The customer wants to know the query mechanism of agentless user-id. I can see the following description from the documentation.
With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.
However, the customer asked two questions. I did not find the answers. Can you help answer.
1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.
2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).
... View more