
User-ID Agent Initial Installation and Setup

Tech Note
PAN-OS 4.1

Revision A

2011, Palo Alto Networks, Inc. www.paloaltonetworks.com

Contents
Overview ......................................................................................................................... 3
Installation ...................................................................................................................... 3
Provisioning the Agent Account ...................................................................................... 5
Revision History ............................................................................................................ 11

2011 Palo Alto Networks

Page 2

Overview
This document outlines the steps to install the 4.1.x version of the Palo Alto Networks User
Identification (User-ID) Agent on a member server in a domain. It assumes that no prior version of the User
Identification agent has been installed.

Installation
This example will describe the steps needed to install the User-ID Agent on a Windows 2008 member server
that is part of the domain corp.local. The agent will be configured to use the service account
agent_user, which is not an administrative account on the member server or in the domain.
1. Download the installation .msi file from support.paloaltonetworks.com.

2. On the member server, launch a command prompt as an administrator. This is done by right-clicking
the command prompt icon on the Start menu and choosing the Run as administrator option.


3. In the command prompt, navigate to the installation .msi file and run it.

4. Install the agent with the default settings. When the installation has finished, run the Agent GUI by
selecting it from the Windows Programs menu.

5. By default, the agent will be configured to log in as the user who installed the .msi file. In the screen
shot that follows, you will see that the administrator account that installed the agent is now the
agent service account. Use the Edit button on the configuration window to change the service
account to a restricted user account if desired.
Before


After

Provisioning the Agent Account


Once the agent service is installed, the account it runs as must be provisioned. These steps include adding
the agent account to Active Directory groups, setting file permissions, setting local security policy on the
agent server, and setting registry permissions. If the agent account is a member of the administrators group
in the domain, all of these steps except the first are unnecessary.
1. Allow the agent account to log on to the member server as a service. On the member server, open the
Local Security Policy MMC. Under Local Policies > User Rights Assignment, add the service account to the
Log on as a service option.

2. Refresh Group Policy on the server. In a command prompt, run the gpupdate command. If this
step is skipped, it may take up to 30 minutes for the change made in step 1 to take effect.

3. Assign the account permissions to the installation directory on the server. By default, the account
used to install the service has full access to the installation path. Using Windows Explorer, select the
Palo Alto Networks folder in Program Files and open its properties. On the security tab, edit
the existing rights assignments and add the service account with Modify privileges.


Before

After


4. Assign the service account rights to the User-ID Agent registry sub-tree. In the Run box, type
regedt32 to launch the registry editing tool. Navigate to the
Computer\HKEY_LOCAL_MACHINE\Software\Palo Alto Networks sub-tree. On 64-bit
systems the key is located at
Computer\HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks.


Right-click the Palo Alto Networks node and choose the Permissions option. Assign the service
account the Full Control permission for this sub-tree.


5. Add the service account user to the Event Log Reader and Server Operator built-in local
security groups in the domain.

That concludes the steps needed to install, enable, and grant the necessary permissions for the User-ID
Agent.
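The five provisioning steps above can also be applied from an elevated PowerShell prompt on the member server, which makes the resulting permissions repeatable and easy to audit. The script below is an added example and is not part of the Palo Alto Networks tech note; it assumes the domain corp.local (NetBIOS name corp), the service account agent_user, the default install folder under Program Files, and the registry paths named in step 4. The domain group names "Event Log Readers" and "Server Operators" are the built-in groups as they appear in Active Directory. Step 5 must be run by an account with rights to modify domain group membership.

```powershell
# Added example (not from the tech note): provision the User-ID Agent service
# account following steps 1-5 above. Assumed values: domain corp, account
# agent_user, default install path. Run from an elevated PowerShell prompt.

$Domain     = 'corp'
$AgentUser  = 'agent_user'
$Account    = "$Domain\$AgentUser"
$InstallDir = Join-Path $env:ProgramFiles 'Palo Alto Networks'

# Step 4 path differs on 64-bit systems (WOW6432Node); pick whichever exists.
$RegPath = 'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks'
if (-not (Test-Path $RegPath)) { $RegPath = 'HKLM:\SOFTWARE\Palo Alto Networks' }

# --- Step 1: grant "Log on as a service" (SeServiceLogonRight) --------------
# Windows has no built-in cmdlet for user rights assignment, so export the
# local policy with secedit, append the account's SID, and import it back.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'uidagent-rights.inf'
$db  = Join-Path $env:TEMP 'uidagent-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
$existing = $lines | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($existing) {
    # Right already assigned to some principals: append our SID if missing.
    if ($existing -notmatch [regex]::Escape("*$sid")) {
        $lines = $lines -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
    }
} else {
    # Right not assigned to anyone yet: create it under [Privilege Rights].
    $lines = $lines -replace '^\[Privilege Rights\]$',
                             "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# --- Step 2: refresh Group Policy so the new right applies immediately -------
gpupdate /force | Out-Null

# --- Step 3: Modify (not Full Control) on the install directory --------------
# (OI)(CI) inherit to files and subfolders; M = Modify.
icacls $InstallDir /grant "${Account}:(OI)(CI)M" | Out-Null

# --- Step 4: Full Control on the agent's registry sub-tree -------------------
$acl  = Get-Acl -Path $RegPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $RegPath -AclObject $acl

# --- Step 5: domain built-in groups (needs the ActiveDirectory module) -------
Import-Module ActiveDirectory
foreach ($group in 'Event Log Readers', 'Server Operators') {
    Add-ADGroupMember -Identity $group -Members $AgentUser
}

# --- Verification: show exactly what the account was granted -----------------
Write-Host "Directory ACL for ${Account}:"
(Get-Acl $InstallDir).Access | Where-Object { $_.IdentityReference -eq $Account }
Write-Host "Registry ACL for ${Account}:"
(Get-Acl $RegPath).Access | Where-Object { $_.IdentityReference -eq $Account }
Write-Host "Group membership for ${AgentUser}:"
Get-ADPrincipalGroupMembership $AgentUser | Select-Object -ExpandProperty Name
```

The verification block at the end is the part worth keeping around: re-running it after the agent is in production confirms that agent_user still holds only Modify on the install folder, Full Control on its own registry sub-tree, and the two group memberships, and nothing broader.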


Revision History
Date: October 8, 2012
Revision: A
Comment: Fixed a page break issue at page 7 that was causing readers to miss the registry path in step 4.
Not changing the rev number since this was just a cosmetic change.