topic Re: Best Practices for Agentless UserID in Multiple Domain Environment? in General Topics

Best Practices for Agentless UserID in Multiple Domain Environment?

Abs — Tue, 05 Mar 2013 14:41:47 GMT

Hi,

I'm about to install two PA5060s in high availability and I am wondering if you guys have any best practice tips for this kind of install when it comes to UserID and how to add more than one domain to the Agentless install.

Alex

(Now shamelessly accepting the next 72 friend requests.)

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

bnelson — Tue, 05 Mar 2013 17:30:49 GMT

Alex,

There is no Best Practice, due to the many different ways that networks are designed these days. The one item to consider is the service account that is used for the WMI Authentication on the Domain controllers you specify in the Server Monitoring section. This account will need to be a member of the Distributed COM Users, Server Operators, and Event Log Readers groups, as well as have correct CIMV2 security properties on each AD server the firewall connects to. In a multiple domain environment, this can be achieved by adding the service account to the Enterprise Admins group (if in the same forest) or by adding the user to each required group in each domain and ensuring the proper trust is in place. Please see How to Configure Agentless User-ID in PAN-OS 5.0.x for assistance configuring the Agentless User-ID.

Ben

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

bnelson — Wed, 06 Mar 2013 17:05:58 GMT

Good to hear, I figured in the end it would come down to service account permissions.

Ben

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

Gregoux — Mon, 20 Jan 2014 17:20:23 GMT

if without trust relationship between different domain you should switch to use one user-id agent install on each domain