06-16-2025 07:49 PM
Does anyone have a step-by-step guide for setting up a User-ID agent on a DC, mapping IP addresses to users and redistributing this data in Strata Cloud Manager? Currently, the User-ID agent is pulling data from the servers and has IP-User entries. However, only mobile users are being mapped in the Firewall logs in Strata.
Also, the User-ID agent does not show that it is connected to any devices, i.e. Prisma/Firewall.
08-14-2025 06:59 AM
I think this is what you are looking for: Manage: Identity Redistribution
08-14-2025 05:24 PM
Thank you for the link. Yes, that document indeed helped. I will add the full workflow in this thread for anyone who may also need it.
08-14-2025 05:46 PM
The workflow in my SD-WAN environment, for anyone who may need it.
1. Install the Windows User-ID agent on a server to collect auth logs from DCs/IDPs. See "Step-by-Step Palo Alto Windows User-ID Agent Setup Guide [2024]" by NetSums on YT.
2. A virtual FW is required per Palo documentation. Deploy a VM (see the VM-Series Deployment Guide) and configure the Windows User-ID agent as a Data Redistribution agent in the PA-VM.
3. Ensure Security policies exist on the PA-VM to allow communication between the PA-VM and the Windows User-ID agent. (The server end also needed a firewall rule in my case to allow connections on port 5007.) Monitor >> User-ID on the PA-VM should be populated afterwards.
4. Use an existing SC or create a new one per Manage Identity. Depending on your end goal, add the PA-VM as a redistribution agent sending to RN or SC nodes.
5. If configured correctly, Device > Data Redistribution >> Clients on the PA-VM will be populated with the EBGP router address of the SC. Firewall/User-ID logs in Strata will also reflect the PA-VM as the Mapping Data Source.
🙂
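The step-3 firewall rule for TCP 5007 is where the "agent shows no connected devices" symptom from the opening post usually comes from. The following probe is an added example (not code from the thread or from Palo Alto Networks): run from a host on the PA-VM side of the path, it attempts the TCP handshake to the agent and classifies the failure so you can tell a silently dropped packet (host firewall or security policy) from a service that is not listening. AGENT_HOST is a placeholder; only the port number comes from the thread.

```python
"""Probe the Windows User-ID agent listener (TCP 5007) and report *why*
a connection fails. Added example, not part of the thread; AGENT_HOST is
a placeholder and the port is the one named in the workflow above."""
import socket

AGENT_HOST = "192.0.2.10"   # placeholder (RFC 5737 documentation range)
AGENT_PORT = 5007           # User-ID agent listener port from the thread
TIMEOUT_S = 3.0


def classify_error(exc):
    """Map a socket failure to a diagnosis a firewall admin can act on."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # SYN never answered: typically a host firewall or an upstream
        # security policy silently dropping port 5007.
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        # Host reachable but nothing listening: agent service stopped or
        # bound to a different port.
        return "refused"
    if isinstance(exc, socket.gaierror):
        return "dns-failure"
    if isinstance(exc, OSError):
        # e.g. "No route to host": routing/NAT problem before the server.
        return "unreachable"
    return "unknown"


def probe_agent(host=AGENT_HOST, port=AGENT_PORT, timeout=TIMEOUT_S):
    """Return 'open' when the TCP handshake completes, else a failure class."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except Exception as exc:  # every socket-level error is classified
        return classify_error(exc)


# What to check next for each outcome, following the thread's workflow.
NEXT_STEP = {
    "open": "Agent port reachable; verify the Data Redistribution settings on the PA-VM.",
    "timeout": "Packets dropped: add/verify the server firewall rule and PA-VM policy for TCP 5007.",
    "refused": "Host answers but nothing listens: start the User-ID agent service / check its port.",
    "dns-failure": "Name does not resolve: use the agent IP or fix DNS.",
    "unreachable": "No route to the agent host: check routing/NAT between PA-VM and server.",
    "unknown": "Unexpected error; inspect the exception.",
}

if __name__ == "__main__":
    result = probe_agent()
    print(f"{AGENT_HOST}:{AGENT_PORT} -> {result}: {NEXT_STEP[result]}")
```

A "timeout" result is the one that points at step 3: the handshake never gets an answer because a firewall in the path drops it, whereas "refused" means the path is fine and the agent itself needs attention.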
08-26-2025 04:48 AM
Hi T.
In all honesty, start as soon as possible to use Cloud Identity Engine as a replacement. It is so much easier to deploy (free) and manage, and it also uses much fewer firewall and network resources. This can slowly be integrated into your existing environment without causing any disruption, as it can be run during migration in parallel with legacy User-ID. It's really a no-brainer, and I no longer even consider using User-ID.
08-28-2025 05:07 PM
Thanks for the recommendation, Gabriel. I will look into the CIE and see how we go with that. If you do have any useful links/docs, please feel free to share them. Thanks!