In my environment, we have several domain controllers around the world across MPLS. In order for users to go out to the internet, they must have an AD account in a certain AD group. This seems to work just fine....but recently we've had a few issues where the user will lose connection to the internet. When we look in the logs, the user's User ID is no longer sent. About 5-10 minutes later all is back to normal. We have about 15 domain controllers under User Mapping > Server Monitoring. I have a feeling one of them has some issue.
Either way, what is the typical recommendation others have....does the Agentless work better in multi-domain controller environments across the world or does a User-ID Agent make better sense. According to Palo....User-ID Agent is the recommendation.
yes for sure, as @BPry suggested. User-ID agents would be best in your enviroment but not sure if this would resolve your suspected server issue...
This may just be an issue with your "user identification timeout" setting.
what is this currently set to... we use 24 hours but others that have previously posted prefer 4 to 8 hours
As @MickBall suggested the actual method you use does not seem to change something with your issue. The must be something wrong on one of these servers or with the configured timeout.
But regarding the actual topics question: ( @BPry@MickBall please correct me if I am totally wrong here) In this case (highly distributed single forest domain) I would also prefer to use the agentless method because of low complexity (at least no added complexity with the log forwarding from DC to log server where the UIA reads the logs) and also because of low bandwith consumption over the MPLS links because the firewall only reads the required log events (compared to having the UIA connecting directly to all DC where it must parse the whole security log and not just the required events). Depending on the actual amount of users, whitch has an impact on the mgmt CPU, I would stay with the agentless solution. And as it is already set up I assume there aren't any problems with high mgmt CPU utilization.
Hi, @vsys_remo, noted... Good post...
for me it's an eva iva choice, difficult as not knowing the full picture.
My assumption was based on a UID agent at each domain location, I would therefore assume only updates were sent from the agent to the PA.
I must admit I do not know the full ins and outs of agents but I based my current setup on what was best for me going by the PAN docs.
Thanks for the detailed post, very helpful...
on that note,,, can I just say that I quite enjoy having the agents, autodiscover works well and liking the search option in the GUI. not everyones cup of tea.......
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!