topic Re: PAN AGENT CAPACITY BY VSYS in General Topics

PAN AGENT CAPACITY BY VSYS

alle — Mon, 26 Mar 2012 16:04:26 GMT

hello,

I have seen the following information for pan agent capacity

Capacity

User Identification capacity limits:

• The PA-4000 series can support up to 64,000 concurrent users; the PA-2000 series can

support up to 47,000 concurrent users.

• Up to 640 groups can be used in policies for each virtual system (vsys)

• Each UIA can connect to up to 10 Domain Controllers

• Each firewall can support up to 100 UIA’s

• Limit of 100 entries each in the Allow and Ignore list on the UIA

• Only 1 NTLM handshake can be in process between a UIA and AD server at a time

And I have the following question : the support of 100 user id agent is for each VSYS or Globally?? because in 4.0 you can not shared pan-agent configuration. And if you have 10 VSYS with 12 PAN AGENT we must configure 120 PAN AGENT on your PA.

thanks for your answer,

Alex

Re: PAN AGENT CAPACITY BY VSYS

mikand — Mon, 26 Mar 2012 19:07:24 GMT

I think this is in total.

VSYS in PAN (and most other devices for that matter) is just to segment the dataplane. You still have a single mgmtplane and its the mgmtplane who does the User-ID Agent identification and stuff.

Re: PAN AGENT CAPACITY BY VSYS

alle — Wed, 28 Mar 2012 12:26:24 GMT

mikand I confirm, this is in total! when I create more than 100 pan agent I see the following message:

Server error : constraints failed : No. of agents configured exceeds maximum allowed(100)
[edit]

Re: PAN AGENT CAPACITY BY VSYS

ucteam — Wed, 25 Apr 2012 09:44:43 GMT

Another point .. this information is perhaps out of date "Each UIA can connect to up to 10 Domain Controllers"

The older 3.x UIA Agents by "default" would monitor only 10 domain controllers, but if you manually edited the XML config file you could get them to monitor 100 e.g <max-dc>100</max-dc>

I believe the new 4.x UIA have this setting by default now.