I've installed the Palo User-ID agent on a single domain controller (8.0.906) using the Palo Networks guide below:
Our environment already has User-ID running and is working, but due to some server retirement we have had to change the placement of this application.
So I installed the application, gave the dedicated domain service account full control over the Palo User-ID application folder, full control over the registry keys in Wow6432Node (ensured child object permissions for both were replaced) and the service account is already a member of the required AD builtin groups.
I've then added the new server to the firewall and confirmed it is connected (change committed).
However, the logs under Monitoring do not show any activity for user ID collections; the old (existing) server is still pulling them out OK. The only entries I am seeing are:
need to alloc xxxx bytes for big body
I understand this one is normal and can be ignored (https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-...)
New connection 127.0.0.1 : 61332 Device thread 0 with 127.0.0.1 : 61332 is started. Device thread 0 accept finish.
Which I assume is it connecting to itself (domain controller) OK.
can't get prefix from address()
I then see this event a lot. I've modified the include/exclude address ranges (192.168.0.0/16) on the Discovery option, but I can't get this to work.