User-ID resource list

Printer Friendly Page

Overview

 

The following table provides a list of valuable resources on configuring and troubleshooting User-ID:

 

TITLE DESCRIPTION TYPE
BASIC    
Agentless User-ID agent Configuration Video
User-ID agent setup tips Configuration Document
How to install the Palo Alto Networks User-ID agent Configuration  Document
How to configure active directory server profile for group-mapping and authentication Configuration Document
User-ID best practices Configuration 

Document

How to configure group mapping settings Configuration

Document

Architecting User-ID deployments Configuration Document
How to configure eDirectory and LDAP authentication Configuration Document
How to configure group-mapping in a multi-domain active directory domain services (AD DS) forest Configuration Document
How to install and configure terminal server agent Configuration Document
How to collect the User-IP mappings from a Syslog sender using a User-ID agent Configuration Document 
User-ID agent as LDAP proxy for group-mapping and authentication Configuration Document 
Correct group and IP to user-mapping in multi-domain AD forest using global catalog Configuration Document
INTERMEDIATE    
Best practices for securing User-ID deployments Configuration Document
How to check users in LDAP groups Troubleshooting Document
Unknown user for User-ID IP-User mapping cache timers Troubleshooting Document
IP-to-User mappings have inconsistent domain prefix Troubleshooting Document
User-ID agent access control list Configuration Document
How to determine the NetBIOS domain for LDAP server profile in Windows 2003 and 2008 server Configuration Document
Improve LDAP authentication during disaster recovery Configuration Document
ADVANCED    
Agentless User-ID 'access denied' error in server monitor Troubleshooting Document
Troubleshooting User-ID: Group and User-to-IP mapping Troubleshooting Document
Agentless User-ID connection to active directory servers intermittently connect and disconnect Troubleshooting Document
Useful CLI Commands for troubleshooting User-ID agent software Troubleshooting Document
Unexpected traffic seen from the User-ID agent Troubleshooting Document
Which login credentials does Palo Alto Networks User-ID agent see when using RDP? Troubleshooting Document
How the User-ID agent include/exclude list works Configuration Document
How to upgrade User-ID agent Configuration Document
User-IP mappings not redistributed from collector Troubleshooting Document
Why are some users not identified by the User-ID agent? Troubleshooting Document
Terminal Server Agent Registry Tuning for Better Port Allocation and Handling, Time Wait State Troubleshooting Document
How to Create Ignore_User_List with Special Characters in User-ID Agent Troubleshooting Document
DISCUSSION BOARDS    

PAN AD Useragent - Excluding users?

Configuration Discussion

 

Note: If you have a suggestion for an article, video or discussion not included in this list please post a recommendation in the comments below and it will be added to the master list.

 

owner: ekampling

Comments

Very helpful!

Very helpful. Thank you!

For tuning of terminal server clients the following article is also beneficial. https://live.paloaltonetworks.com/t5/Configuration-Articles/Terminal-Server-Agent-Registry-Tuning-fo...

Thanks for the links @benparker and @anjain, I have updated the list to reflect the new links.

Links need to be updated.  For example "How to Configure Active Directory Server Profile for Group Mapping and Authentication" is from 2012 and contains pics that are no longer relevant.  Please update.

Hi @chris_phillips 

 

Thanks for your notification! I've updated the screenshots in that article to reflect PAN-OS 7.1

Hey,

 

I would very much like more information on the client probing, specfiically things like:

How to test/validate? (relevent logs?)

Functions or commands to pull user information from endpoint/system?

Permissions required (in ad)?

Concerns of security (2014 saw issues) and how to mitigate?

Why is the * only in the show user-mapping-ip-mp and not user-mapping-ip?

For those looking for more details on creating a User-ID Specific service account, I recommend the following documentation link. https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/create-a-dedicated-service-a.... It contains the recommendations as well as reasons and caveats for the different permissions based on what you are trying to accomplish.