PaloAlto Networks User-ID ADDS integration

  • Last Post 08 March 2017
rwf4 posted this 08 March 2017

Does anyone have any experiences with this integration that they could share?

Granting DCOM and WMI access to a service account so the PAN firewalls can consume security logs in real time for user-to-IP mapping is not very attractive to this AD admin. I don't think I'm getting a comprehensive view of options from my network guys, given some cursory reading. Hoping someone has been down this path. TIA --bob

Rytis posted this 08 March 2017

Brian,

Could you please share more details on your solution? Off-list, if necessary.

Thanks!


BrianB posted this 08 March 2017

FWIW, I also strenuously objected to YAA (Yet Another Agent) on my DCs and came up with the proposal to use Event Forwarding. There was a little objection at first, but we worked through it and PAN supports it.


Brian  


BrianB posted this 08 March 2017

We have 16 Domain Controllers. 60K+ Users.


We are using 2 event collectors with the User-ID agent installed on each. PAN worked with me to get the proper regex filters in place on the agent. I am told that the PAN has the ability to consume from both collectors and perform its own dedup. I don't run the PAN, so I have to take their word for it.


Brian

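The collector-side setup Brian describes, as an added example that is not from the thread or from Palo Alto Networks: a source-initiated Windows Event Forwarding subscription on the collector that accepts only the logon-related Security events the User-ID agent reads (4624, 4768, 4769, 4770), pushed by the domain controllers over WinRM. With this model the DCs need no DCOM/WMI grants for a service account; they need only the WEF client GPO pointing at the collector and read access to the Security log for the forwarding service. The subscription name, collector FQDN and description are placeholders chosen for this example.

```powershell
# Added example (not from the original post): register a source-initiated WEF
# subscription on a collector so DCs push logon events, instead of giving a
# service account DCOM/WMI rights on every DC.
#
# Assumptions (placeholders, adjust to taste):
#   - this runs elevated on the event collector
#   - the DCs get the GPO "Configure target Subscription Manager" pointing at
#     Server=http://<collector FQDN>:5985/wsman/SubscriptionManager/WEC
#   - the DCs' NETWORK SERVICE can read the Security log (Event Log Readers
#     group, or the channel access SDDL) - a standard WEF prerequisite

$SubscriptionName = 'PAN-UserID-Logons'   # placeholder name

# One-time setup of the Windows Event Collector service (starts it, sets
# automatic startup, enables the ForwardedEvents channel). /q = no prompts.
wecutil qc /q

# SDDL "DD" is the Domain Controllers group: only DCs may push into this
# subscription. Use "DC" (Domain Computers) if member servers should too.
$AllowedSources = 'O:NSG:BAD:P(A;;GA;;;DD)S:'

# XPath filter for the events User-ID uses for user-to-IP mapping:
#   4624 account logon, 4768 Kerberos TGT, 4769 Kerberos service ticket,
#   4770 Kerberos ticket renewal. Filtering here, on the collector's
# subscription, keeps everything else from ever leaving the DCs.
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4770)]]
    </Select>
  </Query>
</QueryList>
'@

# MinLatency pushes events as they occur (near real time), which is what a
# user-to-IP mapping needs; MinBandwidth would batch them for minutes.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/windows/eventlog/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events forwarded from DCs for the User-ID agent (example)</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$AllowedSources</AllowedSourceDomainComputers>
</Subscription>
"@

# wecutil reads the subscription definition from a file.
$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding ASCII
wecutil cs $XmlPath

# Verify the subscription and see which DCs have checked in (the runtime
# status lists each source and its last heartbeat).
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName

# Sanity check on the collector: the newest forwarded event and its source DC.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 |
    Select-Object TimeCreated, Id, MachineName
```

The User-ID agent on the collector is then configured to read from that collector rather than from the DCs themselves, which is where the regex filters Brian mentions apply. Run the same script on the second collector for redundancy; both will receive the same events, which is why the firewall-side dedup Brian was told about matters.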

bobfree posted this 08 March 2017

That's my concern. It didn't behave well in our lab with a really low volume compared to what we have in prod.
Thanks


bobfree posted this 08 March 2017

Thanks Brian. What size is this environment? Do you have round volume numbers?
We already forward everything to QRadar; I wish they could simply consume them.
Appreciate the response.


kurtbuff posted this 08 March 2017

We're a small environment (one office of about 200, one office of about 40 and another of about 15, the last of which is mostly road warriors, in three different countries, each with its own PaloAlto).

We use User-ID, and it isn't a big deal, but I'll bet that in a larger environment it might not scale all that well.

Kurt
