Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PAN AGENT CAPACITY BY VSYS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN AGENT CAPACITY BY VSYS

L3 Networker

hello,

I have seen the following information for pan agent capacity

Capacity

User Identification capacity limits:

• The PA-4000 series can support up to 64,000 concurrent users; the PA-2000 series can

support up to 47,000 concurrent users.

• Up to 640 groups can be used in policies for each virtual system (vsys)

• Each UIA can connect to up to 10 Domain Controllers

Each firewall can support up to 100 UIA’s

Limit of 100 entries each in the Allow and Ignore list on the UIA

• Only 1 NTLM handshake can be in process between a UIA and AD server at a time

And I have the following question : the support of 100 user id agent is for each VSYS or Globally?? because in 4.0 you can not shared pan-agent configuration. And if you have 10 VSYS with 12 PAN AGENT we must configure 120 PAN AGENT on your PA.

thanks for your answer,

Alex

3 REPLIES 3

L6 Presenter

I think this is in total.

VSYS in PAN (and most other devices for that matter) is just to segment the dataplane. You still have a single mgmtplane and its the mgmtplane who does the User-ID Agent identification and stuff.

mikand I confirm, this is in total! when I create more than 100 pan agent I see the following message:


Server error :  constraints failed : No. of agents configured exceeds maximum allowed(100)
[edit]

Not applicable

Another point .. this information is perhaps out of date  "Each UIA can connect to up to 10 Domain Controllers"

The older 3.x UIA Agents by "default" would monitor only 10 domain controllers, but if you manually edited the XML config file you could get them to monitor 100  e.g <max-dc>100</max-dc>

I believe the new 4.x UIA have this setting by default now.

  • 2229 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!