Restart UserID will affect to the service?
cancel
Showing results for 
Search instead for 
Did you mean: 

Restart UserID will affect to the service?

L4 Transporter

Hi,

 

If i run these commands in FW will affcet to the service???

 

Please try restarting the User-ID 
>Debug software restart process user-id

>Debug user-id reset user-id-agent all

 

How log affect to the users? Should i ask for a window maintenance?

 

Thanks a lot.

8 REPLIES 8

L1 Bithead

Hey,

 

Restarting the user-id will cause the ip-user mappings to be lost.
If you are using usernames  in security policies to filter out traffic, they will not be matched for the period of the user-id service restart and then they will rebuild the ip-user mappings together with the group information.

If the usernames are used in security policies, it's best to run the commands during a scheduled maintenance window.

 

Thanx.

 

L7 Applicator

if the userID agents themselves are not restarted and have a full mapping the impact would be really short but there would be non-matched users for the period of time it takes for the service to restart, so it it best to do this during a down time or have a catch-all security policy in place to temporarily allow users to get through without mapping

 

if the userID agents themselves are restarted as well, or the mapping is done clientless, rebuilding the user database can take a much longer time as the agent/clientless will need to re-read the security logs on the Active Directory

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

They have 2 userid agents. How long the user would be affect?? until to restart the userid proccess?? 1-3 minutes?

that will depend on a few factors, like the platform, management plane resources, complexity/size of the configuration and enabled features etc

 

so safety wise it would be best to assume there could be a 5 minute break (in reality it will likely be only a few seconds, but murphy's law could interfere

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

@reaper Sure restarting the agents might cause the agents to lose the cache of the user record, but isn't it really a "non-issue" because the MP and DP of the firewalls that are attached to the respective UIAs should still have the records?

@Brandon_Wertz: well, yes and no ;) under ideal circumstances restarting the agent will not have an impact at all 

 

But: there's many types of deployments out there, some may have really short timeouts for user mappings , or a user may not have logged on just yet,... it's better to er on the side of precaution and be happy no interruption was noticed by the users (i have some interesting stories of my early days in TAC where i was "oh let's just restart this service real quick, it's not gonna do anything" and moments later i could hear alarms blaring in the background at the customer site ;) )

 

 

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

haha yeah good point.  Our enviornment I made sure we've got two agents for each site.  So we can be assured of a zero impact.

bonus FYI: the agent has it's own little cache that is reloaded after restart to repopulate it's tables. only if an agent is stopped more than 5 minutes will it start from scratch

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!