Questioning about agentless user-id.

L3 Networker

Questioning about agentless user-id.

Hello!

I have questions about user-id functions.

1. How many user-IDs are supported by agentless User-ID? I guess that 64K user-IDs and 640 user groups would be supported on all PAN models, right?

2. When using the User-ID collector, how many user-IDs and user groups are supported by agentless User-ID for receiving all user-IDs and user groups from other FWs? Are 64K user-IDs and 640 user groups supported?

3. How many domains and DCs are supported in a User-ID collector environment? Are only 20 DCs and 8 different domains supported?

4. When the User-ID Collector supports so many user-IDs and user groups, does it cause a performance problem for the management of the FWs?

5. I know that the command "show user ip-user-mapping all" shows user mappings for the dataplane and "show user ip-user-mapping-mp all" shows user mappings for the management plane. What is the difference between the two commands? When should I check user mappings on the MP or on the DP?

Thanks

Regards,

Roh

L5 Sessionator

Re: Questioning about agentless user-id.

1. How many user-IDs are supported by agentless User-ID? I guess that 64K user-IDs and 640 user groups would be supported on all PAN models, right?

Right

2. When using the User-ID collector, how many user-IDs and user groups are supported by agentless User-ID for receiving all user-IDs and user groups from other FWs? Are 64K user-IDs and 640 user groups supported?

Right

3. How many domains and DCs are supported in a User-ID collector environment? Are only 20 DCs and 8 different domains supported?

Approximate numbers:

Agentless: small/medium-sized deployments and lab environments

Monitoring up to 20 domain controllers and/or Exchange servers.

User-ID Agent: large deployments

Monitoring up to 100 domain controllers and/or Exchange servers.

4. When the User-ID Collector supports so many user-IDs and user groups, does it cause a performance problem for the management of the FWs?

Using the User-ID feature to its max capacity would increase the MP CPU but should not affect the management access to the FW.

5. I know that the command "show user ip-user-mapping all" shows user mappings for the dataplane and "show user ip-user-mapping-mp all" shows user mappings for the management plane. What is the difference between the two commands? When should I check user mappings on the MP or on the DP?

The DP reads User-ID info from the MP, so while debugging User-ID related issues, start with the MP related command (show user ip-user-mapping-mp all).

L3 Networker

Re: Questioning about agentless user-id.

Hi Nadir,

Great Answer!! Thanks a lot.

Have a good day.

Regards,

Roh

L1 Bithead

Re: Questioning about agentless user-id.

Hi,

Thank you for your information, and I have some questions as follows:

Number of user-ip-mappings supported and user-id agentless buffer question

Best Regards,

Pisek B.

L2 Linker

Re: Questioning about agentless user-id.

Hi Ameya,

In the case of a single domain forest, let's say we are going with an agent-based User-ID deployment. There is a constraint on the number of user groups that the Palo Alto FWs can parse, right? I am assuming 640 user groups for version 7.0 and 10k for version 8.0. What if we have a user group count over 10k? How can you do the user group mapping in such cases?

L7 Applicator

Re: Questioning about agentless user-id.

@Sanssj,

You have over 10k different user groups being serviced by a single firewall?

L4 Transporter

Re: Questioning about agentless user-id.

Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.

L7 Applicator

Re: Questioning about agentless user-id.

@JoeAndreini wrote:

Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.

... if you restrict the monitored groups with an LDAP filter or specify them one by one in the group mapping settings ;)

L2 Linker

Re: Questioning about agentless user-id.

Yeah, we do have a single AD forest, which has over 13k user groups. We are finding an optimum way to query the necessary groups instead of each and every group. An include list is not a feasible solution at this point. I am exploring ways to see how to achieve this.

L7 Applicator

Re: Questioning about agentless user-id.

@Sanssj

In this case you need a good naming concept for AD groups, so you could specify a simple LDAP filter to import the required groups ... or a slightly more complex LDAP filter. But this is probably the only way.
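The two replies above (restrict monitored groups with an LDAP filter; rely on a group naming concept so that filter stays simple) are easier to reason about with something that shows which groups a candidate filter actually selects before it is committed to the firewall's group mapping settings. The following is an added example written for this thread, not code from the original posts or from Palo Alto Networks. It evaluates a restricted subset of RFC 4515 LDAP filter syntax (AND, OR, NOT, and equality with `*` wildcards, which is all a group-selection filter normally needs) against a small set of constructed AD group entries; the group names, the `FW-` naming prefix and the helper names are assumptions for illustration, and the matcher does not implement extensible or approximate match operators.

```python
"""Evaluate a restricted RFC 4515 LDAP filter against in-memory AD group entries.

Added example: the entries below are constructed, not real directory data, and the
"FW-" naming prefix is an assumed naming concept for firewall-relevant groups.
"""
import fnmatch

# Constructed sample of directory objects. Attribute names are lower-cased on
# lookup because LDAP attribute names are case-insensitive.
SAMPLE_GROUPS = [
    {"cn": "FW-Finance-Users", "objectClass": ["top", "group"]},
    {"cn": "FW-HR-Admins", "objectClass": ["top", "group"]},
    {"cn": "Printer-Floor3", "objectClass": ["top", "group"]},
    {"cn": "Domain Users", "objectClass": ["top", "group"]},
    {"cn": "FW-Legacy-Temp", "objectClass": ["top", "group"]},
    {"cn": "jdoe", "objectClass": ["top", "person", "user"]},  # not a group
]


def parse_filter(text):
    """Parse a filter string into a tree of tuples.

    Supported: (&...), (|...), (!...) and (attr=value) where value may contain
    '*' wildcards. Malformed input raises ValueError.
    """

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        op = text[i]
        if op in "&|":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if not children or i >= len(text) or text[i] != ")":
                raise ValueError(f"bad {op} list at offset {i}")
            return (op, children), i + 1
        if op == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"bad NOT at offset {i}")
            return ("!", node), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("missing ')' in comparison")
        attr, sep, value = text[i:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"expected attr=value at offset {i}")
        return ("=", attr.lower(), value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Return True if the parsed filter tree matches one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    lowered = {k.lower(): v for k, v in entry.items()}
    values = lowered.get(attr, [])
    if isinstance(values, str):
        values = [values]
    # AD string attributes compare case-insensitively; '*' is the only wildcard
    # a real LDAP filter has, so names containing '?' or '[' would need escaping.
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def select_groups(filter_text, entries=SAMPLE_GROUPS):
    """Return the sorted cn values of entries selected by the filter."""
    tree = parse_filter(filter_text)
    return sorted(e["cn"] for e in entries if matches(tree, e))


if __name__ == "__main__":
    for f in ("(&(objectClass=group)(cn=FW-*))",
              "(&(objectClass=group)(cn=FW-*)(!(cn=*-Temp)))"):
        print(f, "->", select_groups(f))
```

Run against the constructed entries, the naming-prefix filter `(&(objectClass=group)(cn=FW-*))` selects only the three `FW-` groups and leaves the printer group, `Domain Users` and the user object alone; adding a `(!(cn=*-Temp))` term shows how a slightly more complex filter trims a naming exception without enumerating groups one by one. Because the firewall only monitors the groups the filter returns, previewing the result set this way also catches an over-broad filter that would pull in thousands of unneeded groups.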
