03-05-2013 06:41 AM
Hi,
I'm about to install two PA5060s in high availability and I am wondering if you guys have any best practice tips for this kind of install when it comes to UserID and how to add more than one domain to the Agentless install.
Alex
(Now shamelessly accepting the next 72 friend requests.)
03-05-2013 09:30 AM
Alex,
There is no Best Practice, due to the many different ways that networks are designed these days. The one item to consider is the service account that is used for the WMI Authentication on the Domain controllers you specify in the Server Monitoring section. This account will need to be a member of the Distributed COM Users, Server Operators, and Event Log Readers groups, as well as have correct CIMV2 security properties on each AD server the firewall connects to. In a multiple domain environment, this can be achieved by adding the service account to the Enterprise Admins group (if in the same forest) or by adding the user to each required group in each domain and ensuring the proper trust is in place. Please see How to Configure Agentless User-ID in PAN-OS 5.0.x for assistance configuring the Agentless User-ID.
Ben
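The checks Ben describes (group membership on every domain controller the firewall polls, CIMV2 namespace rights, and a trust in place for cross-domain accounts) can be audited rather than assumed. The script below is an added example, not code from this thread or from Palo Alto Networks; it assumes the RSAT ActiveDirectory module is installed, that the caller can read AD in each listed domain, and that Windows PowerShell 5.1 is used (Get-WmiObject is not available in PowerShell 7). The account name, domain names and script file name are placeholders.

```powershell
<#
  Added example (not from this thread or from Palo Alto Networks): audit whether a User-ID
  service account meets the prerequisites in every domain the firewall will poll.
  Assumes the RSAT ActiveDirectory module and Windows PowerShell 5.1. Names are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$ServiceAccount,   # 'CORP\svc-userid' (placeholder)
    [Parameter(Mandatory)][string[]]$Domains,        # 'corp.example.com','sub.example.com' (placeholders)
    [pscredential]$Credential                        # service-account credential for the live WMI probe (optional)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known SIDs of the builtin groups the firewall's WMI session needs; SIDs avoid localized names.
$RequiredGroups = @{
    'Distributed COM Users' = 'S-1-5-32-562'
    'Server Operators'      = 'S-1-5-32-549'
    'Event Log Readers'     = 'S-1-5-32-573'
}
# WMI namespace permission bits needed on root\cimv2: "Enable Account" and "Remote Enable".
$WBEM_ENABLE        = 0x01
$WBEM_REMOTE_ACCESS = 0x20
$NeededMask         = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Resolve the account to its SID so cross-domain (foreign security principal) membership compares correctly.
$AccountSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

foreach ($domain in $Domains) {
    # Trusts as seen from this domain; a missing trust is the usual reason membership cannot be granted.
    $trusts = Get-ADTrust -Filter * -Server $domain -ErrorAction SilentlyContinue |
              ForEach-Object { '{0} ({1})' -f $_.Name, $_.Direction }

    # 1. Group membership (nested membership is followed with -Recursive).
    foreach ($entry in $RequiredGroups.GetEnumerator()) {
        try {
            $members  = Get-ADGroupMember -Identity $entry.Value -Server $domain -Recursive -ErrorAction Stop
            $isMember = @($members | ForEach-Object { $_.SID.Value }) -contains $AccountSid
        } catch {
            $isMember = "unresolved: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $domain; Check = "member of $($entry.Key)"
                           Result = $isMember; Trusts = ($trusts -join ', ') }
    }

    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain).HostName) {
        # 2. Read the root\cimv2 namespace DACL and look for an allow ACE granting the needed bits
        #    to the account itself. Rights granted through a group appear under the group's SID,
        #    so False here only means there is no direct grant.
        try {
            $sd = Invoke-WmiMethod -ComputerName $dc -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
                                   -Name GetSecurityDescriptor -ErrorAction Stop
            $hasRights = [bool]($sd.Descriptor.DACL | Where-Object {
                $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $AccountSid -and
                (($_.AccessMask -band $NeededMask) -eq $NeededMask) })
        } catch {
            $hasRights = "unresolved: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $domain; Check = "cimv2 direct grant on $dc"; Result = $hasRights; Trusts = '' }

        # 3. Live probe as the service account over DCOM (the transport the firewall uses), if a credential was given.
        if ($Credential) {
            try {
                $null = Get-WmiObject -ComputerName $dc -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
                                      -Credential $Credential -ErrorAction Stop
                $probe = $true
            } catch {
                $probe = "failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Domain = $domain; Check = "WMI probe as account on $dc"; Result = $probe; Trusts = '' }
        }
    }
}
```

Run it from a domain-joined management host, for example `.\Audit-UserIdAccount.ps1 -ServiceAccount 'CORP\svc-userid' -Domains 'corp.example.com','sub.example.com' -Credential (Get-Credential)`, and pipe the output to `Format-Table` or `Export-Csv`. A membership check that comes back "unresolved" in a second domain, with no trust listed in the Trusts column, is the situation where the thread's later advice applies: without a trust, the account cannot be placed in that domain's groups and a separate agent per domain is the practical option. The audit checks the three specific builtin groups rather than Enterprise Admins, so it also confirms that the narrower grant is sufficient.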
03-06-2013 09:05 AM
Good to hear, I figured in the end it would come down to service account permissions.
Ben
01-20-2014 09:20 AM
If there is no trust relationship between the different domains, you should switch to using one User-ID agent installed in each domain.