: www.example1.net
Total user probe number : 176116
Failed user probe number : 916
Domain: www.example2.net
Total user probe number : 17632
Failed user probe number : 342