For security compliance purposes, customers may want to apply additional restrictions to the Palo Alto Networks account that is used to collect logs from the Domain Controller. One Windows Active Directory feature available for this is the Logon Workstation list.
Issue
Enabling the Logon Workstation list in the Windows Active Directory will deny the user access to DC1.
Resolution
Because the Palo Alto Networks firewall is not a member of the Active Directory, per Microsoft design it is necessary to add to the account's Logon Workstation list the hostnames of all the firewalls that will be using this account to connect.
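
One way to script this change with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. The account name and firewall hostnames are placeholders, and the helper function `Merge-WorkstationList` is hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to modify the account.
Import-Module ActiveDirectory

$Account   = 'svc-pan-logreader'        # placeholder: the account the firewalls use
$Firewalls = @('PA-FW01', 'PA-FW02')    # placeholder: hostnames of the firewalls

function Merge-WorkstationList {
    # Hypothetical helper: merges hostnames into a comma-separated
    # Logon Workstation list, ignoring case, blanks and duplicates.
    param([string]$Current, [string[]]$Add)

    $existing = @()
    if ($Current) {
        # @() keeps a single entry as an array so "+" below does not concatenate strings
        $existing = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($name in ($existing + $Add)) {
        $name = $name.Trim()
        if ($name -and ($merged -notcontains $name)) { $merged.Add($name) }
    }
    return ($merged -join ',')
}

$user    = Get-ADUser -Identity $Account -Properties LogonWorkstations
$current = $user.LogonWorkstations

if (-not $current) {
    # An empty list means the account is not restricted. Writing only the
    # firewall names here would create a restriction that leaves out the
    # Domain Controller, so stop and let the administrator decide.
    Write-Warning "$Account has no Logon Workstation list; nothing changed."
    return
}

$new = Merge-WorkstationList -Current $current -Add $Firewalls
if ($new -ne $current) {
    # Add -WhatIf to preview the change without writing it.
    Set-ADUser -Identity $Account -LogonWorkstations $new
}

# Show the resulting list for review.
(Get-ADUser -Identity $Account -Properties LogonWorkstations).LogonWorkstations -split ','
```

Entries already on the list, such as the Domain Controller, are preserved; only missing firewall hostnames are appended.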