What's the maximum number of User-ID agents that can be configured to talk to the firewall?
i.e. Will the firewall complain if we have 200+ User-ID agents configured to talk to it?
I know each agent can monitor a maximum of 100 domain controllers, but how many agents can the firewall monitor?
I've been unable to find a hard coded limit. I don't believe we restrict you to a certain number of agents connected to the firewall.
However, keep in mind that only one agent per domain actually connects to the firewall at a time.
In other words, having multiple User-ID agents connected to 1 firewall for 1 domain will only provide redundancy in case one of the agents goes down.
If this doesn't quite answer what you're looking for, please let me know the environment you're going to be deploying and I can look for more specific information.
Of course I find the number right after posting.
"• Each UIA can connect to up to 100 Domain Controllers
• Each firewall can support up to 100 UIAs
• Limit of 100 entries each in the Allow and Ignore list on the UIA"
In summary, it looks like we can have 100 agents connected.
In 4.1, the agent can connect to 100 Domain Controllers.
My understanding is that the firewall will not read from more than one UIA at a time. One is primary, the other is secondary, so how would adding all the other agents help with user identification?
Hi... If you have different domains with different AD forests (or without trust), you can use 1 agent per domain.
Also, you can have 2+ agents per domain as needed. Let's say you have 1 main location and 4 remote sites, each site has some DCs, and where WAN bandwidth is low. You can deploy 1 agent per site to monitor its local DCs without crossing the WAN. The PA firewall can talk to all 5 agents to gather UserIDs.
OK, in my situation I have 30 remote DCs with slower WAN links. I currently use 2 PAN agents to poll all 30; it works fairly well, but I would say 20% of users get portaled on a regular basis. So if I install agents on all my DCs, the PA could digest info from all of them? Is that recommended? I seem to get different answers on this.
In general, deploying the agent near the DCs is to decrease the WAN bandwidth consumption by the agent. If the consumed WAN bandwidth by the 2 agents polling your 30 DCs is not a problem for you, then I suggest leaving the 2 agents where they are.
20% of users get portaled - I assume you mean Captive Portal and 20% are prompted for authentication. If so, you should extend the 'User Identification Timeout'. If you're running the version 4.1 agent, you can add your Exchange server(s) to the list and have the agents monitor the Exchange server(s) as well.
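The two placement options discussed in the last few posts (a couple of central agents polling every DC across the WAN, versus one or more agents per site that only monitor local DCs) can be sanity-checked against the limits quoted earlier in the thread. The following is an added planning helper, not code from Palo Alto Networks or from anyone in this thread; it takes the limits as parameters because the thread itself reports conflicting figures (100 per firewall in the quoted document, 255 in a later reply), and the site layout it is run on is constructed for illustration.

```python
import math

# Limits as quoted from the document pasted earlier in the thread. These are
# defaults only: pass your own dict if your platform or version documents
# different figures (the thread also mentions 255 agents per firewall).
DEFAULT_LIMITS = {
    "dcs_per_agent": 100,        # "Each UIA can connect to up to 100 Domain Controllers"
    "agents_per_firewall": 100,  # "Each firewall can support up to 100 UIAs"
}


def agents_for_dc_count(dc_count, limits=DEFAULT_LIMITS, redundancy=1):
    """Agents needed to monitor dc_count DCs from one location.

    The base count is ceil(dc_count / dcs_per_agent); 'redundancy' adds spare
    agents, matching the thread's point that extra agents for the same domain
    only buy failover, not more identification coverage.
    """
    if dc_count < 0:
        raise ValueError("DC count cannot be negative")
    if dc_count == 0:
        return 0
    return math.ceil(dc_count / limits["dcs_per_agent"]) + redundancy


def plan_distributed(sites, limits=DEFAULT_LIMITS, redundancy=1):
    """Per-site agent counts so that each agent only polls its local DCs.

    sites: dict mapping site name -> number of domain controllers at that site.
    Returns dict mapping site name -> number of agents to deploy there.
    """
    return {
        site: agents_for_dc_count(dc_count, limits, redundancy)
        for site, dc_count in sites.items()
    }


def plan_centralized(sites, limits=DEFAULT_LIMITS, redundancy=1):
    """Agent count when a single location polls every DC across the WAN."""
    return agents_for_dc_count(sum(sites.values()), limits, redundancy)


def check_plan(total_agents, limits=DEFAULT_LIMITS):
    """Compare a proposed agent total with the per-firewall limit."""
    cap = limits["agents_per_firewall"]
    return {
        "total_agents": total_agents,
        "within_limit": total_agents <= cap,
        "headroom": cap - total_agents,
    }


def compare_placements(sites, limits=DEFAULT_LIMITS, redundancy=1):
    """Return both plans side by side with their limit checks."""
    distributed = plan_distributed(sites, limits, redundancy)
    centralized = plan_centralized(sites, limits, redundancy)
    return {
        "distributed": {"per_site": distributed,
                        "check": check_plan(sum(distributed.values()), limits)},
        "centralized": {"agents": centralized,
                        "check": check_plan(centralized, limits)},
    }


if __name__ == "__main__":
    # Constructed layout loosely modelled on the poster's 30 remote DCs.
    example_sites = {"HQ": 10, "Remote-A": 8, "Remote-B": 7, "Remote-C": 5}
    for name, result in compare_placements(example_sites).items():
        print(name, result)
```

With the constructed layout above, the centralized plan needs 2 agents (one plus a spare), which is exactly what the poster is running today, while the distributed plan needs 8 agents in total and still leaves plenty of headroom against a 100-agent limit. The check becomes useful at the other extreme: 150 branch sites with one DC each and one spare agent per site would call for 300 agents, which no figure quoted in this thread supports, so such a design would have to share agents across sites or drop the per-site spare.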
I've heard the following may be documented on the Palo Alto internal KB:
Maximum number of pan-agents per vsys: 100
Maximum number of pan-agents per platform: 100
BUT I also received a reply to a direct email recently stating that:
That it's 255 for the user agent.
Terminal server agents are 255, except in the 5000 series where they can go up to 1000.