No of User ID agents for HQ and sites

L3 Networker

Hi All

 

My network topology: I have an HQ with a PA-7050 firewall and 3 domain controllers. I have 22 branches, each with a local domain controller and a PA-3050 firewall.

 

Now I want to deploy User-ID agents. In my scenario, what is the best way to deploy them? I am thinking of the following:

 

- Deploy one User-ID agent (with backup) in each branch on a member server and monitor the local domain controller (branch DC)

- Deploy one User-ID agent (with backup) in HQ on a member server and monitor the HQ domain controllers.

- How can I share the User-ID information between branch and HQ firewalls? Should I integrate all firewalls with all User-ID agents?

 

Thanks


L7 Applicator

Let me just ask...

 

Does branch 1 need to know about users at branch 2, etc., or does HQ just need to know about the users at all other branches?

 

 

Cyber Elite

- You can have all the branch firewalls set up with clientless User-ID to the local AD, and have each firewall function as a User-ID agent to the HQ location

- You can also install a User-ID agent at each location and then connect each local firewall to the local User-ID agent, and have the HQ firewall connect to all the User-ID agents

 

Unless it's likely your users will make connections to other branches, I wouldn't share User-ID between branches, only with HQ.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I would go with @reaper.

 

That's why I was asking about inter-branch comms.

 

Also, it seems pretty daft adding a Windows agent to each branch, because if the branch PA fails then your users are stuffed anyway...

 

 

Hello,

I have multiple remote locations and two datacenters. I have one agent in each datacenter and each PAN connects to them for User-ID. My agents are set to only look at Exchange data, since it's updated very frequently and everyone runs Outlook clients. It works out really well. The agentless method didn't work for us, as we were running into a lot of WMI contention and alerts; we have the PANs send out alerts for anything High and Critical, hence the WMI alerts. Once we moved to the agents, the alerts stopped and things are working properly.

 

Hope that helps.

@OtakarKlier thanks

 

So you have agents only in HQ, and all firewalls (sites + HQ) use those agents?

In this case, how about bandwidth usage from each site firewall to the User-ID agent in HQ?

 

Thanks

@reaper thanks. Approach 1, I believe, is best, as it will avoid the overhead of maintaining member servers and User-ID agents in all branches.

 

How about if I use the User-ID agent only in HQ to monitor all DC servers (local DCs in HQ + the DC in each branch)? In this case:

 

1- How can I calculate the bandwidth requirement on the WAN link for the User-ID agent monitoring each branch DC? Each branch has a different number of users, like 300, 50 or a maximum of 1100.

 

2- Is it possible for a branch firewall to learn the user-IP mappings from the HQ firewall or the User-ID agent in HQ for its local subnets only?

Accepted Solution

Hi @faizankhurshid

 

If every byte of bandwidth matters, then I don't recommend using a central Windows User-ID agent server, as with this method the whole Security log from every DC will be transferred from the branch DC to the User-ID agent server.

As far as I know there is no general calculation of the required bandwidth, as it really depends on user behaviour. But to get your required bandwidth, you can do the following:

  • Windows User-ID agent: check the size of the Security log on the DCs and divide that by the time span the log contains entries for
  • Agentless User-ID: export the logs with the IDs 4768, 4769, 4770, 4624, check the size of these and divide this number by the time span you have logs for
  • Windows Log Forwarding: the same as with agentless User-ID

Of course with every transfer over the network there is also a (very) small percentage of overhead, but this probably does not matter that much.

 

So in case you want/need all the User-ID data from all locations in all locations, I would use one of the following methods:

My personal preference in your situation would be the agentless setup because of the lower complexity - there are less components/features involved, which means less possible situations where problems can happen.

But both of these methods will work, and in both cases you can configure the branch firewalls to fetch the User-ID data either from your 7050 or from the Windows User-ID agent.

 

To your second question: this is kind of possible. In the zone configuration where you have to enable user identification, you can configure the subnets that the firewall should use for User-ID. But this is a second step, I think: the firewall will still get all User-ID data from HQ and then simply not use the mappings that are not part of a configured subnet. Or, if you go the way of configuring every branch firewall to connect to the branch DCs, it is possible to configure the agentless User-ID agent to only gather the user-IP mappings from the local subnets.

 

Regards,

Remo
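The estimate Remo describes (and that faizankhurshid's first question asks for) as an added worked example, not code from the original thread or from Palo Alto Networks: a PowerShell script run against a branch DC that pulls only the logon-related events the agentless/log-forwarding methods consume (IDs 4768, 4769, 4770, 4624, taken from the thread), sizes them and divides by the time span they cover, then does the same for the whole Security log to show what the Windows User-ID agent method would pull across the WAN instead. The `$ComputerName` and `$LookbackHours` parameters and the XML-size approximation are my assumptions, not anything the thread states.

```powershell
# Added example (not from the original thread): rough User-ID WAN bandwidth
# estimate for one DC. Requires an account that can read the Security log on
# the target (Event Log Readers or equivalent); -ComputerName uses RPC/WMI.
param(
    [string]$ComputerName = $env:COMPUTERNAME,        # assumption: local DC by default
    [int[]]$EventIds      = @(4768, 4769, 4770, 4624), # Kerberos TGT/TGS/renewal + logon
    [int]$LookbackHours   = 24                         # assumption: one working day
)

$start = (Get-Date).AddHours(-$LookbackHours)

# 1) Agentless / log-forwarding case: only the events the firewall reads.
#    FilterHashtable filters on the server side, far cheaper than Where-Object.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = $start
} -ErrorAction Stop

if (-not $events) {
    Write-Warning "No events with IDs $($EventIds -join ',') in the last $LookbackHours h on $ComputerName"
    return
}

# Approximate on-the-wire size with each event's XML rendering. The real
# transport (WMI/WinRM, or the agent's own protocol) adds framing, so treat
# the result as a floor, not an exact figure.
$bytes = 0L
foreach ($e in $events) {
    $bytes += [System.Text.Encoding]::UTF8.GetByteCount($e.ToXml())
}

$sorted  = $events | Sort-Object TimeCreated
$oldest  = $sorted[0].TimeCreated
$newest  = $sorted[-1].TimeCreated
$seconds = [math]::Max(($newest - $oldest).TotalSeconds, 1)

[pscustomobject]@{
    DC            = $ComputerName
    Events        = $events.Count
    Span          = $newest - $oldest
    TotalMB       = [math]::Round($bytes / 1MB, 2)
    AvgKbps       = [math]::Round(($bytes * 8) / $seconds / 1000, 2)
    PerEventBytes = [math]::Round($bytes / $events.Count)
} | Format-List

# 2) Windows User-ID agent case: the agent reads the whole Security log, so
#    the comparable figure is the full log size over the time span it covers.
$log       = Get-WinEvent -ComputerName $ComputerName -ListLog Security
$oldestAny = Get-WinEvent -ComputerName $ComputerName -LogName Security -Oldest -MaxEvents 1
$fullSpan  = [math]::Max(((Get-Date) - $oldestAny.TimeCreated).TotalSeconds, 1)

"Full Security log: {0:N2} MB over {1:N1} h -> ~{2:N2} kbps if replicated whole" -f `
    ($log.FileSize / 1MB), ($fullSpan / 3600), ($log.FileSize * 8 / $fullSpan / 1000)
```

Run it once per branch DC during a normal working day (`.\Estimate-UserIdBandwidth.ps1 -ComputerName BR01-DC1 -LookbackHours 24`) and compare the two figures: the gap between them is the bandwidth you pay for a central Windows User-ID agent that reads every DC's full Security log over the WAN. A day that includes a mass logon (Monday morning, post-patching reboots) gives a more honest peak than a quiet afternoon.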

Hello,

While I have not measured the actual bandwidth, it's pretty small and not noticeable on our network.

 

Regards,

Thanks
