06-18-2010 08:22 AM
Hello,
I am new to the Palo Alto Networks firewall device (model PA-500). I have it deployed in my environment but am just letting it pass all traffic right now; I want to get a handle on the traffic before I start limiting things. In any case, I would like to have the PA-500 identify AD users and groups for our domain. I've tried to research this and saw a bit about a user ID agent, but I'm not quite understanding if this is necessary or not. So my questions are:
- Can the PA-500 communicate directly with my domain controllers and therefore eliminate the need for a user ID agent?
- If the user ID agent is needed, do I just need to install this on one computer (i.e. one of my DCs) or is this needed on each client PC? Does this agent have to run continuously for user ID to work?
I know these are basic questions, but most of the material I've seen on this is really about installing the user ID agent and not about in what situations it is needed. Thank you in advance.
06-18-2010 09:01 AM
Hey there,
Yes, the PAN Agent is required to see UserIDs in the logs and to be able to set policy by UserID. Make sure to install the correct PAN Agent as there are a couple now with the latest versions (one for LDAP and one for AD). You can also use the Terminal Services Agent in conjunction with the PAN Agent to get UserID mappings on a Citrix or Terminal server.
Most customers install a single agent on a Windows member server that is configured to talk to their Domain Controllers. The firewall is configured to communicate with the Agent. Some customers choose to install multiple Agents directly on the Domain controllers and the firewall is configured to communicate with all of them. Both approaches or a combination will work - it just comes down to what is best for your environment. The Agent does need to run continuously for best results.
Cheers,
Kelly
06-18-2010 01:30 PM
Thank you for the advice, Kelly. I'm actually surprised that the firewall device does not communicate directly with AD. Doesn't this design just introduce a point of failure? If my policies are based around usernames, but the agent stops responding (service down, server is shut down, etc.) will my policies fail open or closed? I guess I will probably deploy multiple agents to minimize this possibility.
Thank you again!
06-18-2010 04:42 PM
Using multiple Agents is best practice for high availability for UserID.
The use of agents helps to offload the userid to IP mapping from the control plane of the firewall. In this way the agent processes the mapping information into a table which is sent to the firewall. This both minimizes the work the firewall needs to do and also can reduce the amount of traffic the firewall is sending and receiving. Another issue, especially for AD integration, is that an Agent running on a Windows member server allows the use of native Windows APIs to access the user to IP mapping information. This makes integration much more seamless since the authentication needed to query this data is provided by the service account configured on the Domain, which is a native Windows function.
Cheers,
Kelly
06-20-2011 11:26 AM
How does one install multiple agents on the SAME controller?
06-20-2011 11:58 AM
By "multiple agents" it was meant that they are installed on different boxes, so that when one box dies the other can take over...
Mike
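Once several agents are deployed on separate boxes as Kelly and Mike describe, the firewall itself can confirm that it is connected to each one and is actually receiving mappings. The following PAN-OS CLI checks are an added example, not part of the thread; the command syntax assumes a current PAN-OS release (output and syntax on the 2010-era release may differ), and 10.0.0.5 is a constructed client address.

```text
# Lists every configured User-ID agent and whether the firewall is connected
# to it. An agent whose host is down shows as not connected here, so this is
# the state to monitor rather than waiting for user-based rules to stop matching.
> show user user-id-agent state all

# Per-agent counters (mappings received, connection errors). Comparing agents
# side by side shows one that has silently stopped sending updates.
> show user user-id-agent statistics

# The user-to-IP mapping table the firewall currently holds, as built from the
# tables the agents send it.
> show user ip-user-mapping all

# Look up a single client (10.0.0.5 is a constructed example). An address with
# no entry has no user identity for user-based policy to match on, which is
# the situation to test before relying on username-based rules.
> show user ip-user-mapping ip 10.0.0.5
```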