Palo Alto User-ID w/Windows Agent

Owned by Bob Kirk
Nov 14, 2024
1 min read

This will provide an overview of the components involved in the user-id (user to IP mapping) information present in the Palo Alto 5220 traffic monitor tabs.

For full reference please see Jira ticket 131187;


IT-131187 - Getting issue details... STATUS


In short, the Palo Alto (PA) User-ID (uid) agent resides on system DHCP01. A service account in Active Directory (AD) named "paloagent01" is configured to have the appropriate permissions and group/service memberships to access and read the security logs on all four Domain Controllers (DC's). This agent runs as this service account, and then provides the filtered information to the 'Data Redistribution" function of the PA device for use in various Monitor displays, correlating some IP addresses as source and user logged in on that device. I say some since many networks at LC such as wireless SSIDs "lambtonwireless" and "Residence" do not require login authentication to AD and so do not have relevant information to extract from DC system logs.

Of note with respect to the installation process, a DWORD registry entry must be made and local security policy for credentialed and kerberos logins much be made on each DC for this to work. The former allows the system to permit the service account to access the security log and the latter to actually log success and failure login attempts (in spite of the default Domain Controller Group Policy already configured to allow).

Palo Alto Case ID 03271271 contains interaction with Palo Alto technical support, in addition to what is included in the above linked Jira ticket.