In my environment, we have several domain controllers around the world across MPLS. In order for users to go out to the internet, they must have an AD account in a certain AD group. This seems to work just fine....but recently we've had a few issues where the user will lose connection to the internet. When we look in the logs, the user's User ID is no longer sent. About 5-10 minutes later all is back to normal. We have about 15 domain controllers under User Mapping > Server Monitoring. I have a feeling one of them has some issue.
Either way, what is the typical recommendation others have....does the Agentless work better in multi-domain controller environments across the world or does a User-ID Agent make better sense. According to Palo....User-ID Agent is the recommendation.
yes for sure, as @BPry suggested. User-ID agents would be best in your enviroment but not sure if this would resolve your suspected server issue...
This may just be an issue with your "user identification timeout" setting.
what is this currently set to... we use 24 hours but others that have previously posted prefer 4 to 8 hours
As @MickBall suggested the actual method you use does not seem to change something with your issue. The must be something wrong on one of these servers or with the configured timeout.
But regarding the actual topics question: ( @BPry@MickBall please correct me if I am totally wrong here) In this case (highly distributed single forest domain) I would also prefer to use the agentless method because of low complexity (at least no added complexity with the log forwarding from DC to log server where the UIA reads the logs) and also because of low bandwith consumption over the MPLS links because the firewall only reads the required log events (compared to having the UIA connecting directly to all DC where it must parse the whole security log and not just the required events). Depending on the actual amount of users, whitch has an impact on the mgmt CPU, I would stay with the agentless solution. And as it is already set up I assume there aren't any problems with high mgmt CPU utilization.
Hi, @vsys_remo, noted... Good post...
for me it's an eva iva choice, difficult as not knowing the full picture.
My assumption was based on a UID agent at each domain location, I would therefore assume only updates were sent from the agent to the PA.
I must admit I do not know the full ins and outs of agents but I based my current setup on what was best for me going by the PAN docs.
Thanks for the detailed post, very helpful...
on that note,,, can I just say that I quite enjoy having the agents, autodiscover works well and liking the search option in the GUI. not everyones cup of tea.......
It seems that a few years back, the configuration/setup for User-ID agents was a bit "flaky". This is why the administrators back then decided to switch to agentless. It appears that agentless has been running just fine for 2+ years. As @BPry mentioned...this is the recommendation from Palo to have User-ID agent running. We might look into that again, but the setup itself and logistics will take a bit to go through. @MickBall mentioned the User Identification Timeout...mine is 45 minutes.
Yeah, the servers around the world seem to be fine, when it comes to CPU. One thing I might do is the Palo units are sitting in the US (where the egress to the internet is for all users around the world, for now). I might just exclude most of the other servers and limit them to the US DCs only, where the Palos reside.
That's a good point, and I likely would have followed the same deployment method as you did a few years ago because of the issues I was having with the User-ID agents back then. I can safetly say however that the User-ID agents have gotten a heck of a lot better and more stable in that time.
Depending on your actual enviroment and what exactly you are montioring 45 minutes for a timeout value is pretty low. Unless you have a lot of shared user locations, I would highly recommend bumping that up a little bit and seeing if that doesn't solve your issue. You could have your User-ID mapping aging out, which would definetly cause the issue you are describing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!