PaloAlto Networks User-ID ADDS integration

rwf4 posted this 3 weeks ago

Does anyone have any experiences with this integration that they could share?

Granting DCOM and WMI access to a service account so the PAN firewalls can consume security logs in real time for user-to-IP mapping is not very attractive to this AD admin. I don't think I'm getting a comprehensive view of options from my network guys, given some cursory reading. Hoping someone has been down this path.

TIA

--bob

kurtbuff posted this 3 weeks ago

We're a small environment (one office of about 200, one office of about 40 and another of about 15, the last of which is mostly road warriors - in three different countries, each with its own PaloAlto).

We use User-ID, and it isn't a big deal, but I'll bet that in a larger environment it might not scale all that well.

Kurt


bobfree posted this 3 weeks ago

Thanks Brian. What size is this environment? Do you have round volume numbers?
We already forward everything to QRadar; I wish they could simply consume them.
Appreciate the response.



bobfree posted this 3 weeks ago

That's my concern. It didn't behave well in our lab with a really low volume compared to what we have in prod.
Thanks



BrianB posted this 3 weeks ago

We have 16 Domain Controllers. 60K+ users.

We are using 2 event collectors with the User-ID agent installed on each. PAN worked with me to get the proper REGEX filters in place on the agent. I am told that PAN has the ability to consume from both collectors and perform its own DEDUP. I don't run the PAN so I have to take their word for it.

Brian


BrianB posted this 3 weeks ago

FWIW, I also strenuously objected to YAA (Yet Another Agent) on my DCs and came up with the proposal to use Event Forwarding. There was a little objection at first, but we worked through it and PAN supports it.

Brian

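A concrete form of the collector-based approach Brian describes, added here as an example (it is not Brian's configuration and not PAN's own tooling): a source-initiated Windows Event Forwarding subscription on a collector that pulls only the logon-related Security events from Domain Controllers, so the User-ID agent reads the collector's ForwardedEvents log instead of holding DCOM/WMI rights on the DCs. The subscription name, the event ID list and the GPO prerequisite are my assumptions.

```powershell
# Added example, not from the thread. Run elevated on the event collector.
# Assumes the DCs are pointed at this collector via GPO (Computer Configuration >
# Administrative Templates > Windows Components > Event Forwarding >
# Configure target Subscription Manager) and WinRM is enabled on them.

$SubscriptionName = 'DC-Logon-Events-For-UserID'   # assumed name

# Event IDs: 4624 (account logon), 4768/4769 (Kerberos TGT / service ticket),
# 4770 (ticket renewal). Assumption: verify this list against the User-ID
# documentation for the PAN-OS release in use before relying on it.
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward DC logon events to the collector for User-ID mapping</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4770)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- "HTTP" here is WinRM: Kerberos-authenticated and message-encrypted on 5985 -->
  <TransportName>HTTP</TransportName>
  <!-- RenderedText keeps the readable message body the agent's regex filters see -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Only members of Domain Controllers (well-known SID alias DC) may forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $Path -Value $Xml -Encoding Unicode

wecutil qc /q                 # make sure the Windows Event Collector service is configured
wecutil cs $Path              # create the subscription from the XML above
wecutil gr $SubscriptionName  # runtime status: which DCs are connected, last error per source
```

Only the events listed in the XPath leave the DCs, which keeps collector volume far below "forward everything"; the `wecutil gr` output is the first thing to check when a DC stops showing up.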

Rytis posted this 3 weeks ago

Brian,

Could you please share more details on your solution? Off-list, if necessary.

Thanks!
