topic Re: User-ID on-box Best Practice in General Topics

User-ID on-box Best Practice

djr — Fri, 22 Feb 2013 18:31:27 GMT

Hi,

Can anyone clarify for me what the best practice recommendations are for the User-ID agent? Prior to V5 it was clear that they should ideally run on the domain controllers or servers close to them. However with the option of running on-box, is this now the preferred option, are there any limitations or side-effects of doing so?

Thanks

Re: User-ID on-box Best Practice

gafrol — Fri, 22 Feb 2013 19:21:29 GMT

I would not recommend to use the new agentless UID approach yet,

- AD User Accounts with Umlaut characters cannot be excluded (Support case is already open)

- It seems networks cannot be excluded from user ip mapping neither -- > https://live.paloaltonetworks.com/thread/6903

I had some strange behaviour with the agentless setup but which I could not reproduce in the lab.

I would recommend to stick with the UID Agent for now. Just my two cents.

Re: User-ID on-box Best Practice

sjamaluddin — Sat, 23 Feb 2013 01:02:18 GMT

The reason the recommendation was to run the UserID agent on a domain contoller was that the communication between the domain controller and the UserID agent is very chatty. That's why to keep that chattiness local the USERID Agent was expected to run on the domain controller itself.

If you now run the Agentless UserID on the firewall itself, you'd still see the chattiness between the PAN firewall and the domain contollers so that may be something to consider.

Re: User-ID on-box Best Practice

mgp — Mon, 25 Feb 2013 10:40:21 GMT

I try to use agentless with 5.0.2 but it make management server is very high. Use for 1000 users.

Already open case and switch to software agent if the user is big.

Re: User-ID on-box Best Practice

jochristian — Mon, 25 Feb 2013 12:07:54 GMT

Hello,

There is a bug in 5.0.2 making the useridd process use 100%+ cpu. For now you should either downgrade to 5.0.1 or wait for 5.0.3 that will probably be out next week 🙂

BTW, the bug also impacts the software agent.

Jo Christian

Re: User-ID on-box Best Practice

bjackson — Thu, 28 Mar 2013 00:49:55 GMT

Had the same issue with 5.0.2 and the 100% CPU Utilization. Moved to 5.0.3 when it was released and experienced similar issues and was told that we should wait to 5.0.4 so I suggest that you move to 5.0.1, have been running that code for almost a week now and seems alot more stable.

Re: User-ID on-box Best Practice

bjackson — Mon, 13 May 2013 23:57:23 GMT

Just an update, Currently running 5.0.4 due to some other bugs that were in 5.0.1. It feels stable but I have only been running this version for about a week now and I am aware that there are a few bugs that may affect our deployment but its the best we can do while we wait for 5.0.5 to be released.