We are using the Windows-based User-ID agent on a Palo Alto firewall for User-ID mapping.
We have an existing setup with the AD domain abc.com, for which User-ID mapping is implemented on the PA firewall; the User-ID agent is installed on the abc.com domain controller and it is working fine without any issues.
Now we are creating a completely new domain, xyz.com, with a dedicated AD server. We are able to implement group mapping for the xyz.com domain on the firewall.
Now we are planning to install the User-ID agent on the xyz.com domain controller as well and configure agent-based User-ID mapping for it.
I came across some articles which explain that User-ID mapping on a Palo Alto firewall cannot be implemented for two completely different domains.
Thanks in advance!!
I did this a few weeks ago. The firewall itself can connect directly ('integrated User-ID') to AD servers, but this can only be done for one domain, and maybe that is what you read in the articles. The second domain must use the User-ID Agent installed on a member server of that domain. There is no problem with the first domain also using the User-ID Agent instead of the integrated method.
You need to have two LDAP profiles and two Group Mapping profiles, one for each domain.
The User-ID Agent will send IP-to-user mappings for its domain, and if you type 'show user ip-user-mapping all' you should be able to see usernames from both domains, such as 'microsoft\username1' and 'contoso\username2'.
Hope this helps,
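To verify the two-domain setup described in the answer above, here is an added example (not code from the thread or from Palo Alto) that parses the output of 'show user ip-user-mapping all', counts mappings per domain prefix, and flags any expected domain with no mappings or any entry without a domain prefix. The sample output, the IPs and the usernames are constructed, and the column layout is assumed to follow the usual PAN-OS format.

```python
import re
from collections import defaultdict

# Constructed sample of 'show user ip-user-mapping all' output (hypothetical hosts/users).
# Column order (IP, Vsys, From, User, IdleTimeout, MaxTimeout) is an assumption.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.10.1.21      vsys1  UIA     abc\\alice                       2693           2700
10.10.1.22      vsys1  UIA     abc\\bob                         1200           2700
10.20.5.7       vsys1  UIA     xyz\\carol                       2640           2700
10.20.5.9       vsys1  UIA     dave                             2700           2700
Total: 4 users
"""

# One mapping row: IPv4, vsys, source (e.g. UIA = User-ID Agent), user, two timeouts.
MAPPING_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per IP-to-user mapping line; header, separator and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue
        ip, vsys, source, user, idle, maxt = m.groups()
        domain, _, account = user.rpartition("\\")  # '' domain if no 'DOMAIN\' prefix
        rows.append({"ip": ip, "vsys": vsys, "from": source,
                     "domain": domain.lower(), "user": account,
                     "idle": int(idle), "max": int(maxt)})
    return rows

def check_domains(rows, expected):
    """Count mappings per domain; list expected domains with none, and unqualified users."""
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["domain"]].append(r)
    missing = sorted(d for d in expected if d.lower() not in by_domain)
    unqualified = [r["ip"] for r in rows if not r["domain"]]
    return {"per_domain": {d: len(v) for d, v in by_domain.items() if d},
            "missing": missing, "unqualified": unqualified}

if __name__ == "__main__":
    print(check_domains(parse_mappings(SAMPLE_OUTPUT), ["abc", "xyz"]))
```

An unqualified entry (no 'DOMAIN\' prefix) is worth investigating, since group-based policy for that user cannot match a group mapping profile that expects domain-qualified names.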