User-ID Agent or Agentless User-ID


L0 Member


What is the difference between User-ID Agent and Agentless User-ID?  Why would I use one over the other?

L4 Transporter

One would use the User-ID agent if you have a distributed DC setup across multiple WAN locations. That way you can run the User-ID Agent on each DC at the remote location and keep their chatter local.

Then only send the filtered (specific IP to user mappings) across the WAN to a head end firewall.

If, however, you'd like to keep everything under one administrator group's control (sometimes server folks and network folks have trouble sharing info), then it may be easier to simply run User-ID agentless on the firewall. That way, only access to AD via the LDAP admin account will be needed for the firewall to talk to the DCs. This would be preferred in cases where the DCs and firewall are all local and there is no WAN link to cross.

L7 Applicator

The basic difference between agent and agentless is as follows:

  • The User-ID agent installs on a Windows computer and collects the user-to-IP mappings for forwarding to the firewall
  • Agentless User-ID runs on the firewall and queries the Windows servers to retrieve the user-to-IP mapping information

The User-ID agent can be installed multiple ways:

  • Install directly on each domain controller and collect local data
  • Install on one computer and query data from multiple domain controllers from this location

General considerations:

  • Each domain controller in your AD domain has local-only copies of the login mappings you need, so all must participate in User-ID in some way
  • If you have a lot of processing on the firewall and a lot of domain controllers, then agentless User-ID may not be practical
  • If your AD computers are spread around multiple WAN links, the traffic generated by agentless User-ID may be problematic

The best source for the gory details is the User-ID Best Practices documentation.

User-ID Best Practices - PAN-OS 5.0, 6.0

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
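The two replies above make the same architectural point: every DC only knows about the logons it authenticated itself, so a per-site agent has to consolidate all local DCs and then ship only the filtered mappings across the WAN. The following toy model of that consolidate-and-forward step is an added example, not PAN-OS or User-ID agent code; the record fields, the sample logons and the "last sent" table are all constructed for illustration.

```python
"""Toy model of a per-site User-ID agent: merge logon records from several
local domain controllers into one IP-to-user table, then forward only the
changes across the WAN. Constructed example, not Palo Alto Networks code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonRecord:
    dc: str    # which DC recorded the logon (each DC holds only its own logons)
    ip: str    # client IP seen at logon
    user: str  # account name
    ts: int    # logon time as an epoch second


def consolidate(records):
    """Newest logon per IP wins. Records from every DC at the site must be
    fed in, because no single DC has the complete picture."""
    latest = {}
    for r in records:
        cur = latest.get(r.ip)
        if cur is None or r.ts > cur.ts:
            latest[r.ip] = r
    return {ip: r.user for ip, r in latest.items()}


def delta(previous, current):
    """Only mappings that are new or changed cross the WAN to the head-end
    firewall; unchanged entries stay local and generate no traffic."""
    return {ip: u for ip, u in current.items() if previous.get(ip) != u}


# Constructed sample: two DCs at one remote site with overlapping clients.
SAMPLE = [
    LogonRecord("dc1", "10.1.1.10", "alice", 100),
    LogonRecord("dc2", "10.1.1.10", "bob", 140),    # later logon from the same IP
    LogonRecord("dc1", "10.1.1.20", "carol", 110),
    LogonRecord("dc2", "10.1.1.30", "dave", 120),
]
# Constructed state: what this site last forwarded to the head-end firewall.
LAST_SENT = {"10.1.1.20": "carol", "10.1.1.30": "erin"}

if __name__ == "__main__":
    mapping = consolidate(SAMPLE)
    for ip, user in sorted(delta(LAST_SENT, mapping).items()):
        print(f"forward {ip} -> {user}")
```

With the sample data, only the two changed mappings (10.1.1.10 and 10.1.1.30) are forwarded; carol's unchanged entry never leaves the site.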