If the security organization would like to use Palo Alto Networks firewall features for tracking user behavior in a more meaningful way, that alone should be enough to get cooperation from all Domain Admins. PAN User-ID Agent should be given an account to use which has read-only access to Active Directory (and PAN Terminal Services Agent similarly provides visibility into users in the Terminal Server/Citrix world). The agents open up security and audit logs in ways that match traffic to users and systems: if users want exceptions to policies, for example, a prerequisite in my opinion is full participation in PAN User-ID Agent (e.g. hand over an account with Domain Admin privilege).
If the organization is mature and deeply ties together relevant security logs from all systems (A/V, VPN, AD, IPS, etc.) and if their response and interpretation of tools and alerts is superior, then there might not be as pressing a need. But organizations with shared resources, informal (or formal) SLAs and big personalities? They need the best possible Palo Alto Networks firewall experience whether they know it or not, and that begins in my opinion with PAN User-ID Agent (and PAN Terminal Services Agent).
My view is that if performance is not significantly hindered by PAN User-ID Agent (or Terminal Services Agent) there is everything to gain and nothing to lose. On networks where DHCP and NATting are in place, it can be a challenge to keep on top of the logs and firewall rules. Modern attacks on our infrastructure as a whole (from the most malicious targeted phishing campaign to the latest Internet time-waster) use port hopping and IP address spoofing to bypass policies. So why wouldn't we want to feed our Palo Alto Networks firewall with the best that Active Directory Domain Controllers can provide us? It's hard enough to track user behavior! People are entitled to their opinions (on how policies are to be enacted and enforced) but the facts cannot be ignored. Tying individual network and firewall designs to actions that users and administrators make on a daily basis is the sweet spot.
I put PAN User-ID Agent right next to SIEM agents (that translate SIDs into English for the permanent/unalterable log) in terms of importance. Both PAN User-ID Agent and SIEM deserve the very best information from Active Directory. Things change in AD very quickly and it's fundamental to IT Governance that the systems that watch our logs and track our policy enforcement are as intelligent as possible.
Does anyone have more compelling and meaningful reasons to advertise to Domain Administrators that they should absolutely want PAN User-ID Agent on all their Domain Controllers? In this fast-moving Internet it's more important than ever to maximize investments in security.
Couple of points from your query.
The PA agent does not need to run on a Domain Controller. It can run on any server in the domain - all it needs is a domain account to run as (the agent is a service) which has appropriate rights to the Security audit logs. The exact nature of the rights required is documented, but basically the agent needs audit rights to the Security log - which can only be assigned from the domain controller(s) themselves on an individual basis.
The main selling point I used in implementing the agent (besides whacking the domain admin over the head with a big stick :-)) was that the PA was intended to replace one of his most expensive devices (the Websense filtering/proxy server), and it simply wouldn't work without the agent installed. If he wanted to save his tens of thousands of dollars a year in maintenance costs for the old web filter, then he needed to install my agent. Enlightened self-interest then encouraged compliance.
When push comes to shove, if you don't have the rights to install the agents yourself (and I infer from your post you don't), and the AD administrator is intransigent, your only call is to present your case to higher management, and let them fight it out.
You could also point out the improved reporting and diagnostic ability with the agent correctly configured to management - this one is also a big selling point - the sheer visibility of user activity available when the UA is running and reporting correctly to the firewall may get you over the line.
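A prerequisite check to run before the business-case meeting, added here as an example and not code from the thread or from Palo Alto Networks: it confirms that the proposed User-ID service account can read Active Directory and can read the Security log on every domain controller, which is exactly what the reply above says the agent needs. The account name and the domain controller list are assumptions; the ActiveDirectory module and Get-WinEvent are standard Windows cmdlets.

```powershell
# Verify the User-ID service account has the two rights the agent depends on:
# read-only AD access and Security event log read access on each DC.
# Assumed: the account name below is a placeholder; change it to your service account.
Import-Module ActiveDirectory

$svcAccount = 'CONTOSO\svc-userid'   # placeholder, constructed for this example
$cred = Get-Credential -UserName $svcAccount -Message 'User-ID service account password'

# 1. Read-only AD access: the account itself must be resolvable via LDAP.
try {
    $user = Get-ADUser -Identity ($svcAccount.Split('\')[-1]) -Credential $cred -ErrorAction Stop
    Write-Host "AD read check OK: $($user.DistinguishedName)"
} catch {
    Write-Warning "AD read check FAILED for ${svcAccount}: $($_.Exception.Message)"
}

# 2. Security log read access on every domain controller in the domain.
# The agent only needs to see logon events, so reading one event is enough to prove the right.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $evt = Get-WinEvent -ComputerName $dc.HostName -LogName Security -MaxEvents 1 `
                            -Credential $cred -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; SecurityLogRead = $true;  Detail = "latest event id $($evt.Id)" }
    } catch {
        # Typical cause: the account is not in the DC's Event Log Readers group
        # (or lacks the equivalent audit right), or remote event log access is blocked.
        [pscustomobject]@{ DC = $dc.HostName; SecurityLogRead = $false; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Any DC that reports SecurityLogRead = False is one the agent will silently miss logons from, so fix those rights before judging the user-to-IP mapping the firewall shows.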
Thank you for the reply. I will focus on making the business case for why PAN User-ID agent makes sense. I will especially hammer on those involved in test networks and systems to demonstrate firsthand with them the new type of visibility Palo Alto can provide. While it's not my direct place to convince Domain Admins to make the responsible choice and implement PAN User-ID agent, I will work on affirmation to those that participate. And attach a stigma to those Domains that refuse to use PAN User-ID agent for any reason... Palo Alto can do a better job pointing out the troubled users and malicious actions when we know more about their activities.