How to set up Active Directory user ID?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to set up Active Directory user ID?

L0 Member

Hello,

I am new the Palo Alto networks firewall device (model PA-500).  I have it deployed in my environment but am just letting it pass all traffic right now; I want to get a handle on the traffic before I start limiting things.  In any case, I would like to have the PA-500 identify AD users and groups for our domain.  I've tried to research this and saw a bit about a user ID agent, but I'm not quite understanding if this is necessary or not.  So my questions are:

- Can the PA-500 communicate directly with my domain controllers and therefore eliminate the need for a user ID agent?

- If the user ID agent is needed, do I just need to install this on one computer (i.e. one of my DCs) or is this needed on each client PC? This agent has to run continuously for user ID to work?

I know these are basic questions, but most of the material I've seen on this is really about installing the user ID agent and not about in what situations it is needed.  Thank you in advance.

1 accepted solution

Accepted Solutions

L4 Transporter

Hey there,

Yes, the PAN Agent is required to see UserID's in the logs and to be able to set policy by UserID.  Make sure to install the correct PAN Agent as there are a couple now with the latest versions (one for LDAP and one for AD).  You can also use the Terminal Services Agent in conjunction with the PAN Agent to get UserID mappings on a Citrix or Terminal server.

Most customers install a single agent on a Windows member server that is configured to talk to their Domain Controllers.  The firewall is configured to communicate with the Agent.  Some customers choose to install multiple Agents directly on the Domain controllers and the firewall is configured to communicate with all of them.  Both approaches or a combination will work - it just comes down to what is best for your environment.  The Agent does need to run continuously for best results.

Cheers,

Kelly

View solution in original post

5 REPLIES 5

L4 Transporter

Hey there,

Yes, the PAN Agent is required to see UserID's in the logs and to be able to set policy by UserID.  Make sure to install the correct PAN Agent as there are a couple now with the latest versions (one for LDAP and one for AD).  You can also use the Terminal Services Agent in conjunction with the PAN Agent to get UserID mappings on a Citrix or Terminal server.

Most customers install a single agent on a Windows member server that is configured to talk to their Domain Controllers.  The firewall is configured to communicate with the Agent.  Some customers choose to install multiple Agents directly on the Domain controllers and the firewall is configured to communicate with all of them.  Both approaches or a combination will work - it just comes down to what is best for your environment.  The Agent does need to run continuously for best results.

Cheers,

Kelly

Thank you for the advice, Kelly.  I'm actually surprised that the firewall device does not communicate directly with AD.  Doesn't this design just introduce a point of failure?  If my policies are based around usernames, but the agent stops responding (service down, server is shut down, etc.) will my policies fail open or closed?  I guess I will probably deploy multiple agents to minimize this possibility.

Thank you again!

Using multiple Agents is best practice for high availability for UserID.

The use of agents helps to offload the userid to IP mapping from the control plane of the firewall.  In this way the agent processes the mapping information into a table which is sent to the firewall.  This both minimizes the work the firewall needs to do and also can reduce the amount of traffic the firewall is sending and receiving.  Another issue, especially for AD integration, is that an Agent running on a Windows member server allows the use of native Windows API's to access the user to IP mapping information.  This makes integration much more seamless since the authentication needed to query this data is provided by the service account configured on the Domain, which is a naive Windows function.

Cheers,

Kelly

How does one install multiple agents on the SAME controller?

With "multiple agents"  it was meant that they are installed on different boxes. Smiley Wink So that when one box dies the other can take over...

Mike

  • 1 accepted solution
  • 5233 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!