Integrated User-ID Agent vs. Windows Service?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Integrated User-ID Agent vs. Windows Service?

L4 Transporter

We're running 5.1 right now and plan on upgrading to 6.1 over the next couple of days.

Historically we've used the Windows User Agent on two of our domain controllers, but today I switched to the on-board Integrated User-ID Agent and set it up, and other than a noticeable increase in CPU load on the domain controllers, everything is working great (so far Smiley Happy).

What is the "best practise" around this please?

Right now our Palo Alto is in the same rack as 2 of our DCs and there is another DC at a remote site but the User-ID agent traffic has to cross a WAN link for that regardless of the method we use.

5 REPLIES 5

L7 Applicator

There is a pretty full Best Practices documentation here.

User-ID Best Practices - PAN-OS

But they don't go on record as preferring either agent or agentless as the method in AD.  Personally, I would use the installed agent whenever practical and agentless as the fallback.  This distributes the work load on the process.  But I recognize there there is not much practical difference between the two which is probably why Palo Alto does not have a recommendation either way.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L0 Member

To cut down on WAN traffic you might want to install UIA on member server near the remote DC.  That way only IP address, username and timestamps are sent across the WAN link.

L6 Presenter

The agentless FW integrated monitoring only allows for <100 DCs to be monitored.

 

What's the circuit bandwidth at the 1 remote site you have?  Our deployment has over 140 remote sites with over 160 DCs.

 

We roll-up all remote site DC logs to a central location and those DC logs don't have an impact on circuit utilization.

I can share my experience with the windows agent.

 

The bandwidth between the agent and a DC is really going to depend on how busy the security log is on that DC. I've got the Windows User-ID agent running aganist 10 DC's and two exchange servers servicing about 1500 users across multiple sites. 

 

The Windows User-ID agent has a solid 2.2mb/sec of user-id syncing traffic on it's interface it 24/7. I remember it jumped from 1.9mb/sec to 2.2mb/sec when I added the two exchange servers .

 

It's tough to parse out exactly, but the DC with maybe 25 users authenticating aganist it is pulling around 40kb/sec over the WAN. There's one really busy DC that's doing 200kb/sec. That one is local to the agent, thank goodness.

 

Because these are mostly under utilized gig WAN links, I'm fine with the not-insignifigant WAN usage, but not everyone has WAN bandwidth to waste,

 

One big difference between the Integragrated User-ID agent and the Windows Service is the integrated agent queires specifically for the login event-id log entries. The service-based agent grabs the full security log, which makes for much higher bw utilization. 

 

If you don't want to install agents at your smaller remote sites (say, smaller than 100 active users), consider using the more efficient integrated agent for some of the WAN sites and a windows agent for exchange servers, and those DC's with ample bandwidth. 

 

If you have over 140 remote DC's, that could be anywere from 5 to 15mb/sec in total on your WAN, depending on how big those remote sites are. And if you were doing your querying from a single windows user-id agent. That's probably not the way to go!

 

Hope that helps

L5 Sessionator

Hi,

 

general recommendation is that for anything more than 1000 users in your network you should offload UserID service from the firewall to the agent installed on the server (do not use agentless for more than 1000 users). Way to offload your existing busy servers is to install separate a server that will be handling only UserID, or a few if one can't handle it gracefully.

 

Recommendation above is coming from Palo Alto Networks and is based on mp/dp resources, using agent rather than agentless is more graceful both on Windows and firewalls due to difference in how calls are made. It is just not written in manual because your mileage may vary depending on the firewall setup, you might be able to poll considerably more users in some corner cases. CPU will decrease with Agent on the Windows server as well, due to the nature of calls (RPC vs. WMI, as far as I can remember, but that needs to be checked to be sure, and CPU will decrease for sure).

 

Hope it helps a bit. Regards,

 

Luciano

  • 7162 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!