03-16-2018 12:40 AM
Hi All
My network topology is as follows: I have an HQ with a PA-7050 firewall and 3 domain controllers in HQ. I have 22 branches with a local domain controller in each branch, and the branch firewall is a PA-3050.
Now I want to deploy User-ID agents. In my scenario, what is the best way to deploy them? I am thinking of the following:
- Deploy one user-ID agent (with backup) in each branch on member server and monitor the local domain controller (branch DC)
- Deploy one user-ID agent (with backup) in HQ on member server and monitor the HQ domain controllers.
- How can I share the user-ID information between branch and HQ firewalls? Should I integrate all firewalls to all user-ID agents?
Thanks
03-16-2018 05:27 AM
let me just ask....
does branch 1 need to know about users at branch 2, etc... or does HQ just need to know about all other branches. (users)
03-16-2018 06:21 AM
-you can have all the branch firewalls set up with clientless user-id to the local AD, and have each firewall function as a UserID agent to the HQ location
-you can also install a User-ID agent on each location and then connect each local firewall to the local User-ID agent, and have the HQ firewall connect to all the User-ID agents
unless it's likely your users will make connections to other branches I wouldn't share user-id between branches, only with HQ
03-16-2018 06:31 AM
I would go with @reaper.
thats why I was asking about inter branch comms.
also.... it seems pretty daft adding a Windows agent to each branch, because if the branch PA fails then your users are stuffed anyway...
03-16-2018 09:32 AM
Hello,
I have multiple remote locations and two datacenters. I have one agent in each data center and each PAN connects to them for User-ID. My agents are set to only look at Exchange data since it's updated very frequently and everyone runs Outlook clients. Works out really well. The agentless setup didn't work for us as we were running into a lot of WMI contention and alerts; we have the PANs send out alerts for anything High and Critical, hence the WMI alerts. Once we moved to the agents the alerts stopped and things are working properly.
Hope that helps.
03-17-2018 01:11 AM
@OtakarKlier thanks
So you have agents only in HQ and all firewalls (sites + HQ) using those agents?
In this case, how about bandwidth usage from each site firewall to user-ID agent in HQ?
Thanks
03-17-2018 01:25 AM
@reaper thanks. Approach 1 I believe is best as it will avoid the overhead of maintaining member servers and user-id agents in all branches.
How about if I use the user-ID agent only in HQ to monitor all DC servers (local in HQ + DC in branches). In this case,
1- How can I calculate the bandwidth requirement on the WAN link for the User-ID agent to monitor each branch DC? Each branch has a different number of users, e.g. 300, 50 or a maximum of 1100.
2- Is it possible that branch firewall can learn the user-IP mapping from HQ firewall or user-ID agent in HQ for their local subnets only?
03-17-2018 06:17 AM
If every byte of bandwidth matters then I don't recommend using a central Windows User-ID agent server, as with this method the whole security log from every DC will be transferred from the branch DC to the User-ID agent server.
As far as I know there is no general calculation of the required bandwidth, as it really depends on the user behaviour. But to get your required bandwidth, you can do the following:
Of course with every transfer over the network there is also a (very) small percentage of overhead, but this probably does not matter that much.
So in case you want/need all the User-ID data from all locations in all locations, I would use one of the following methods:
My personal preference in your situation would be the agentless setup because of the lower complexity: there are fewer components/features involved, which means fewer possible situations where problems can happen.
But both of these methods will work, and in both cases you can configure the branch firewalls to fetch the User-ID data either from your 7050 or from the Windows User-ID agent.
To your second question: this is kind of possible. In the zone configuration where you have to enable user identification, you could configure the subnets that the firewall should use for User-ID. But this is a second step, I think; the firewall will still get all User-ID data from the HQ and then simply not use the ones that are not part of a configured subnet. Or if you go the way of configuring every branch firewall to connect to the branch DCs, it is possible to configure the agentless user agent to only gather the user-IP mappings from the local subnets.
Regards,
Remo
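Added example, not code from the thread or from Palo Alto Networks: a small Python model of the subnet filtering Remo describes, where a branch firewall keeps only the user-IP mappings from its local subnets. The include/exclude semantics (exclude wins; a non-empty include list keeps only matching IPs) are an assumption of this example, as are the constructed usernames and addresses.

```python
import ipaddress

# Constructed sample of user-to-IP mappings as an agent might report them
# (hypothetical usernames, RFC 1918 addresses; not real data).
SAMPLE_MAPPINGS = [
    ("corp\\alice", "10.1.10.25"),        # HQ user
    ("corp\\bob", "10.22.5.7"),           # branch 22 user
    ("corp\\carol", "10.3.0.40"),         # branch 3 user
    ("corp\\svc-backup", "10.3.0.250"),   # service host in branch 3
    ("corp\\dave", "192.168.99.9"),       # unknown/guest subnet
]


def filter_mappings(mappings, include=(), exclude=()):
    """Return the mappings a firewall should keep for its zone.

    Assumed semantics, modelled on an include/exclude network list:
      - an IP inside any excluded network is dropped, regardless of include;
      - if the include list is non-empty, only IPs inside one of its
        networks are kept;
      - an empty include list keeps everything that is not excluded.
    """
    inc = [ipaddress.ip_network(n) for n in include]
    exc = [ipaddress.ip_network(n) for n in exclude]
    kept = []
    for user, ip_str in mappings:
        ip = ipaddress.ip_address(ip_str)
        if any(ip in n for n in exc):
            continue                      # exclude takes precedence
        if inc and not any(ip in n for n in inc):
            continue                      # outside the local subnets
        kept.append((user, ip_str))
    return kept


def branch3_view():
    # Branch 3 uses 10.3.0.0/16 (assumed); its backup host is not a user.
    return filter_mappings(SAMPLE_MAPPINGS,
                           include=["10.3.0.0/16"],
                           exclude=["10.3.0.250/32"])


def hq_view():
    # HQ wants every mapping from every site: no include/exclude list.
    return filter_mappings(SAMPLE_MAPPINGS)


if __name__ == "__main__":
    print("branch 3 keeps:", branch3_view())
    print("HQ keeps:", len(hq_view()), "mappings")
```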
03-19-2018 08:05 AM
Hello,
While I have not measured the actual bandwidth, it's pretty small and not noticeable on our network.
Regards,