<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: No of User ID agents for HQ and sites in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205923#M60438</link>
    <description>&lt;P&gt;I would go with &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's why I was asking about inter-branch comms.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also.... seems pretty daft adding a Windows&amp;nbsp;agent to each branch, because if the branch PA fails then your users are stuffed anyway...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 16 Mar 2018 13:31:24 GMT</pubDate>
    <dc:creator>Mick_Ball</dc:creator>
    <dc:date>2018-03-16T13:31:24Z</dc:date>
    <item>
      <title>No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205839#M60414</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My network topology is as follows: I have an HQ with a PA-7050 firewall and 3 domain controllers in HQ. I have 22 branches with a local domain controller in each branch, and the branch firewall is a PA-3050.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now I want to deploy User-ID agents. In my scenario, what is the best way to deploy User-ID agents? I am thinking of the following:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Deploy one User-ID agent (with backup) in each branch on a member server and monitor the local domain controller (branch DC)&lt;/P&gt;&lt;P&gt;- Deploy one User-ID agent (with backup) in HQ on a member server and monitor the HQ domain controllers.&amp;nbsp;&lt;/P&gt;&lt;P&gt;- How can I share the User-ID information between branch and HQ firewalls? Should I integrate all firewalls with all User-ID agents?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 16 Mar 2018 07:40:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205839#M60414</guid>
      <dc:creator>faizankhurshid</dc:creator>
      <dc:date>2018-03-16T07:40:13Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205895#M60423</link>
      <description>&lt;P&gt;Let me just ask....&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does branch 1 need to know about users at branch 2, etc., or does HQ just need to know about all other branches (users)?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 16 Mar 2018 12:27:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205895#M60423</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-03-16T12:27:42Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205920#M60436</link>
      <description>&lt;P&gt;- You can have all the branch firewalls set up with clientless User-ID to the local AD, and have each firewall function as a User-ID agent to the HQ location&lt;/P&gt;
&lt;P&gt;- You can also install a User-ID agent at each location and then connect each local firewall to the local User-ID agent, and have the HQ firewall connect to all the User-ID agents&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Unless it's likely your users will make connections to other branches, I wouldn't share User-ID between branches, only with HQ&lt;/P&gt;</description>
      <pubDate>Fri, 16 Mar 2018 13:21:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205920#M60436</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-03-16T13:21:21Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205923#M60438</link>
      <description>&lt;P&gt;I would go with &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's why I was asking about inter-branch comms.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also.... seems pretty daft adding a Windows&amp;nbsp;agent to each branch, because if the branch PA fails then your users are stuffed anyway...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 16 Mar 2018 13:31:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/205923#M60438</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-03-16T13:31:24Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206006#M60478</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have multiple remote locations and two datacenters. I have one agent in each data center, and each PAN connects to them for User-ID. My agents are set to only look at Exchange data, since it's updated very frequently and everyone runs Outlook clients. Works out really well. The agentless setup didn't work for us, as we were running into a lot of WMI contention and alerts; we have the PANs send out alerts for anything High and Critical, hence the WMI alerts. Once we moved to the agents the alerts stopped and things are working properly.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;</description>
      <pubDate>Fri, 16 Mar 2018 16:32:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206006#M60478</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-03-16T16:32:24Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206116#M60506</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580"&gt;@OtakarKlier&lt;/a&gt;&amp;nbsp;thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So you have agents only in HQ, and all firewalls (sites + HQ) use those agents?&lt;/P&gt;&lt;P&gt;In this case, how about the bandwidth usage from each site firewall to the User-ID agent in HQ?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sat, 17 Mar 2018 08:11:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206116#M60506</guid>
      <dc:creator>faizankhurshid</dc:creator>
      <dc:date>2018-03-17T08:11:24Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206117#M60507</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&amp;nbsp;thanks. Approach 1 I believe is best, as it will avoid the overhead of maintaining member servers and User-ID agents in all branches.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How about&amp;nbsp;if I use the User-ID agent only in HQ to monitor all DC servers (local in HQ + DCs in branches)? In this case,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1- How can I calculate the bandwidth requirement on the WAN link for the User-ID agent to monitor each branch DC? Each branch has a different number of users, like 300, 50, or a maximum of 1100&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2- Is it possible for a branch firewall to learn the user-to-IP mapping from the HQ firewall or the User-ID agent in HQ for its local subnets only?&lt;/P&gt;</description>
      <pubDate>Sat, 17 Mar 2018 08:25:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206117#M60507</guid>
      <dc:creator>faizankhurshid</dc:creator>
      <dc:date>2018-03-17T08:25:12Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206147#M60511</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/82863"&gt;@faizankhurshid&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If every byte of bandwidth matters then I don't recommend using a central Windows User-ID agent server, as with this method the whole security log from every DC will be transferred from the branch DC to the User-ID agent server.&lt;/P&gt;&lt;P&gt;As far as I know there is no general calculation of the required bandwidth, as it really depends on the user behaviour. But to get your required bandwidth, you can do the following:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Windows User-ID agent: check the size of the security log on the DCs and divide that by the time span the log contains entries for&lt;/LI&gt;&lt;LI&gt;Agentless User-ID: export the logs with the IDs 4768, 4769, 4770, 4624, check the size of these and divide this number by the time span you have logs for&lt;/LI&gt;&lt;LI&gt;Windows Log Forwarding: the same as with the Agentless User-ID Agent&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Of course with every transfer over the network there is also a (very) small percentage of overhead, but this probably does not matter that much.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So in case you want/need all the User-ID data from all locations in all locations, I would use one of the following methods:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Agentless setup: configure your 7050 to query all the DCs&lt;/LI&gt;&lt;LI&gt;Windows User-ID Agent: configure the agent to query the main DCs directly and configure all the branch DCs to forward the required logs to this User-ID Agent server (as described here:&amp;nbsp;&lt;A href="https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-for-numerous-mapping-information-sources" 
target="_blank"&gt;https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-for-numerous-mapping-information-sources&lt;/A&gt;)&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;My personal preference in your situation would be the agentless setup because of the lower complexity - there are fewer components/features involved, which means fewer possible situations where problems can happen.&lt;/P&gt;&lt;P&gt;But both of these methods will work, and in both cases you can configure the branch firewalls to fetch the User-ID data either from your 7050 or from the Windows User-ID agent.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To your second question: this is kind of possible. In the zone configuration where you have to enable user identification, you could configure the subnets that the firewall should use for User-ID. But this is a second step I think: the firewall will still get all User-ID data from the HQ and then simply not use the mappings that are not part of a configured subnet. Or if you go the way of configuring every branch firewall to connect to the branch DCs, it is possible to configure the agentless user agent to only gather the user-to-IP mappings from the local subnets.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Sat, 17 Mar 2018 13:17:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206147#M60511</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2018-03-17T13:17:36Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206352#M60562</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;While I have not measured the actual bandwidth, it's pretty small and not noticeable on our network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 19 Mar 2018 15:05:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/206352#M60562</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-03-19T15:05:20Z</dc:date>
    </item>
    <item>
      <title>Re: No of User ID agents for HQ and sites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/207421#M60802</link>
      <description>&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 26 Mar 2018 11:58:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/no-of-user-id-agents-for-hq-and-sites/m-p/207421#M60802</guid>
      <dc:creator>faizankhurshid</dc:creator>
      <dc:date>2018-03-26T11:58:40Z</dc:date>
    </item>
  </channel>
</rss>