Maximum number of UserID Agents for 4.1.x ?


What's the maximum number of UserID agents that can be configured to talk to the firewall?

i.e. Will the firewall complain if we have 200+ UserID agents configured to talk to it?

I know each agent can monitor a maximum of 100 domain controllers.. but how many agents can the firewall monitor?


L5 Sessionator


I've been unable to find a hard coded limit. I don't believe we restrict you to a certain number of agents connected to the firewall.

However, keep in mind that only one agent per domain actually connects to the firewall at a time.

In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redundancy in case one of the agents goes down.

If this doesn't quite answer what you're looking for, please let me know the environment you're going to be deploying and I can look for more specific information.


Jason Seals

L5 Sessionator

Of course I find the number right after posting.

"• Each UIA can connect to up to 100 Domain Controllers

• Each firewall can support up to 100 UIA’s

• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.


Jason Seals

In 4.1, the agent can connect to 100 Domain Controllers.

My understanding is that the firewall will not read from more than one UIA at a time. One is primary, the other is secondary; how would adding all the other agents help with user identification?

Hi...If you have different domains with different AD forests (or without trust), you can use 1 agent per domain.  

Also, you can have 2+ agents per domain as needed.  Let's say you have 1 main location and 4 remote sites, each site has some DCs, and where WAN bandwidth is low.   You can deploy 1 agent per site to monitor its local DCs without crossing the WAN.   The PA firewall can talk to all 5 agents to gather UserIDs.


OK, in my situation I have 30 remote DCs with slower WAN links. I currently use 2 PAN agents to poll all 30; it works fairly well, but I would say 20% of users get portaled on a regular basis. So if I install agents on all my DCs, the PA could digest info from all of them? Is that recommended? I seem to get different answers on this.


In general, deploying the agent near the DCs is to decrease the WAN bandwidth consumption by the agent.  If the consumed WAN bandwidth by the 2 agents polling your 30 DCs is not a problem for you, then I suggest leaving the 2 agents where they are.

20% of users get portaled - I assume you mean Captive Portal and 20% are prompted for authentication.  If so, you should extend the 'User Identification Timeout'.  If you're running the version 4.1 agent, you can add your Exchange server(s) to the list and have the agents monitor the Exchange server(s) as well.


Hi guys,

I have a question.

Does the PAN firewall have any limit on users from LDAP?

Does the PA 200 support the same number of users as the PA 2050?

Best Regards.

Thiago Lima.

Hi...Yes, there are upper limits to every system based on system resources.  Can you be more specific on your questions?


I've heard the following may be documented on the Palo Alto internal KB:

Platform Capacity

Maximum number of pan-agents per vsys: 100

Maximum number of pan-agents per platform: 100

BUT I also received a reply to a direct email recently stating that:

It's 255 for user agent.

Terminal server agents are 255 except in the 5000 series where they can go up to 1000

And yes, correct: the reason for deploying many UserID agents (i.e. locally installed at each remote site with a domain controller) is to reduce the network/bandwidth utilisation.

Whilst in theory the concept of having 2 central agents monitoring 100 domain controllers seems like a good solution, unfortunately it doesn't account for common Windows application / Active Directory issues whereby sometimes user or computer accounts will begin authenticating 1000s of times (seemingly unnecessarily) in the matter of a few seconds, due to either poorly written applications or general issues with the Windows operating system itself. This excessive amount of successful authentication events, which then has to be dragged across the network by the centrally located UserID agent, can have a negative impact on the network if there is limited available bandwidth on the WAN links.

Also, Palo Alto's UserID agent limitation that it can only monitor a maximum of 100 domain controllers each is a bit of a pain.

Given that we have over 130 domain controllers, it would require a minimum of 4 UserID agents centrally installed to monitor all domain controllers (with redundancy). So either dedicating 4 new servers to this purpose or deploying to 4 existing random servers seems messy when compared to being able to package up and just push out the agent to all existing domain controllers with an identical config file for each.
