Can anyone clarify for me what the best practice recommendations are for the User-ID agent? Prior to v5 it was clear that they should ideally run on the domain controllers or on servers close to them. However, with the option of running on-box, is this now the preferred option, and are there any limitations or side-effects of doing so?
I would not recommend using the new agentless UID approach yet:
- AD user accounts with umlaut characters cannot be excluded (a support case is already open)
- It seems networks cannot be excluded from user-IP mapping either --> https://live.paloaltonetworks.com/thread/6903
I had some strange behaviour with the agentless setup which I could not reproduce in the lab.
I would recommend sticking with the UID Agent for now. Just my two cents.
The reason the recommendation was to run the User-ID agent on a domain controller was that the communication between the domain controller and the User-ID agent is very chatty. That's why, to keep that chattiness local, the User-ID Agent was expected to run on the domain controller itself.
If you now run the agentless User-ID on the firewall itself, you'd still see the chattiness between the PAN firewall and the domain controllers, so that may be something to consider.
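One of the complaints above is that the agentless setup cannot exclude networks from user-IP mapping. The script below is an added example (not code from the thread or from Palo Alto Networks) of how to check for that on a running box: it parses the XML that the operational command `show user ip-user-mapping all` returns when run through the XML API with `type=op`, and reports any mapping whose IP falls inside a network you intended to exclude (server VLANs, VPN pools, and so on). The `<entry>` layout, the sample response and the excluded network list are assumptions constructed for the example; swap in the real API response and your own networks.

```python
"""Flag User-ID IP-to-user mappings that sit inside networks that should be excluded.

Added example, not from the thread. Parses the XML returned by the PAN-OS
operational command `show user ip-user-mapping all` (XML API, type=op) and
reports mappings whose IP is inside a network the admin wanted to exclude.
The <entry> layout and the sample document below are assumptions /
constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample response (assumed shape of the op-command output).
SAMPLE_RESPONSE = """<response status="success">
  <result>
    <entry>
      <ip>10.1.1.25</ip><vsys>vsys1</vsys><type>AD</type>
      <user>corp\\jdoe</user><idle>2700</idle><timeout>2700</timeout>
    </entry>
    <entry>
      <ip>10.9.0.7</ip><vsys>vsys1</vsys><type>AD</type>
      <user>corp\\svc-backup</user><idle>1800</idle><timeout>2700</timeout>
    </entry>
    <entry>
      <ip>192.168.50.3</ip><vsys>vsys1</vsys><type>AD</type>
      <user>corp\\asmith</user><idle>600</idle><timeout>2700</timeout>
    </entry>
  </result>
</response>"""

# Hypothetical networks the admin does not want mapped (server VLAN, VPN pool).
EXCLUDED_NETWORKS = ["10.9.0.0/16", "192.168.50.0/24"]


def parse_mappings(xml_text):
    """Return a list of (ip, user, type) tuples from the op-command XML."""
    root = ET.fromstring(xml_text)
    mappings = []
    for entry in root.iter("entry"):
        ip = entry.findtext("ip")
        user = entry.findtext("user")
        kind = entry.findtext("type")
        if ip and user:
            mappings.append((ip, user, kind))
    return mappings


def find_leaked_mappings(xml_text, excluded_networks):
    """Mappings whose IP lies inside any excluded network, sorted by IP.

    Each result is (ip, user, matching_network) so the report shows which
    exclusion should have caught the mapping.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in excluded_networks]
    leaked = []
    for ip, user, _kind in parse_mappings(xml_text):
        addr = ipaddress.ip_address(ip)
        hit = next((n for n in nets if addr in n), None)
        if hit is not None:
            leaked.append((ip, user, str(hit)))
    return sorted(leaked, key=lambda t: ipaddress.ip_address(t[0]))


if __name__ == "__main__":
    for ip, user, net in find_leaked_mappings(SAMPLE_RESPONSE, EXCLUDED_NETWORKS):
        print(f"{ip:<16} {user:<20} inside excluded {net}")
```

Run it periodically against the live API output; any line it prints is a mapping the firewall built from a network you did not want mapped, which is exactly the side-effect the first reply warns about.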
Just an update: currently running 5.0.4 due to some other bugs that were in 5.0.1. It feels stable, but I have only been running this version for about a week now, and I am aware that there are a few bugs that may affect our deployment, but it's the best we can do while we wait for 5.0.5 to be released.