https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222537#M63991 <P>In an agent based user-id deployment the UIA queries&nbsp;the defined DC and collects all the logs which are new since the last update interval and discards&nbsp; all but the required event IDs for user-ID mappings.</P><P>&nbsp;</P><P>In an agentless deployment the firewall only collects the necessary event IDs for user-ID mapping.</P><P>&nbsp;</P><P>I also thought there was some increased capabilities with syslog collection functionality (I can be wrong here.)</P><P>&nbsp;</P><P>I'm also not sure about agent-less' ability&nbsp;to employ credential guard protections.&nbsp; Which IMO is a requirement for deployment for anyone with a Palo firewall.&nbsp; Granted getting it deployed is a PITA and extremely quirky.</P><P>&nbsp;</P><P>If I had my choice I'd go with an agent based deployment.&nbsp;</P> Tue, 17 Jul 2018 13:56:08 GMT Brandon_Wertz 2018-07-17T13:56:08Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222123#M63893 <P>Hello,</P><P>&nbsp;</P><P>We have 500 users on site and currently using Agentless User-ID with PANOS 7.1.7</P><P>&nbsp;</P><P>We are thinking of scaling up to Agent based.&nbsp;</P><P>&nbsp;</P><P>Can someone please guide me to a link/article that discusses the Pros and Cons of both?&nbsp;</P><P>What are the common issues one facing with Agent based? Are there any limitations? etc.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in advance!</P> Fri, 13 Jul 2018 06:13:20 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222123#M63893 Farzana 2018-07-13T06:13:20Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222434#M63973 <P>Hello,</P><P>I cant recall a pro vs con page that goes into this. Its one of those 'its your preference' things. With using agents all you are doing is offloading that aspect of the firewall to a server so you can free up some resources on the firewall, not many. We did it because we have the firewall emailing us of any high or critical events and we got spammed due to the failures, it was a WMI collision and we tried increasing resources and couldnt find a solution. Otherwise they were working the same, e.g. identifying users, etc.</P><P>&nbsp;</P><P>Regards,</P> Mon, 16 Jul 2018 21:41:11 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222434#M63973 OtakarKlier 2018-07-16T21:41:11Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222439#M63977 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/45418">@Farzana</a>,</P><P>Biggest thing is going to be that with the agentless method the constant log queries on the domain controller can be resource intensive for those servers, the resources required by the firewall to monitor the logs are actually pretty low. That being said&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;is correct, it's really a personal preference thing.&nbsp;</P><P>&nbsp;</P> Mon, 16 Jul 2018 22:01:15 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222439#M63977 BPry 2018-07-16T22:01:15Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222537#M63991 <P>In an agent based user-id deployment the UIA queries&nbsp;the defined DC and collects all the logs which are new since the last update interval and discards&nbsp; all but the required event IDs for user-ID mappings.</P><P>&nbsp;</P><P>In an agentless deployment the firewall only collects the necessary event IDs for user-ID mapping.</P><P>&nbsp;</P><P>I also thought there was some increased capabilities with syslog collection functionality (I can be wrong here.)</P><P>&nbsp;</P><P>I'm also not sure about agent-less' ability&nbsp;to employ credential guard protections.&nbsp; Which IMO is a requirement for deployment for anyone with a Palo firewall.&nbsp; Granted getting it deployed is a PITA and extremely quirky.</P><P>&nbsp;</P><P>If I had my choice I'd go with an agent based deployment.&nbsp;</P> Tue, 17 Jul 2018 13:56:08 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222537#M63991 Brandon_Wertz 2018-07-17T13:56:08Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222556#M63997 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>,</P><P>I don't think that you actually have any limitations with the syslog collection when using the agentless; it is a tad bit harder generally to verify everything is working however.&nbsp;</P><P>I believe that the only time that you actually need to utilize the User-Agent&nbsp;is if you decide to use the domain credential method. This would require that you are actually using the agent instead of agentless; as the agentless method can't validate whether a valid password was being used.&nbsp;</P><P>I'm personally not really a fan of domain credential filter as it would only detect when a user is submitting both a valid username and password and that the user logged into the source-ip matches those credentials. My thought process on this method is that I would rather know if any valid user-id is being submitted, regardless if the password is valid or if it matches the mapped source-user.&nbsp;</P> Tue, 17 Jul 2018 16:06:57 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222556#M63997 BPry 2018-07-17T16:06:57Z https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222558#M63999 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;wrote:<BR /><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>,</P><P>&nbsp;</P><P>I'm personally not really a fan of domain credential filter as it would only detect when a user is submitting both a valid username and password and that the user logged into the source-ip matches those credentials. My thought process on this method is that I would rather know if any valid user-id is being submitted, regardless if the password is valid or if it matches the mapped source-user.&nbsp;</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>&nbsp;</P><P>You can do either type deployment...The more broad deployment will block known IP to known user ID without regard for a valid password.</P><P>&nbsp;</P><P>The reason for not blocking this is you can't necessarily control if a user, however stupidly, decides to user their domain user ID for some Internet based hosted service.&nbsp; At my company a lot of people user this ID for company driven cloud/Internet based services.&nbsp; (We're in the process of whitelisting these sites.)</P><P>&nbsp;</P><P>I actually like the "domain credential filter" because it's less intrusive and is more specific to what we're trying to block.&nbsp; However the idiocrincies to get this to work makes it really difficult to get deployed.</P> Tue, 17 Jul 2018 16:15:13 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-vs-agent-based-user-id/m-p/222558#M63999 Brandon_Wertz 2018-07-17T16:15:13Z