Implementing User Identification via AD

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Implementing User Identification via AD

Not applicable

Hi everybody,

I'm trying to implement user identification via active directory on PA-200. I've added the AD server under Device -> LDAP and added group mapping under Device -> User Identification.Now I guess I need to install user-ID agent on a local machine but I can't find a download link for this app.

Is it possible to implement user identification without this user-id agent?

Can anyone provide a simple guide for this whole process? I'm using few documents but wasn't able to find a single document that explains this procedure from start to end on a simple example.




Not applicable

Hi Damir

I'm not much help, as I'm trying to figure this out too.  But I did find the User ID Agent software here;

Palo Alto Networks</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /...

L5 Sessionator


You need  the agent to get ip to user mapping. You can download the agent from the support portal:

Palo Alto Networks</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /...

This document walks you through the installation procedure for the PANOS 4.1.



Don't forget to enable user identification on your trusted zone.  I missed that tick box, and spent over an hour trying to figure out why it wasn't working.

Thanks Shaun, I'll try it with this guide, it's actually what I was looking for...

OK, this was the first step, now I need to configure the User-ID Agent and PA Firewall.

I have configured an User-id agent under Device -> User Identification -> User-ID Agents but its Connected Status is Red. And yes, I have enabled user identification on the trusted zone.

Another interesting thing is that I can't see any logs on the User-ID Agent. I see all users that are active one the network under the Monitoring option but no logs.


It looks like I forgot to add the PA-200 to the list of allowed devices to access the User-ID agent. Now it works fine as far as I can see.



Message was edited by: Damir Porobic

THIS ^. I did not know that checkbox was there under the zone config. Would have been here all day...

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!