topic User-ID Agent or Agentless User-ID in General Topics

User-ID Agent or Agentless User-ID

bmodi — Wed, 29 Jan 2014 02:12:10 GMT

What is the difference between User-ID Agent and Agentless User-ID? Why would I use one over the other?

Re: User-ID Agent or Agentless User-ID

sraghunandan — Wed, 29 Jan 2014 02:36:21 GMT

similar discussion

https://live.paloaltonetworks.com/message/23631#23631

Re: User-ID Agent or Agentless User-ID

HULK — Wed, 29 Jan 2014 03:01:34 GMT

Adding few more related discussions:

User-ID Best Practices document?

User Identification Tech Note PAN-OS 4.1

best practice User-ID strategy?

UserID

Installation and Provisioning of the User Agent

Thanks

Re: User-ID Agent or Agentless User-ID

sjamaluddin — Sat, 26 Jul 2014 07:45:39 GMT

One would user UserID agent - if you have a distributed DC set up - across multiple WAN locations. That way you can run the UseriD Agent on each DC at the remote location and keep their chatter local.

Then only send the filtered (specific IP to user mappings) across the WAN to a head end firewall.

If however, you'd like to keep everything under one administrator groups's control (sometimes server folks and network folks have trouble sharing info.), then it may be easier to simply run the UserID agentless on the firewall. That way, only the access to AD via the LDAP admin account will be needed to have the firewall talk to the DCs. This would be preferred in cases where the DCs and firewall are all local and there is no WAN link to cross.

Re: User-ID Agent or Agentless User-ID

pulukas — Sat, 26 Jul 2014 12:02:50 GMT

The basic difference between agent and agentless is as follows:

User-id agent installs on a windows computer and collects the user to ip mappings for forwarding to the firewall
Agentless user-id runs on the firewall and queries the windows servers to retrieve the user to ip mapping information

User-id agent can install multiple ways

Install directly on the domain controller for each one and collect local data
Install on one computer and query data from multiple domain controllers from this location

General considerations:

each domain controller in your AD domain has local only copies of the login mappings you need so all must participate in user-id in some way
If you have a lot of processing on the firewall and a lot of domain controllers then agentless user-id may not be practical
If your AD computers are spread around multiple WAN links the traffic generated by agentless user-id may be problematic

the best source for the gory details is the User-id Best practices documentation.

User-ID Best Practices - PAN-OS 5.0, 6.0