I have read the tech article "How to Configure Agentless User-ID in PAN- OS 5.0.x"
I'd love to see this document broken into two docs - one that I can send out to customers to prepare for POC - the AD user account setup portion without the PAN firewall config portion . . . does this already exist somewhere?
At the Ignite conference they talked about the fact that they were able to make the agentless User-ID process very efficient. Apparently the process is much faster at identifying when a new domain user, or exchange user, logs in. I suppose it would be handy to have one less piece in the puzzle as well.
The article can be located here - How to Configure Agentless User-ID in PAN-OS 5.0.x
Personally if I only wanted the customer to setup the user account on the domain and not see the firewall configuration I would write my own version of this with own screenshots so then I could put my own company's branding on the document.
No one from Palo Alto yet. I will work on rounding someone up. What I have been told is. . .
It is no longer necessary to use windows machine for one AD server
It is best practice to setup filters to only enumerate groups that will be used in a policy - groups are ONLY used to create policy.
The (windows) agent can still be used to check in with multiple AD servers. As you probably know, it looks for kerberos tickets and also polls via Netbios or WMI to see if anyone has moved.
Also, it is suggested to use agent if you don't want to use the control plane of the firewall for additional processing.
Hope that helps a little for now. . .
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!