topic Maximum number of UserID Agents for 4.1.x ? in General Topics

Maximum number of UserID Agents for 4.1.x ?

ucteam — Tue, 20 Mar 2012 05:35:46 GMT

Whats the maximum number of UserID agents that can be configured to talk to the firewall ?

ie. Will the firewall complain if we have 200+ userID agents configured to talk to it?

I know each agent can monitor a maximum of 100 domain controllers.. but how many agents can the firewall monitor?

Re: Maximum number of UserID Agents for 4.1.x ?

jseals — Sat, 24 Mar 2012 00:10:49 GMT

Hello,

I've been unable to find a hard coded limit. I don't believe we restrict you to a certain number of agents connected to the firewall.

However, keep in mind that only one agent per domain actually connects to the firewall at a time.

In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redunancy in case one of the agents goes down.

If this doesn't quite answer what you're looking for, please let me know the environment you're going to be deploying and I can look for more specific information.

Thanks,

Jason Seals

Re: Maximum number of UserID Agents for 4.1.x ?

jseals — Sat, 24 Mar 2012 00:21:04 GMT

Of course I find the number right after posting.

"• Each UIA can connect to up to 100 Domain Controllers

• Each firewall can support up to 100 UIA’s

• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.

Thanks,

Jason Seals

In 4.1, the agent can connect to 100 Domain Controllers.

Re: Maximum number of UserID Agents for 4.1.x ?

pperrotta — Mon, 26 Mar 2012 18:08:30 GMT

My understanding is that the firewall will not read from more that one UIA at a time. One is Primary other is secondary, how would adding all the other agents help with user Identification?

Re: Maximum number of UserID Agents for 4.1.x ?

rmonvon — Mon, 26 Mar 2012 20:36:40 GMT

Hi...If you have different domains with different AD forests (or without trust), you can use 1 agent per domain.

Also, you can have 2+ agents per domain as needed. Let's say you have 1 main location and 4 remote sites, each site has some DCs, and where WAN bandwidth is low. You can deploy 1 agent per site to monitor its local DCs without crossing the WAN. The PA firewall can talk to all 5 agents to gather UserIDs.

Thanks.

Re: Maximum number of UserID Agents for 4.1.x ?

pperrotta — Mon, 26 Mar 2012 21:07:29 GMT

Ok in my situation I have 30 remote DC's with slower WAN links, I currently use 2 Pan agents to poll all 30, it works fairly well but I would say 20% of users get portaled on a regular basis. So if I install agents on all my DC's the PA could digest info from all of them? Is that recomeneded? I seem to get diffrent answers on this.

thanks

Re: Maximum number of UserID Agents for 4.1.x ?

rmonvon — Mon, 26 Mar 2012 22:48:16 GMT

In general, deploying the agent near the DCs is to decrease the WAN bandwidth consumption by the agent. If the consumed WAN bandwidth by the 2 agents polling your 30 DCs is not a problem for you, then I suggest leaving the 2 agents where they are.

20% of users get portaled - I assume you mean Captive Portal and 20% is prompted for authentication. If so, you should extend the 'User Identification Timeout'. If you're running version 4.1 agent, you can add your exchange server(s) to the list and have the agents monitor the exchange server(s) as well.

Thanks.

Re: Maximum number of UserID Agents for 4.1.x ?

Thiago — Tue, 27 Mar 2012 12:45:58 GMT

Hi Guys ,

I have a question ,

PAN Firewall have any limit with users from Ldap ?

PA 200 support the same numbers of users than PA 2050 ?

Best Regards.

Thiago Lima.

Re: Maximum number of UserID Agents for 4.1.x ?

rmonvon — Wed, 28 Mar 2012 19:19:42 GMT

Hi...Yes, there are upper limits to every system based on system resources. Can you be more specific on your questions?

Re: Maximum number of UserID Agents for 4.1.x ?

ucteam — Sun, 01 Apr 2012 10:34:34 GMT

I've heard the following may be documented on the Palo Alto internal KB:

Platform Capacity

Maximum number of pan-agents per vsys: 100

Maximum number of pan-agents per platform: 100

BUT I also revieved a reply to direct email recently stating that:

Thats it's 255 for user agent.

Terminal server agents are 255 except in the 5000 series where they can go up to 1000

Re: Maximum number of UserID Agents for 4.1.x ?

ucteam — Sun, 01 Apr 2012 13:01:22 GMT

And yes.. correct.. the reason for deploying many UserID agents (i.e locally installed at each remote site with domain controller) is to reduce the network/ bandwidth utilisation.

Whilst in theory the concept of having 2 central agents monitoring 100 domain controllers seems like a good solution.. unfortunately it doesnt account for common windows applications / active directory issues whereby sometimes users or computer accounts will begin authenticating 1000s of times (seemingly unnescarily) in the matter of a few seconds due to either poorly written applications or general issues with the windows operating system itself.. These excessive amount of successful authentication events which then have to be dragged across the network by the centrally located UserID agent can have a negative impact on the network if there is limited avaialble bandwidth on the WAN links.

Also PaloAltos UserID agent limitation that it can only monitor a maximum of 100 domain controllers each is a bit of a pain..

Given that we have over 130 domain controllers it would require a minimum of 4 UserID agents centrally installed to monitor all domain controllers (with redundancy). So either dedicating 4 new servers to this purpose or deploying to 4 existing random servers seems messy when compared to been able to package up and just push out the agent to all existing domain controllers with a identical config file for each.