Tech Note
PAN-OS 4.1
Revision A
Contents
Overview
Installation
Provisioning the Agent Account
Revision History
Overview
This document outlines the steps to install the 4.1.x version of the Palo Alto Networks User
Identification (User-ID) Agent on a member server in a domain. It assumes that no prior version of the
User-ID Agent has been installed.
Installation
This example describes the steps needed to install the User-ID Agent on a Windows 2008 member server
that is part of the domain corp.local. The agent will be configured to use the service account
agent_user, which is not an administrative account on the member server or in the domain.
1.
2. On the member server, launch a command prompt as an administrator. To do this, right-click
the command prompt icon on the Start menu and choose the Run as administrator
option.
3. In the command prompt, navigate to the installation .msi file and run it.
4. Install the agent with the default settings. When the installation has finished, run the Agent GUI by
selecting it from the Windows Programs menu.
5. By default, the agent will be configured to log in as the user who installed the .msi file. In the
screenshot that follows, you will see that the administrator account that installed the agent is now the
agent service account. Use the Edit button on the configuration window to change the service
account to a restricted user account if desired.
[Screenshots: agent service account configuration, Before and After]
Provisioning the Agent Account
1. Allow the Agent account to log on to the member server as a service. On the member server, open the
Local Security Policy MMC.
Under Local Policies > User Rights Assignment, add the service account to the Log on as a
service option.
2. Refresh Group Policy on the server. In a command prompt, run the gpupdate command. If this
step is skipped then it may take up to 30 minutes for the change made in step 1 to take effect.
3. Assign the account permissions to the installation directory on the server. By default, the account
used to install the service has full access to the installation path. Using Windows Explorer, select the
Palo Alto Networks folder in Program Files and open its properties. On the Security tab, edit
the existing rights assignments and add the service account with Modify privileges.
[Screenshots: Palo Alto Networks folder permissions, Before and After]
4. Assign the service account rights to the User-ID Agent registry sub-tree. In the Run box, type
regedt32 to launch the registry editing tool. Navigate to the
Computer\HKEY_LOCAL_MACHINE\Software\Palo Alto Networks sub-tree. On 64-bit
systems the key is located at
Computer\HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
Right-click the Palo Alto Networks node and choose the Permissions option. Assign the service
account the Full Control permission for this sub-tree.
5. Add the service account user to the Event Log Readers and Server Operators built-in local
security groups in the domain.
That concludes the steps needed to install, enable, and grant the necessary permissions for the User-ID
Agent.
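Steps 3 and 4 above can also be applied and then checked from an elevated PowerShell prompt. The script below is an added example, not part of the original tech note; the NetBIOS domain name CORP and the candidate folder and registry locations are assumptions based on the paths named in the steps.

```powershell
# Added example: apply and verify steps 3 and 4 for the agent service account.
# Assumed (not in the tech note): NetBIOS domain name CORP; candidate paths below.
$Account = 'CORP\agent_user'

# Stop early if the prompt is not elevated (see Installation step 2).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object Security.Principal.WindowsPrincipal $id
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Pick the first location that exists; 64-bit systems use the redirected ones.
$folder = @("${env:ProgramFiles(x86)}\Palo Alto Networks",
            "$env:ProgramFiles\Palo Alto Networks") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$regKey = @('HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks',
            'HKLM:\SOFTWARE\Palo Alto Networks') |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $folder -or -not $regKey) { throw 'Agent folder or registry key not found.' }

# Step 3: Modify on the installation folder, inherited by files and subfolders.
$fsArgs = $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $fsArgs))
Set-Acl -Path $folder -AclObject $acl

# Step 4: Full Control on the registry sub-tree, inherited by subkeys.
$regArgs = $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl = Get-Acl -Path $regKey
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule $regArgs))
Set-Acl -Path $regKey -AclObject $acl

# Verify: show only the entries that now apply to the service account.
foreach ($p in $folder, $regKey) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='Path';e={$p}}, AccessControlType, IsInherited,
            @{n='Rights';e={ if ($_.FileSystemRights) { $_.FileSystemRights }
                             else { $_.RegistryRights } }}
}

# Installation step 5: list services whose logon account is the restricted user.
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like '*agent_user*' } |
    Select-Object Name, StartName, State
```

The verification output should show an Allow entry with Modify on the folder and FullControl on the registry key; an empty service list means the agent is still running under the installing administrator account.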
Revision History
Date: October 8, 2012
Revision: A
Comment: Fixed a page break issue at page 7 that was causing
readers to miss the registry path in step 4. Not changing
the rev number since this was just a cosmetic change.