Install the User-ID Agent

The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer automatically removes the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
  1. Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings.
    1. Add the service account to the Event Log Reader builtin group to enable privileges to read the security log events.
      1. Run the MMC and launch the Active Directory Users and Computers snap-in.
      2. Navigate to the Builtin folder for the domain, right-click the Event Log Reader group and select Add to Group to open the properties dialog.
      3. Click Add and enter the name of the service account that you configured the User-ID service to use, then click Check Names to validate that you have the proper object name.
      4. Click OK twice to save the settings.
    2. Enable the service account to log on as a service.
      1. Select Group Policy Management > Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
      2. Right-click Log on as a service, then select Properties.
      3. Add the service account username or builtin group (Administrators have this privilege by default).
  2. Decide where to install the User-ID agent.
    The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
    For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
    • You must install the User-ID agent on a system running one of the supported OS versions: see “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
    • Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
    • As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
    • To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
  3. Download the User-ID agent installer.
    Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0.
    1. Select Software Updates from the Manage Devices section.
    2. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
    3. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.
  4. Run the installer as an administrator.
    1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
    2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
      C:\Users\administrator.acme> cd Desktop
      C:\Users\administrator.acme\Desktop> UaInstall-6.0.0-1.msi
    3. Follow the setup prompts to install the agent using the default settings. By default, the agent is installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
    4. When the installation completes, Close the setup window.
  5. Launch the User-ID Agent application.
    Open the Windows Start menu and select User-ID Agent.
  6. (Optional) Change the service account that the User-ID agent uses to log in.
    By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
    1. Select User Identification > Setup and click Edit.
    2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
    3. Enter the Password for the specified account.
    4. Commit the changes to the User-ID agent configuration to restart the service using the service account credentials.
  7. (Optional) Assign account permissions to the installation folder.
    You only need to perform this step if the service account you configured for the User-ID agent is neither a domain administrator nor a local administrator on the User-ID agent server host.
    1. Give the service account permissions to the installation folder:
      1. From Windows Explorer, navigate to C:\Program Files\Palo Alto Networks, right-click the folder and select Properties.
      2. On the Security tab, click Edit, then Add the User-ID agent service account and assign it the Modify, Read & execute, List folder contents, Read, and Write permissions, and then click OK to save the account settings.
    2. Give the service account permissions to the User-ID Agent registry sub-tree:
      1. Run regedit32 and navigate to the Palo Alto Networks sub-tree in one of the following locations:
        • 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
        • 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
      2. Right-click the Palo Alto Networks node and select Permissions.
      3. Assign the User-ID service account Full Control and then click OK to save the setting.
    3. On the domain controller, add the service account to the builtin groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
      1. Run the MMC and launch the Active Directory Users and Computers snap-in.
      2. Navigate to the Builtin folder for the domain, right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
      3. Click Add and enter the name of the service account that you configured the User-ID service to use, then click Check Names to validate that you have the proper object name.
      4. Click OK twice to save the settings.
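The permission set that steps 1 and 7 establish can be audited after the fact with the following PowerShell script, added here as an example and not Palo Alto Networks' own code. It assumes the RSAT ActiveDirectory module is installed on the agent host, and the account name, domain and paths are placeholders; the Active Directory builtin groups are named Event Log Readers and Server Operators.

```powershell
# Added audit script (not Palo Alto Networks' code). Confirms that the User-ID
# service account holds the permissions the procedure grants, and flags broader
# rights than the procedure needs. Account and paths below are placeholders.
param(
    [string]$Account    = 'ACME\svc-userid',
    [string]$InstallDir = 'C:\Program Files (x86)\Palo Alto Networks\User-ID Agent',
    [string]$RegKey     = 'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks'
)
Import-Module ActiveDirectory
$sam = $Account.Split('\')[-1]
$findings = New-Object System.Collections.Generic.List[string]

# 1. Domain builtin groups (the AD group names are plural). Server Operators is
#    only needed when the account is not already an administrator.
$member = (Get-ADPrincipalGroupMembership -Identity $sam).Name
foreach ($g in 'Event Log Readers', 'Server Operators') {
    if ($member -notcontains $g) { $findings.Add("not a member of $g") }
}
if ($member -contains 'Domain Admins') { $findings.Add('account is a Domain Admin (over-privileged for the agent)') }

# 2. Install-folder ACL: the procedure grants Modify; FullControl is more than needed.
$fs = (Get-Acl -Path $InstallDir).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
if (-not $fs) { $findings.Add("no ACE for $Account on $InstallDir") }
elseif ($fs.FileSystemRights -match 'FullControl') { $findings.Add("FullControl on $InstallDir (Modify is sufficient)") }

# 3. Registry sub-tree ACL: the procedure grants Full Control here.
$reg = (Get-Acl -Path $RegKey).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
if (-not $reg) { $findings.Add("no ACE for $Account on $RegKey") }

# 4. "Log on as a service" (SeServiceLogonRight) in the effective local policy.
#    secedit lists SIDs prefixed with '*'; only a direct grant is detected here,
#    a grant inherited through group membership is not resolved.
$cfg = Join-Path $env:TEMP 'userid-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid = (Get-ADUser -Identity $sam).SID.Value
$right = Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
if (-not $right -or $right -notmatch [regex]::Escape("*$sid")) {
    $findings.Add("$Account lacks a direct SeServiceLogonRight grant on $env:COMPUTERNAME")
}

if ($findings.Count -eq 0) { "OK: $Account has the expected User-ID agent permissions" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the agent host, since secedit and the registry ACL read require administrator rights.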
