https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411805#M92766 <P>do you have DC's at each of these sites...&nbsp; &nbsp;there are various figures flying around but you need to consider what is at each location.&nbsp; if you have a palo at each location then use local agent to local DC. we have 8 DC's for 8 k user base and we just went for 1 server agent at each of our 2 major sites on dedicated windoze boxes and never had any issues.&nbsp; we do have 200 remote small sites but they all stream back to our major sites.</P><P>&nbsp;</P><P>perhaps an overview of your setup would help....</P><P>&nbsp;</P><P>this kinda keeps the busy end away from the palo's and the DC's&nbsp;</P> Tue, 08 Jun 2021 15:48:17 GMT Mick_Ball 2021-06-08T15:48:17Z https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411683#M92753 <P>Hi,</P><P>We have planned to implement user based policy in PA and we have roughly around 5k users across different locations with multiple controller as we have two options,</P><P>1. Dedicated windows based user-id agent</P><P>2. Palo alto Integrated user-id agent</P><P>among these two which one is best for production with 5K+ users&nbsp; and what is best practice for deploying the same&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Siva&nbsp;</P> Tue, 08 Jun 2021 06:54:57 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411683#M92753 nkmehta 2021-06-08T06:54:57Z https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411805#M92766 <P>do you have DC's at each of these sites...&nbsp; &nbsp;there are various figures flying around but you need to consider what is at each location.&nbsp; if you have a palo at each location then use local agent to local DC. we have 8 DC's for 8 k user base and we just went for 1 server agent at each of our 2 major sites on dedicated windoze boxes and never had any issues.&nbsp; we do have 200 remote small sites but they all stream back to our major sites.</P><P>&nbsp;</P><P>perhaps an overview of your setup would help....</P><P>&nbsp;</P><P>this kinda keeps the busy end away from the palo's and the DC's&nbsp;</P> Tue, 08 Jun 2021 15:48:17 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411805#M92766 Mick_Ball 2021-06-08T15:48:17Z https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411979#M92783 <P>To not have much load on the firewalls the Dedicated windows based user-id agent is better than the integrated one.</P><P>&nbsp;</P><P>Also you can use user redistribution so that the firewalls that are not infront of the users will get this data from the other edge firewalls if they can't directly connect to the windows agent. You can read this if interested:</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/ip-and-user-tag-mappings-redistribution-for-dag-dug/m-p/393030#M90970" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/ip-and-user-tag-mappings-redistribution-for-dag-dug/m-p/393030#M90970</A></P> Wed, 09 Jun 2021 07:10:58 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-for-large-scale-deployment/m-p/411979#M92783 nikoolayy1 2021-06-09T07:10:58Z