This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jezkerwin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jezkerwin
04-17-2023
15Posts
0Likes
0Solutions
Apr 17, 2023Last Visited
User
Activity
User
Profile
Latest posts by jezkerwin
| Subject | Views | Posted |
|---|---|---|
| 4418 | 04-16-2018 06:14 PM | |
| 4674 | 04-12-2018 12:17 AM | |
| 4762 | 04-09-2018 05:34 PM | |
| 1241 | 08-10-2016 03:22 PM | |
| 2401 | 07-21-2016 05:22 PM | |
| 2414 | 07-21-2016 05:45 AM | |
| 2447 | 07-20-2016 06:48 PM | |
| 2434 | 05-11-2016 11:30 PM | |
| 2466 | 05-10-2016 09:59 PM | |
| 1697 | 03-22-2016 03:45 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-21-2016 04:45 PM |
| Date Last Visited | 04-17-2023 12:53 AM |
| Posts | 15 |
04-16-2018
06:14 PM
Thanks for your reply @Remo, Aren't there some features that Agentless UserID doesn't haved compared to the Agent? The problem I had when the remote firewalls were talking to the Core UserID agent was the time it took for the database to update with the IP address, so some users were waiting a long time for the rules to reconigse they had logged onto the network. I suspect I have some configuration settings in terms of time to retrieve logs, etc, aren't configured correctly (I've just used the defaults of the agent install). While our network links don't go offline that often, I wouldn't describe them as reliable which is why I went down the path of local UserID agents at the main datacentre sites other than HQ. Perhaps I could look at the panorama to distribute the database. The other option I was thinking is this. We have 2 sites that are the biggest. each site has 2 x userID agents installed and configured. The F/Ws at those sites are configured for the local UserID agents. then those local F/Ws are configured to distribute their databases to all the other F/Ws in the environment.
... View more
04-12-2018
12:17 AM
Thanks for your reply. At the moment, we don't have a need to use UserID across firewalls and VSYS, however I do see a need in the future so I would the answer to that question is yes. We use Panorama and all the firewalls are configured to talk to it. we use it for firmware updates but due to the nature of our enviornment, we're not using it for rule managmenet. The domains do exist within the same environment so there is a trust between them. I didn't know we could use Exchange. In some cases a user would be using a workstation that doesn' have Outlook. The exchange environment sits in a resource type forest, there is a forest trust between those domains. We use OCS that for most people starts automatically. I think the questions are still open for me are, do I continue to use direct polling to the domain controllers or implement something with event forwarding, the location of the userID agent on the network for best performance and the firewall configuration to query them and how to implement redundancy incase one of the userID agents fails. Thanks again for your help.
... View more
04-09-2018
05:34 PM
Hi everyone. We currently have a small rollout of UserID across 2 of our firewalls across 2 sites. I think there are some gaps in performance and redundancy and I'd like people's opinions about the best way to deploy UserID. Bit of background about our environment. We have approx 40 domain controllers spread across 2 domains over 10-15 sites User accounts exist in both domain domains Computer accounts exist in 1 domain. Each site has a PA Firewall with multiple vsys, zones, vlans etc. Right now we have 1 UserID agent installed on a server that queries all the domain controllers of the computer account domain in the HQ site, the FW at that site queries that user-id agent. At the next biggest site, the userid agent is only query the DCs for that site and the FW at that site queries the local userID agent with a backup at the HQ site. I'm sure this isn't the best way to do it, so I welcome any suggestions on how to improve. Thanks.
... View more
08-10-2016
03:22 PM
Hello, We are starting to deploy UserID based policies across our enterprise. I'd like to know what is the best practice when dealing with rule policies that cross multiple zones/firewalls that are in different locations? Does the user portion of the rule only need to be as close to the client then go to network rules in between the firewalls and resource or can userID go through the entire network path from client/user to resource? Thanks,
... View more
07-21-2016
05:22 PM
Yeah, I'm talking about the nomenclature of the AD security groups themselves. I guess I'm in a different position where I have the input in naming both.
... View more
07-21-2016
05:45 AM
I'm interested to learn how people name their groups within Active Directory that are used within the Palo Alto Firewall Policies. Are they named randomly or does the name of the group identify what the policy does within the firewall. I'm looking to come up with a naming scheme for myself that makes sense, is easy to manage and has relevance when identifying the policy within the firewall so I'd like to learn if others have come up with a scheme or system that they use that I could draw inspiration on for my requirements. For example, if a policy is giving RDP access to a bunch of servers on floor 3 of office 1 is the rule named 'Off_1_Flr_3_RDP_allow' or is it called 'access to rdp for developers'.
... View more
07-20-2016
06:48 PM
Hi all, I'd be interested to here is anyone has come up with interesting naming schemes for AD groups used within Palo Alto firewall policies. I'm looking for inspiration as I'm looking to come up with a logical scheme on our end. Cheers.
... View more
05-11-2016
11:30 PM
Hey thanks for the reply, it certainly does help. I have a couple of follow up questions if you dont mind, just to help me get it clear in my head.
1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)
2) For each of the LDAP profiles you use for the each of the domain are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to LDAP port (389) or the Global Catalog (3268)
3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.
4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?
Thanks for you help, I really appreciate it, this'll get me out of jam if I get it going.
Cheers.
... View more
05-10-2016
09:59 PM
Hi I'm attempting to implement userID on PAN-OS 7.0.6 within a multi-domain forest.
All of our workstations exist on one domain and users logging into those workstations exist on another domain within the same forest. I have the UserID agent setup on a member server on the workstation domain and it can correctly map the IP address to usernames on the user domain.
The issue I'm having is that within the policy if I set a group name in the workstation domain, it cannot match to the username which is being correctly identified within the monitor tab
I've seen articles dealing with multiple domains in a single forest but they tend to assume that the domains all have a contiguous DNS name space. Our environment doesn't have that, the user domain and workstation domain names are completley different (legacy reasons, I dont like it 🙂
Has anyone dealt with this before in the past?
... View more
03-22-2016
03:45 AM
correct, in the monitor tab I can correctly see domainB\user being resolved.
in the policy though, if I configure domainA\group as the user and domainB\user is a member of that group, it wasn't resolving the lookup to the group and the policy would fail.
I'm not sure which group type to user Global, Domain Local, Universal. I have the LDAP server profile talking to the Global Catalog.
I'll try with the second LDAP profile talking to domainB and see if that works.
... View more
03-21-2016
10:27 PM
Hi everyone.
I'm trying to setup a User-ID installation for our multi-domain Active Directory environment.
Here is a rundown on what we have
DomainA = Workstations, groups, users, servers, etc. The main domain where everything is conducted
DomainB = legacy domain where some user accounts are located.
I've installed the User-ID agent on a Windows VM running in DomainA and have configured the PA F/W to talk to DomainA for LDAP and User-ID.
The Groups that I want to use as part of the Policy are located in DomainA. Those groups have members from DomainB.
In the monitor tab I can see users from DomainB being matched correctly and if I set the policy to a user directly it will match. However where I'm having issues is that if I specifiy a group in DomainA as part of the policy, it's not matching for the user in DomainB.
So my question is (after that long winded explanation), can my wanted setup work or do I have to do thing differently?
Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-17-2023
12:53 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks