https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220049#M63496 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>&nbsp;wrote:<BR /><P>Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.</P><HR /></BLOCKQUOTE><P>... if you restrict the monitored groups with an ldap filter or specify them one by one in the group mapping settings <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 01 Jul 2018 18:20:20 GMT Remo 2018-07-01T18:20:20Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48545#M35740 <HTML><HEAD></HEAD><BODY><P>Hello!</P><P>I have questions about user-id functions.</P><P></P><P>1. How much user-id be supported by agent-less user-id? I guess that 64K user-id and 640 user-group would be supported on all of PAN model. right?</P><P></P><P>2. When using user-id collector, How much user-id and user-group be supported by agent-less user-id for receiving all of user-id and user-group from other FWs? 64K user-id and 640 user-group be supported?</P><P></P><P>3. How many domain and DC be supported on user-id collector environment? Only 20 DC and 8 Different Domains be supported?</P><P></P><P>4. When Using User-ID Collector would support so many user-id, user-group Is it makes a problem of performance for MGMT of FWs?</P><P></P><P>5. I know that command "show user ip-user-mappling all" would show mapping user for DataPlane and "show user ip-user-mapping-mp all" would show mapping user for Management Plane? What's different for both of command? When should I check for user-mapping for MP or DP?</P><P></P><P>Thanks</P><P>Regards,</P><P>Roh</P></BODY></HTML> Mon, 19 Aug 2013 05:32:56 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48545#M35740 Retired Member 2013-08-19T05:32:56Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48546#M35741 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">1. How much user-id be supported by agent-less user-id? I guess that 64K user-id and 640 user-group would be supported on all of PAN model. right?</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><STRONG>Right</STRONG></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">2. When using user-id collector, How much user-id and user-group be supported by agent-less user-id for receiving all of user-id and user-group from other FWs? 64K user-id and 640 user-group be supported?</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><STRONG>Right</STRONG></SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">3. How many domain and DC be supported on user-id collector environment? Only 20 DC and 8 Different Domains be supported?</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-style: inherit; font-family: inherit; text-decoration: underline;"><STRONG style="font-style: inherit; font-family: inherit;"><BR /></STRONG></SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-style: inherit; font-family: inherit; text-decoration: underline;"><STRONG style="font-style: inherit; font-family: inherit;">Approximate Numbers:</STRONG></SPAN> </P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-style: inherit; font-family: inherit; text-decoration: underline;"><STRONG style="font-style: inherit; font-family: inherit;">Agentless: </STRONG></SPAN>Small/Medium-sized Deployments and&nbsp; LAB Environments</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Monitoring up to 20 Domain controllers and/or Exchange servers. </P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-style: inherit; font-family: inherit; text-decoration: underline;"><STRONG style="font-style: inherit; font-family: inherit;">User-ID Agent</STRONG></SPAN><STRONG style="font-style: inherit; font-family: inherit;"> :</STRONG> Large Deployments</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Monitoring up 100 Domain controllers and/or Exchange servers</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">4. When Using User-ID Collector would support so many user-id, user-group Is it makes a problem of performance for MGMT of FWs?</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><STRONG>Using the User-ID feature to its max capacity would increase the MP CPU but should not affect the Managment Access to the FW.</STRONG></P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">5. I know that command "show user ip-user-mapping all" would show mapping user for DataPlane and "show user ip-user-mapping-mp all" would show mapping user for Management Plane? What's different for both of the command? When should I check for user-mapping for MP or DP?</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><STRONG>DP reads User ID info from MP ,so while debugging User-ID related issues start with MP related command&nbsp; (<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">show user </SPAN>ip-user-mapping-mp all).</STRONG></P></BODY></HTML> Mon, 19 Aug 2013 09:20:15 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48546#M35741 UhMayYeah 2013-08-19T09:20:15Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48547#M35742 <HTML><HEAD></HEAD><BODY><P>Hi Nadir,</P><P></P><P>Great Answer!! Thanks a lot.</P><P>Have a good day.</P><P></P><P>Regards,</P><P>Roh</P></BODY></HTML> Mon, 19 Aug 2013 09:53:07 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48547#M35742 Retired Member 2013-08-19T09:53:07Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48548#M35743 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Thanks you for your information and I have some questions as following:</P><P><A href="https://live.paloaltonetworks.com/thread/12764">Number of user-ip-mappings supported and user-id agentless buffer question</A></P><P></P><P>Best Regards,</P><P>Pisek B.</P></BODY></HTML> Fri, 13 Mar 2015 08:00:05 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/48548#M35743 PisekBootta 2015-03-13T08:00:05Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219506#M63384 <P>Hi Ameya,<BR /><BR />In case of the a single Domian forest.let say we are going with agent based user-id deployment. there is a constraint of the number of user group that the Palo Alto FW's can parse right. I am assuming 640 user groups for 7.0 version and 10k for 8.0 version. what if we have user group count over 10k scenarios how can you do the user group mapping in such cases.&nbsp;</P> Wed, 27 Jun 2018 15:27:30 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219506#M63384 Sanssj 2018-06-27T15:27:30Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219510#M63386 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91991">@Sanssj</a>,</P><P>You have over 10k different user groups being services by a single firewall?&nbsp;</P> Wed, 27 Jun 2018 15:40:41 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219510#M63386 BPry 2018-06-27T15:40:41Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219516#M63389 <P>Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.</P> Wed, 27 Jun 2018 16:29:09 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/219516#M63389 JoeAndreini 2018-06-27T16:29:09Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220049#M63496 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>&nbsp;wrote:<BR /><P>Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.</P><HR /></BLOCKQUOTE><P>... if you restrict the monitored groups with an ldap filter or specify them one by one in the group mapping settings <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 01 Jul 2018 18:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220049#M63496 Remo 2018-07-01T18:20:20Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220063#M63503 <P>Yeah we do have a single AD forest. which has over 13k user groups. we are finding a optimum way to query the necessary groups instead of each and evry group. include list is not a feasible solution at this point. I am exploring ways to see how to achieve this.</P> Sun, 01 Jul 2018 22:02:53 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220063#M63503 Sanssj 2018-07-01T22:02:53Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220064#M63504 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91991">@Sanssj</a></P><P>In this case you need a good naming concept for AD groups, so you could specify a simple LDAP filter to import the required groups ... or a little more complex LDAP filter. But this is probably the only way</P> Sun, 01 Jul 2018 23:15:50 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-agentless-user-id/m-p/220064#M63504 Remo 2018-07-01T23:15:50Z