https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27804#M20272 <HTML><HEAD></HEAD><BODY><P>No one from Palo Alto yet.&nbsp; I will work on rounding someone up.&nbsp; What I have been told is. . . </P><P></P><P class="p1">USER-ID Update</P><P class="p1">It is no longer necessary to use windows machine for one AD server</P><P class="p1">It is best practice to setup filters to only enumerate groups that will be used in a policy - groups are ONLY used to create policy.</P><P class="p1">The (windows) agent can still be used to check in with multiple AD servers.&nbsp; As you probably know, it looks for kerberos tickets and also polls via Netbios or WMI to see if anyone has moved.</P><P class="p1">Also, it is suggested to use agent if you don't want to use the control plane of the firewall for additional processing.</P><P class="p1"></P><P class="p1">Hope that helps a little for now. . .</P></BODY></HTML> Thu, 28 Feb 2013 12:58:18 GMT cindyb 2013-02-28T12:58:18Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27798#M20266 <HTML><HEAD></HEAD><BODY><P>I have read the tech article "<SPAN style="font-size: 10pt; line-height: 1.5em;">How to Configure Agentless User-ID in PAN- OS 5.0.x"</SPAN></P><P></P><P>I'd love to see this document broken into two docs - one that I can send out to customers to prepare for POC - the AD user account setup portion without the PAN firewall config portion . . . does this already exist somewhere?</P></BODY></HTML> Tue, 26 Feb 2013 17:41:26 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27798#M20266 cindyb 2013-02-26T17:41:26Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27799#M20267 <HTML><HEAD></HEAD><BODY><P>While on the subject: May have been asked before, but what are the advantages/disadvantages of going agentless vs with agent.</P><P>How do they compare in terms of reliability (user to ip mapping integrity), performance ?</P><P>What does PA recommend ?</P></BODY></HTML> Wed, 27 Feb 2013 13:55:12 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27799#M20267 dieter_b 2013-02-27T13:55:12Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27800#M20268 <HTML><HEAD></HEAD><BODY><P>At the Ignite conference they talked about the fact that they were able to make the agentless User-ID process very efficient.&nbsp; Apparently the process is much faster at identifying when a new domain user, or exchange user, logs in.&nbsp; I suppose it would be handy to have one less piece in the puzzle as well.</P><P>Bob</P></BODY></HTML> Wed, 27 Feb 2013 15:33:23 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27800#M20268 BobW 2013-02-27T15:33:23Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27801#M20269 <HTML><HEAD></HEAD><BODY><P>Where did you find this tech article? I searched and can't locate it.</P><P></P><P>M</P></BODY></HTML> Wed, 27 Feb 2013 22:55:44 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27801#M20269 charger 2013-02-27T22:55:44Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27802#M20270 <HTML><HEAD></HEAD><BODY><P>The article can be located here - <A href="https://live.paloaltonetworks.com/docs/DOC-4332">How to Configure Agentless User-ID in PAN-OS 5.0.x</A></P><P></P><P>Personally if I only wanted the customer to setup the user account on the domain and not see the firewall configuration I would write my own version of this with own screenshots so then I could put my own company's branding on the document. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Wed, 27 Feb 2013 23:11:36 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27802#M20270 SCoupland 2013-02-27T23:11:36Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27803#M20271 <HTML><HEAD></HEAD><BODY><P>Anyone with PAN to confirm this ?</P></BODY></HTML> Thu, 28 Feb 2013 07:15:50 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27803#M20271 dieter_b 2013-02-28T07:15:50Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27804#M20272 <HTML><HEAD></HEAD><BODY><P>No one from Palo Alto yet.&nbsp; I will work on rounding someone up.&nbsp; What I have been told is. . . </P><P></P><P class="p1">USER-ID Update</P><P class="p1">It is no longer necessary to use windows machine for one AD server</P><P class="p1">It is best practice to setup filters to only enumerate groups that will be used in a policy - groups are ONLY used to create policy.</P><P class="p1">The (windows) agent can still be used to check in with multiple AD servers.&nbsp; As you probably know, it looks for kerberos tickets and also polls via Netbios or WMI to see if anyone has moved.</P><P class="p1">Also, it is suggested to use agent if you don't want to use the control plane of the firewall for additional processing.</P><P class="p1"></P><P class="p1">Hope that helps a little for now. . .</P></BODY></HTML> Thu, 28 Feb 2013 12:58:18 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-with-pan5-x-ad-configuration/m-p/27804#M20272 cindyb 2013-02-28T12:58:18Z