Best Practices for Agentless UserID in Multiple Domain Environment?

Abs
L3 Networker

Hi,

I'm about to install two PA5060s in high availability and I am wondering if you guys have any best practice tips for this kind of install when it comes to UserID and how to add more than one domain to the Agentless install.

Alex

(Now shamelessly accepting the next 72 friend requests.)

L4 Transporter

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

Alex,

There is no Best Practice, due to the many different ways that networks are designed these days. The one item to consider is the service account that is used for the WMI Authentication on the Domain controllers you specify in the Server Monitoring section. This account will need to be a member of the Distributed COM Users, Server Operators, and Event Log Readers groups, as well as have correct CIMV2 security properties on each AD server the firewall connects to. In a multiple domain environment, this can be achieved by adding the service account to the Enterprise Admins group (if in the same forest) or by adding the user to each required group in each domain and ensuring the proper trust is in place. Please see How to Configure Agentless User-ID in PAN-OS 5.0.x for assistance configuring the Agentless User-ID.

Ben
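As an added example (not part of the thread, and not Palo Alto Networks code), the following PowerShell script audits the service account against the requirements in Ben's reply on each domain controller you intend to list under Server Monitoring: membership in Distributed COM Users, Server Operators and Event Log Readers (plus Administrators, since an account placed in Enterprise Admins gets its rights through the local Administrators group rather than through those three), followed by a WMI read of root\cimv2 over DCOM, the way the firewall connects. It assumes the RSAT ActiveDirectory module is installed, that the user running it can read group membership in every listed domain, and that the DCOM/WMI ports are reachable; the account name, its home domain and the domain controller names are placeholders.

```powershell
# Added example: audit the Agentless User-ID service account on each monitored DC.
# Assumptions: RSAT ActiveDirectory module present; caller can read group
# membership in each domain; DCOM/WMI reachable. Names below are placeholders.

Import-Module ActiveDirectory

$ServiceAccount    = 'svc-userid'                      # placeholder sAMAccountName
$AccountDomain     = 'corp.example'                    # placeholder: account's home domain
$DomainControllers = @('dc1.corp.example', 'dc1.child.corp.example')   # placeholders
$RequiredGroups    = @('Distributed COM Users', 'Server Operators', 'Event Log Readers')

# Resolve the account's SID once in its home domain. Membership is compared by
# SID so a foreign security principal from a trusted domain is still recognised.
$svcSid = (Get-ADUser -Identity $ServiceAccount -Server $AccountDomain).SID.Value
$cred   = Get-Credential -UserName "$AccountDomain\$ServiceAccount" -Message 'User-ID service account'

$results = foreach ($dc in $DomainControllers) {
    $row = [ordered]@{ DomainController = $dc }

    foreach ($group in ($RequiredGroups + 'Administrators')) {
        try {
            # -Recursive expands nested groups, e.g. Enterprise Admins inside Administrators.
            $members = Get-ADGroupMember -Identity $group -Server $dc -Recursive -ErrorAction Stop
            $row[$group] = [bool]($members | Where-Object { $_.SID.Value -eq $svcSid })
        } catch {
            $row[$group] = "error: $($_.Exception.Message)"
        }
    }

    # WMI over DCOM as the firewall does it: a read of Win32_OperatingSystem in
    # root\cimv2 proves the namespace security; a read of the Security log proves
    # the Event Log Readers right is effective on this host.
    try {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $dc -Credential $cred -SessionOption $opt -ErrorAction Stop
        $null    = Get-CimInstance -CimSession $session -Namespace 'root\cimv2' `
                       -ClassName Win32_OperatingSystem -ErrorAction Stop
        $row['CIMV2 read'] = $true
        $evt = Get-CimInstance -CimSession $session -Namespace 'root\cimv2' -ClassName Win32_NTLogEvent `
                   -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop | Select-Object -First 1
        $row['Security log read'] = [bool]$evt
        Remove-CimSession $session
    } catch {
        $row['WMI'] = "error: $($_.Exception.Message)"
    }

    [pscustomobject]$row
}

$results | Format-List
```

Run it from a management host before committing the Server Monitoring list on the firewall. A DC whose row shows all three groups as True (or Administrators True) but a failed WMI read usually points at the CIMV2 namespace security or DCOM not being open to that account, which is the part of Ben's list that group membership alone does not prove.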

L4 Transporter

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

Good to hear, I figured in the end it would come down to service account permissions.

Ben

L4 Transporter

Re: Best Practices for Agentless UserID in Multiple Domain Environment?

If there is no trust relationship between the different domains, you should switch to using one User-ID agent installed in each domain.
