Maximum number of UserID Agents for 4.1.x ?

Not applicable

What's the maximum number of User-ID agents that can be configured to talk to the firewall?

i.e. Will the firewall complain if we have 200+ User-ID agents configured to talk to it?

I know each agent can monitor a maximum of 100 domain controllers, but how many agents can the firewall monitor?

L5 Sessionator

Hello,

I've been unable to find a hard-coded limit. I don't believe we restrict you to a certain number of agents connected to the firewall.

However, keep in mind that only one agent per domain actually connects to the firewall at a time.

In other words, having multiple User-ID agents connected to one firewall for one domain will only provide redundancy in case one of the agents goes down.

If this doesn't quite answer what you're looking for, please let me know the environment you're going to be deploying and I can look for more specific information.

Thanks,

Jason Seals

L5 Sessionator

Of course I find the number right after posting.

"• Each UIA can connect to up to 100 Domain Controllers
• Each firewall can support up to 100 UIAs
• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.

Thanks,

Jason Seals

In 4.1, the agent can connect to 100 Domain Controllers.

L1 Bithead

My understanding is that the firewall will not read from more than one UIA at a time. One is primary, the other is secondary; how would adding all the other agents help with user identification?

L6 Presenter

Hi... If you have different domains with different AD forests (or without trust), you can use 1 agent per domain.

Also, you can have 2+ agents per domain as needed. Let's say you have 1 main location and 4 remote sites, each site has some DCs, and WAN bandwidth is low. You can deploy 1 agent per site to monitor its local DCs without crossing the WAN. The PA firewall can talk to all 5 agents to gather User-IDs.


Thanks.

L1 Bithead

Ok, in my situation I have 30 remote DCs with slower WAN links. I currently use 2 PAN agents to poll all 30; it works fairly well, but I would say 20% of users get portaled on a regular basis. So if I install agents on all my DCs, the PA could digest info from all of them? Is that recommended? I seem to get different answers on this.

thanks

L6 Presenter

In general, deploying the agent near the DCs is to decrease the WAN bandwidth consumption by the agent. If the WAN bandwidth consumed by the 2 agents polling your 30 DCs is not a problem for you, then I suggest leaving the 2 agents where they are.

20% of users get portaled - I assume you mean Captive Portal and 20% are prompted for authentication. If so, you should extend the 'User Identification Timeout'. If you're running the version 4.1 agent, you can add your Exchange server(s) to the list and have the agents monitor the Exchange server(s) as well.

Thanks.

L3 Networker

Hi guys,

I have a question:

Does the PAN firewall have any limit on users from LDAP?

Does the PA 200 support the same number of users as the PA 2050?

Best Regards.

Thiago Lima.

L6 Presenter

Hi... Yes, there are upper limits to every system based on system resources. Can you be more specific on your questions?

Not applicable

I've heard the following may be documented on the Palo Alto internal KB:

Platform Capacity

Maximum number of pan-agents per vsys: 100

Maximum number of pan-agents per platform: 100

BUT I also received a reply to a direct email recently stating that:

It's 255 for user agents.

Terminal server agents are 255 except in the 5000 series where they can go up to 1000
