<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: What is a "large" deployment for User-ID on the firewall? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26813#M19562</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I got the impression that the built-in PAN-agent (which lives in the mgmtplane of PANOS 5.0 and upwards) is mainly for small deployments.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Like max 100 users/clients or so...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I could be wrong... it would however be really nice if the built-in PAN-agent is all you need when running PANOS 5.0 even for larger deployments (thousands or tens of thousands of clients).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The problem is that the security log can be somewhat large when it comes to bandwidth. And in a large deployment there can be up to 100 DC-servers which, if you are unlucky, would mean up to 500Mbit/s just in security log being sent to the PA-device. The bandwidth between PAN-agent and each PA-device is much lower than the bandwidth between each PAN-agent and DC-servers.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 28 Jan 2013 18:49:00 GMT</pubDate>
    <dc:creator>mikand</dc:creator>
    <dc:date>2013-01-28T18:49:00Z</dc:date>
    <item>
      <title>What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26812#M19561</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We have a pair of 5020s and about 4000 users on 4 AD controllers. Throughout the 4.0 and 4.1 series, we have seen the Windows-based UserID Agent drop groups and users, and are interested in seeing if native event log polling from 5.0 might help. Target date is mid-March, by which point we hope 5.0 to be somewhat stable.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The documentation says that the UserID Agent is still supported and recommended for "large" deployments. Can anyone quantify that? I consider us "small," but to the extent that PAN firewalls have displaced UTM and web filters, maybe we're "medium."&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jan 2013 16:11:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26812#M19561</guid>
      <dc:creator>rgraves</dc:creator>
      <dc:date>2013-01-28T16:11:06Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26813#M19562</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I got the impression that the built-in PAN-agent (which lives in the mgmtplane of PANOS 5.0 and upwards) is mainly for small deployments.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Like max 100 users/clients or so...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I could be wrong... it would however be really nice if the built-in PAN-agent is all you need when running PANOS 5.0 even for larger deployments (thousands or tens of thousands of clients).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The problem is that the security log can be somewhat large when it comes to bandwidth. And in a large deployment there can be up to 100 DC-servers which, if you are unlucky, would mean up to 500Mbit/s just in security log being sent to the PA-device. The bandwidth between PAN-agent and each PA-device is much lower than the bandwidth between each PAN-agent and DC-servers.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jan 2013 18:49:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26813#M19562</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-01-28T18:49:00Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26814#M19563</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have previously asked support about this since we have considered using agentless user-id in a large deployment. Here are the numbers that I got:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ecf3ea;"&gt;"It depends on a few things. It depends on the number of DCs that are involved and the type of device the customer is using. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="background-color: #ecf3ea; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 11px; line-height: 1.5em;"&gt;If it's a 500 series you should be fine monitoring up to 10 servers. Same is true for a 200 series. The 2000 series has only little memory in the management plane, which is why I would possibly only monitor 2-5 servers. &lt;BR /&gt;Other devices like the new 3000 series or the 5000 series have more memory in the management plane. Meaning monitoring up to 50 servers should work fine."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So the limitation is not the number of users but number of DCs that are monitored.&lt;/P&gt;&lt;P&gt;As for your installation you should be fine with using agentless installation, but remember if you got "slow" links between the PA and the DC's you should consider installing the user-id agent.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jo Christian&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 08:07:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26814#M19563</guid>
      <dc:creator>jochristian</dc:creator>
      <dc:date>2013-01-29T08:07:47Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26815#M19564</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The limitation does lie in the amount of servers monitored and these are limited by the platform and the resources available to the mgmt plane as JoChristian mentions above. &lt;/P&gt;&lt;P&gt;The maximum amount of users is identical across all platforms which is currently 64k on the DP users and 640 groups, so a pair of 5020's with 4 AD's and 4k users should not be a problem at all&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards&lt;/P&gt;&lt;P&gt;Tom&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 14:08:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26815#M19564</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2013-01-29T14:08:13Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26816#M19565</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;STRONG&gt;We have case number 00110330 open right now, describing symptoms that mirror this same issue.&lt;/STRONG&gt; On our PA5020s we only have 835 out of 2,000 users sync'ing.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 14:46:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26816#M19565</guid>
      <dc:creator>ericgearhart</dc:creator>
      <dc:date>2013-01-29T14:46:52Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26817#M19566</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So even with 32.000 users and let's say 50 DC servers it should not be any problem of using the internal PAN-agent if you run 3000-series and upwards?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any drawbacks by using this internal PAN-agent other than the bandwidth needed between the PA device and all DC's?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Will for example commit times run away as with 2000-series?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 16:48:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26817#M19566</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-01-29T16:48:37Z</dc:date>
    </item>
    <item>
      <title>Re: What is a "large" deployment for User-ID on the firewall?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26818#M19567</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;To be a little bit more specific concerning the 640 groups "a firewall can hold": --&amp;gt; This is only the &lt;STRONG&gt;number of groups that can be used in the policies of the firewall&lt;/STRONG&gt; (source or destination user section), but the firewall can store more than 640 groups in its database, which of course is a MUST because many customers might have more than 640 groups in their ADs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To see the actual number of different groups, you can use the following command on the CLI:&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: courier new,courier;"&gt;show user group list | match Total&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;This shows the number of groups.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Aug 2013 12:59:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/what-is-a-quot-large-quot-deployment-for-user-id-on-the-firewall/m-p/26818#M19567</guid>
      <dc:creator>Ludwig</dc:creator>
      <dc:date>2013-08-13T12:59:46Z</dc:date>
    </item>
  </channel>
</rss>

