https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14036#M10308 <HTML><HEAD></HEAD><BODY><P>Currently we have 20 User-ID agents connected to our PA-2050. In the last days we had severe problems with our Palo Alto. The CPU was on full load and we were not able to login on CLI or the webinterface. The only solution was to restart the firewall. A few weeks ago we had the same problems but not as many as these days.</P><P></P><P>I'm not sure but something tells me that the integration of the User-ID agents is the cause of our problems. Is this possible? </P><P><IMG alt="screen.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10131_screen.png" style="width: 620px; height: 287px;" /></P><P>The useridd process consumes a lot of memory. Is this normal?</P></BODY></HTML> Wed, 04 Dec 2013 07:11:06 GMT LCMember17002 2013-12-04T07:11:06Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14033#M10305 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>first I try to give you some information. Our headquarter is located in Germany. All of our subsidiaries are connected to Germany via relatively slow VPN lines. Overall we have round about 20 DCs in different countires. Until now we have only 3 Palo Alto firewalls (Germany, USA, Canada) but in the future we plan to buy more.</P><P></P><P>Our setup until last week was the following. We installed the software User-ID agent on the DC in Germany. We connected all DCs worldwide to this agent. Unfortunately the agent retrieves all logs and produces a lot of traffic over the VPN lines. So we decided to change our setup.</P><P></P><P>We are planning to install the User-ID agent on all DCs worldwide and connect the firewall in Germany with all agents. With this solution the traffic should drop significantely. Furthermore the firewall in USA and Canada will be connected with the particular DC in that country and in Germany.</P><P>Or is it better to connect these firewalls also with all agents?</P><P>Is it possible to distribute the mappings from the firewall in Germany to the other firewalls without the need of connecting agents to the firewalls in USA and Canada?</P><P></P><P>Another question is if all agents should observe all available networks or only the local subnets?</P><P></P><P>I hope you can help me!</P></BODY></HTML> Fri, 08 Nov 2013 10:12:40 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14033#M10305 LCMember17002 2013-11-08T10:12:40Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14034#M10306 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>"We are planning to install the User-ID agent on all DCs worldwide and connect the firewall in Germany with all agents. With this solution the traffic should drop significantely."</P><P>Yes this will be fine.Also in the agents you may change 1second predefined read logs to 2(or 3) seconds.</P><P>Redistribute users is only available for agentless user-id.</P><P>to observer all available networks will be fine.</P></BODY></HTML> Sun, 10 Nov 2013 19:02:01 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14034#M10306 Retired Member 2013-11-10T19:02:01Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14035#M10307 <HTML><HEAD></HEAD><BODY><P>Here are few good docs regarding the deployment of User id. </P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3120">https://live.paloaltonetworks.com/docs/DOC-3120</A></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-5939">https://live.paloaltonetworks.com/docs/DOC-5939</A></P><P></P><P>Hope this helps.<BR />Thanks</P><P>Numan</P></BODY></HTML> Tue, 12 Nov 2013 00:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14035#M10307 mbutt 2013-11-12T00:37:55Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14036#M10308 <HTML><HEAD></HEAD><BODY><P>Currently we have 20 User-ID agents connected to our PA-2050. In the last days we had severe problems with our Palo Alto. The CPU was on full load and we were not able to login on CLI or the webinterface. The only solution was to restart the firewall. A few weeks ago we had the same problems but not as many as these days.</P><P></P><P>I'm not sure but something tells me that the integration of the User-ID agents is the cause of our problems. Is this possible? </P><P><IMG alt="screen.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10131_screen.png" style="width: 620px; height: 287px;" /></P><P>The useridd process consumes a lot of memory. Is this normal?</P></BODY></HTML> Wed, 04 Dec 2013 07:11:06 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14036#M10308 LCMember17002 2013-12-04T07:11:06Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14037#M10309 <HTML><HEAD></HEAD><BODY><P>What PANOS and User ID Agent version are you running?</P></BODY></HTML> Sat, 14 Dec 2013 16:41:09 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14037#M10309 JimS2 2013-12-14T16:41:09Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14038#M10310 <HTML><HEAD></HEAD><BODY><P>All the latest. PANOS 5.09 and User-ID Agent 5.0.6-6.</P></BODY></HTML> Sun, 22 Dec 2013 16:25:20 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14038#M10310 LCMember17002 2013-12-22T16:25:20Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14039#M10311 <HTML><HEAD></HEAD><BODY><P>The memory and cpu usage in the screen shot is not all that high.&nbsp; I would be more interested in the memory and cpu usage on the mgmtsrvr and devsrvr.</P><P>Run: show system resources follow</P><P>Use Shift + m</P></BODY></HTML> Sun, 22 Dec 2013 17:51:55 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14039#M10311 JimS2 2013-12-22T17:51:55Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14040#M10312 <HTML><HEAD></HEAD><BODY><P>How many User-ID Agents can usally be connected to a PA-2050 without problems?</P><P></P><P>Here another screenshot mit Shift + M.</P><P><IMG alt="Unbenannt.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10453_Unbenannt.png" style="width: 620px; height: 424px;" /></P></BODY></HTML> Mon, 23 Dec 2013 07:51:10 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14040#M10312 LCMember17002 2013-12-23T07:51:10Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14041#M10313 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN class="j-post-author" style="font-size: 0.9em; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><STRONG style="font-style: inherit; font-family: inherit;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="12205" data-username="admin%40peri" href="https://live.paloaltonetworks.com/people/admin@peri" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">admin@peri</A></STRONG></SPAN></P><P></P><P>Per PanOS 4.1 and 5.0, 2050 supports 100 User ID agents.</P><P>Though it can support so many agents I would suggest the efficiency of the hardware with user id agents depends on the frequency of the data being retrieved from the agents to the firewall and how much data is being obtained. To some extent we can change the frequency values on the user id agents to retrieve user-ip mapping. </P><P></P><P>Hope this answers your question !</P></BODY></HTML> Mon, 23 Dec 2013 16:07:00 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14041#M10313 Phoenix 2013-12-23T16:07:00Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14042#M10314 <HTML><HEAD></HEAD><BODY><P>The mgmtsrvr server memory is border line but not extreme by any means.&nbsp; I would open a support case for the performance issue when it occurs again.&nbsp; This will need to be diagnosed live by a technician.</P></BODY></HTML> Mon, 23 Dec 2013 18:14:33 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14042#M10314 JimS2 2013-12-23T18:14:33Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14043#M10315 <HTML><HEAD></HEAD><BODY><P>Hello admin@peri,</P><P></P><P>Normally only local subnet.....</P><P></P><P>Because User based policies are normally configured inside to outside direction.</P><P></P><P>But if User based policy is configured for outside to inside network then its required to learn all the networks.</P><P></P><P>Let me know if that answers the question.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 26 Dec 2013 00:14:01 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-user-id-strategy/m-p/14043#M10315 hshah 2013-12-26T00:14:01Z