08-18-2013 10:32 PM
Hello!
I have questions about user-id functions.
1. How many user-ids are supported by agentless User-ID? I guess that 64K user-ids and 640 user groups are supported on all PAN models, right?
2. When using a User-ID collector, how many user-ids and user groups are supported by agentless User-ID for receiving all of the user-ids and user groups from other FWs? Are 64K user-ids and 640 user groups supported?
3. How many domains and DCs are supported in a User-ID collector environment? Are only 20 DCs and 8 different domains supported?
4. When the User-ID collector supports so many user-ids and user groups, does it cause a performance problem for the MGMT of the FWs?
5. I know that the command "show user ip-user-mapping all" shows the user mapping for the data plane and "show user ip-user-mapping-mp all" shows the user mapping for the management plane. What is the difference between the two commands? When should I check the user mapping on the MP or the DP?
Thanks
Regards,
Roh
08-19-2013 02:20 AM
1. How many user-ids are supported by agentless User-ID? I guess that 64K user-ids and 640 user groups are supported on all PAN models, right?
Right
2. When using a User-ID collector, how many user-ids and user groups are supported by agentless User-ID for receiving all of the user-ids and user groups from other FWs? Are 64K user-ids and 640 user groups supported?
Right
3. How many domains and DCs are supported in a User-ID collector environment? Are only 20 DCs and 8 different domains supported?
Approximate Numbers:
Agentless: Small/Medium-sized Deployments and LAB Environments
Monitoring up to 20 Domain controllers and/or Exchange servers.
User-ID Agent : Large Deployments
Monitoring up to 100 Domain controllers and/or Exchange servers.
4. When the User-ID collector supports so many user-ids and user groups, does it cause a performance problem for the MGMT of the FWs?
Using the User-ID feature to its max capacity would increase the MP CPU but should not affect the Management Access to the FW.
5. I know that the command "show user ip-user-mapping all" shows the user mapping for the data plane and "show user ip-user-mapping-mp all" shows the user mapping for the management plane. What is the difference between the two commands? When should I check the user mapping on the MP or the DP?
DP reads User-ID info from MP, so while debugging User-ID related issues start with the MP related command (show user ip-user-mapping-mp all).
08-19-2013 02:53 AM
Hi Nadir,
Great Answer!! Thanks a lot.
Have a good day.
Regards,
Roh
03-13-2015 01:00 AM
Hi,
Thank you for your information. I have some questions as follows:
Number of user-ip-mappings supported and user-id agentless buffer question
Best Regards,
Pisek B.
06-27-2018 08:27 AM
Hi Ameya,
In the case of a single domain forest, let's say we are going with an agent-based User-ID deployment. There is a constraint on the number of user groups that the Palo Alto FWs can parse, right? I am assuming 640 user groups for version 7.0 and 10k for version 8.0. What if we have a user group count over 10k? How can you do the user group mapping in such cases?
06-27-2018 08:40 AM
You have over 10k different user groups being serviced by a single firewall?
06-27-2018 09:29 AM
Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.
07-01-2018 11:20 AM
@JoeAndreini wrote: Keep in mind, the firewall does not monitor every group in the domain, only those it is configured to.
... if you restrict the monitored groups with an ldap filter or specify them one by one in the group mapping settings 😉
07-01-2018 03:02 PM
Yeah, we do have a single AD forest, which has over 13k user groups. We are finding an optimum way to query the necessary groups instead of each and every group. An include list is not a feasible solution at this point. I am exploring ways to see how to achieve this.
07-01-2018 04:15 PM
In this case you need a good naming concept for AD groups, so you could specify a simple LDAP filter to import the required groups ... or a slightly more complex LDAP filter. But this is probably the only way.
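The naming-convention approach above can be previewed before touching the firewall: evaluate the candidate LDAP group filter against a directory export and count what it would import. The following Python is an added example, not code from the thread or from Palo Alto Networks. It implements a small subset of RFC 4515 filter syntax (`&`, `|`, `!`, and `attr=value` with `*` wildcards; escaped parentheses in values are not handled) and runs it over a constructed set of AD entries. The `FW-` prefix for firewall-relevant groups, the `objectClass` values, and the group names are all assumptions made up for the example.

```python
"""Preview which AD groups an LDAP filter would select for firewall group mapping.

Added example, not from the forum thread. Directory entries are modelled as
dicts of lowercase attribute name -> list of values, the way a real LDAP
search result would look after normalising attribute names.
"""
import re

# Constructed sample entries (not real directory data). Note the last one is a
# user object whose cn happens to match the "FW-" naming convention.
SAMPLE_ENTRIES = [
    {"cn": ["FW-VPN-Users"], "objectclass": ["top", "group"]},
    {"cn": ["FW-Admins"], "objectclass": ["top", "group"]},
    {"cn": ["HR-Payroll"], "objectclass": ["top", "group"]},
    {"cn": ["Printer-Floor3"], "objectclass": ["top", "group"]},
    {"cn": ["Distribution-List-Sales"], "objectclass": ["top", "group"]},
    {"cn": ["fw-svc-account"], "objectclass": ["top", "person", "user"]},
]


def parse_filter(text):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), and (attr=value)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children)
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated assertion")
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"bad assertion {text[pos:end]!r}")
        pos = end + 1
        # AD attribute names are case-insensitive; normalise to lowercase.
        return ("=", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _value_matches(pattern, value):
    """RFC 4515 substring match: '*' is a wildcard, everything else literal.

    AD string attributes such as cn compare case-insensitively, so we do too.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "=":
        _, attr, pattern = node
        return any(_value_matches(pattern, v) for v in entry.get(attr, []))
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # op == "!"


def select_groups(filter_text, entries):
    """Return the sorted cn values of entries the filter would import."""
    node = parse_filter(filter_text)
    return sorted(e["cn"][0] for e in entries if matches(node, e))


def within_group_limit(filter_text, entries, limit):
    """Return (count, fits) so a filter can be checked against a platform cap
    supplied by the caller (the thread mentions 640 and 10k as version-dependent
    figures; this function does not hard-code either)."""
    count = len(select_groups(filter_text, entries))
    return count, count <= limit


if __name__ == "__main__":
    for f in ["(cn=FW-*)", "(&(objectClass=group)(cn=FW-*))"]:
        print(f, "->", select_groups(f, SAMPLE_ENTRIES))
```

The two filters in the `__main__` block illustrate the point of the objectClass clause: `(cn=FW-*)` alone also pulls in the `fw-svc-account` user object, while `(&(objectClass=group)(cn=FW-*))` restricts the import to actual groups. Run the same logic over an LDIF export of a large forest to see how many groups a given naming convention would pull in before deciding on the filter for the firewall's group mapping profile.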