This week, I would like to highlight a discussion where community member @IMTechSupport asked about the pros and cons of having a Windows-based user-ID agent versus an agentless (PAN-OS integrated) user-ID.
@BPryand @TomYoung immediately jumped to the rescue providing some pros and cons of each solution and adding some use-case examples on why they prefer one solution above the other.
Here are some pros, cons and considerations to make while choosing between agent or agentless UID:
Agentless advantages primarily focus on the fact that you don't need to worry about installing and managing an agent on another server. You can simply set up the configuration and permissions on the firewall; you can manage everything directly from there. You needn't worry about giving the firewall admin direct access to the server that's running the user-ID agent, as they will manage everything directly from the firewall.
If the firewall is already heavily loaded and you have a lot of DCs to query, then agentless UID might not be the ideal solution. In this case, using a user-ID agent will offload some processing from the firewall.
If you have DCs spread across the world and have the agentless user-ID sending traffic across the WAN links, probing them might not be ideal. In this case you might want to consider installing an agent in each remote location limiting the WAN traffic.
Domain Credential Filter detection enables the firewall to detect passwords submitted to web pages. This credential detection method requires the Windows User-ID agent and the User-ID credential service—an add-on to the User-ID agent—to be installed on a read-only domain controller (RODC).
Can you think of other considerations or pros/cons that I haven't mentioned? Please share them in the comments section below or go check out the original post and join the discussion: Windows-Based Agent vs Integrated PAN-OS Agent.
You install the user-ID agent on a domain server that is running a supported operating system (OS) and then connect the user-ID agent to exchange or directory servers. Make sure you check our compatibility matrix to confirm where you can install the agent, which servers the agent can monitor and where you can install the user-ID credential service.
I would also like to take the time and highlight our user-ID technology page on LIVEcommunity, your one-stop shop for all documentation, videos, discussions, and more related to Palo Alto Networks' User-ID feature.
Additional information and discussions on the same topic: