User-ID

jdprovine · ‎11-29-2017

When enabling user-id where does it check against to get the information to identify the users? I have it turned on for serveral zones and it only seems to work on the VPN user-id's.

jdprovine · ‎12-21-2017

@BPry

It seems like in any of these scenarios there could be the potential for increased load somewhere and increased logging. I currently have two DC's and two PA firewalls, one in passive mode. I have no panorama server though I do have some syslog server that i am sending some not all the PA log information.

I am going to start planning for my upgrade to 8 to occur during summer break, hopefully so I can take advantage of the additional features.

Concerning my SE, they keep changing. I have been asking about some of the options but so far we haven't really discussed what would work best in my environment, the issue came up as a recommendation via a quarterly healthcheck.

My real desire was to have a method that is as simple as possible and give me only the userid information that would give me the best security tracking capability

MickBall · ‎12-21-2017

I started off using the one within the firewall but as @BPry Stated it depends on sizing.

as our firewalls grew well into double figures along with almost as many DCs it was an obvious move and helped to streamline the process of additional firewalls.

the traffic generated between agent and DC is a constant hum but only updates and address changes are forwarded to firewall

i do like the autodiscover on the agent, works well as long as your DNS is up to scratch.

i also like the gui, you can see the log generation in real time and can search for users to check ip status.

this of course is available via PA cli but for someone like myself that can only remember such commands as .......

format c: /y............ its a no brainer.

however... we had no issues with th local agent when used.

BPry · ‎12-21-2017

@jdprovine,

Essentially your passing the load onto something regardless of which method you are using. Do you want the load to be on the firewall or the agent; most people would go with agent simply because it's cheaper to add resources than generating a heavy load on your Management Plane.

As @MickBall pointed out the Agent scales very nicely, the agentless method doesn't really scale all that well if you were to experiance growth within your enviroment. The GUI of the agent is also nicer if you don't like working out of the CLI, since the CLI is where I spend the majority of my time I don't really see that as a big advantage.

If you are just implementing user-id now I would generally lean towards the agent. That being said, your on the range where if you don't see yourself growing in size anytime soon the agentless method should work perfectly fine for you.

User-ID

User-ID

Show your appreciation!