Best Practices for Agentless UserID in Multiple Domain Environment?


L3 Networker

Hi,

I'm about to install two PA5060s in high availability and I am wondering if you guys have any best practice tips for this kind of install when it comes to UserID and how to add more than one domain to the Agentless install.

Alex

(Now shamelessly accepting the next 72 friend requests.)

Accepted Solutions

L4 Transporter

Alex,

There is no Best Practice, due to the many different ways that networks are designed these days. The one item to consider is the service account that is used for the WMI Authentication on the Domain controllers you specify in the Server Monitoring section. This account will need to be a member of the Distributed COM Users, Server Operators, and Event Log Readers groups, as well as have correct CIMV2 security properties on each AD server the firewall connects to. In a multiple domain environment, this can be achieved by adding the service account to the Enterprise Admins group (if in the same forest) or by adding the user to each required group in each domain and ensuring the proper trust is in place. Please see How to Configure Agentless User-ID in PAN-OS 5.0.x for assistance configuring the Agentless User-ID.

Ben

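An added example, not from this thread or from Palo Alto Networks, that audits the checklist in the accepted reply: for each domain the firewall will poll, it confirms the service account is in the three groups Ben names and holds an allow ACE with the needed rights on root\cimv2 on every domain controller. The account name and domain list are placeholders; the RSAT ActiveDirectory module and rights to read WMI security on the DCs are assumed.

```powershell
# Added example: audit the User-ID service account against the requirements in the
# accepted reply. Runs under Windows PowerShell 5.1 (Get-WmiObject); needs the
# RSAT ActiveDirectory module and rights to read WMI security on each DC.
param(
    [string]$ServiceAccount = 'CORP\svc-userid',                      # placeholder
    [string[]]$Domains      = @('corp.example', 'eu.corp.example')    # placeholder
)
Import-Module ActiveDirectory

$RequiredGroups = 'Distributed COM Users', 'Server Operators', 'Event Log Readers'
$sam = $ServiceAccount.Split('\')[-1]
# WMI namespace rights Server Monitoring relies on: Enable Account (0x1) + Remote Enable (0x20)
$NeededMask = 0x21

foreach ($domain in $Domains) {
    # 1. Membership must be present in *each* domain (or via Enterprise Admins in one forest);
    #    a group missing in any one domain is a common cause of WMI authentication failures.
    foreach ($g in $RequiredGroups) {
        try {
            $hit = Get-ADGroupMember -Identity $g -Server $domain -Recursive -ErrorAction Stop |
                   Where-Object SamAccountName -eq $sam
            '{0}: {1,-22} {2}' -f $domain, $g, $(if ($hit) { 'OK' } else { 'MISSING' })
        } catch { '{0}: {1,-22} ERROR {2}' -f $domain, $g, $_.Exception.Message }
    }

    # 2. The root\cimv2 DACL on every DC in the domain must grant the account the needed rights.
    $dcs = (Get-ADDomainController -Filter * -Server $domain).HostName
    foreach ($dc in $dcs) {
        try {
            $sec  = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity `
                                  -ComputerName $dc -ErrorAction Stop
            $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
            # AceType 0 = access-allowed; match the trustee by account name
            $ace  = $dacl | Where-Object { $_.Trustee.Name -eq $sam -and $_.AceType -eq 0 }
            $ok   = $ace  | Where-Object { ($_.AccessMask -band $NeededMask) -eq $NeededMask }
            $status = if ($ok) { 'CIMV2 OK' }
                      elseif ($ace) { 'CIMV2 ACE present but Enable Account/Remote Enable incomplete' }
                      else { 'CIMV2 no explicit ACE for the account' }
        } catch { $status = "ERROR $($_.Exception.Message)" }
        '{0}: {1}' -f $dc, $status
    }
}
```

Run it from a host that can reach a DC in each domain; the group checks run against the domain named in -Server, so a cross-domain account with no trust in place will show as MISSING or ERROR.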

3 REPLIES

L4 Transporter

Good to hear, I figured in the end it would come down to service account permissions.

Ben

L4 Transporter

If there is no trust relationship between the different domains, you should switch to using one User-ID agent installed in each domain.
