Scaling User-ID Deployment using the F5 Load Balancer




In a large-scale User-ID deployment in a dynamic network, customers deploy thousands of firewalls that they want to scale dynamically while ensuring that the firewalls can still get IP-User mappings from the Windows User-ID agent.


For this type of large-scale deployment, customers may run into the following challenges:


  • They want to add new firewalls dynamically and the firewalls’ configuration is pushed from a Panorama Template, which means that they cannot change the configuration of the Windows User-ID agent as the new firewalls are added. However, User-ID agents can only support up to 512 firewalls so customers can’t connect all of their firewalls to a single Windows User-ID agent pair.
  • When the Windows User-ID agent hosts are taken offline for regular server maintenance, they do not want this activity to prevent identification of user traffic.


To address these challenges, customers can use an F5 load balancer between NGFWs and User-ID agents. This article will explain the architecture and the configuration required for this integration.





This example architecture has thousands of firewalls reading IP-User mappings via Windows User-ID agents from security events generated on multiple domain controllers. The firewalls don’t connect directly to Windows User-ID agents but through an F5 load balancer. All of the Windows User-ID agents are configured to connect to the same Windows Domain Controllers to ensure that all Windows User-ID agents have a complete list of IP-User mappings and also to ensure that the firewall gets the same mappings regardless of which Windows User-ID agent is sending them.



Step 1: Configure Windows User-ID agents to all connect to the same Windows Domain Controllers.



Step 2: Configure the F5 load balancer to connect to your Windows User-ID agents. 


Please refer to the F5 documentation to configure the F5 load balancer. We are only providing the necessary steps to connect the F5 load balancer to Windows User-ID agents.

  1. Configure a Monitor to periodically probe the Windows User-ID agents to see if they are active so that the F5 load balancer can fail over the connection when the agent becomes inactive.
    1. Select Local Traffic > Monitors and click Create.
    2. Enter a Name for the monitor.
    3. Select the Type as TCP.
    4. Set the Interval to how frequently you would like the F5 load balancer to check whether the agent is active. 
    5. Set the Timeout to the duration that you want the F5 load balancer to wait before determining the agent is inactive. When this time expires, the F5 load balancer will fail over the connections on the inactive agent to active agents. F5 recommends setting this value to three times the interval value, plus one (for example, an interval/timeout ratio of 5/16).
    6. Click Finished.
  2. Create a Node for each Windows User-ID Agent in your environment.
    1. Select Local Traffic > Nodes and click Create.
    2. Enter a Name for the node.
    3. Enter the IP address of the Windows User-ID Agent.
    4. Set the Health Monitors to Node Specific.
    5. Select the Monitor that you created in Step 1.
    6. Set the Availability Requirement to All.
    7. Click Finished.
  3. Create a Pool for the Nodes created in the previous step so that F5 can monitor all the members of the pool.
    1. Select Local Traffic > Pools and click Create.
    2. Enter a Name for the pool.
    3. Select the Monitor that you created in the previous steps.
    4. Select your preferred Load Balancing Method. Least connections (member) is the recommended method for dynamic load balancing. 
    5. Select your preferred setting for Priority Group Activation. This number determines the minimum number of members that must be available in a higher priority group before the load balancer fails over to members in a lower priority group.
    6. Under New Members, select Node List, and Add each Node that you created in Step 2. Set the Service Port to 5007, the default User-ID Agent port.
    7. Click Finished.
    8. Select Local Traffic > Pools and select the link associated with the pool you just created under Members.
    9. For each member of the pool, set the Ratio to 1, and the Priority Group to 1.
    10. Click Update.
  4. Create a Virtual Server object to be the front end of the F5 load balancer.
    1. Select Local Traffic > Virtual Servers and click Create. 
    2. Enter a Name for the Virtual Server object.
    3. Set the Type to Performance (Layer 4).
    4. (Optional) Set the Source Address to the firewalls' address space so that only firewalls can connect to the load balancer.
    5. Set the Destination Address to the IP address to which your firewalls connect.
    6. Set the Service Port to 5007, the default User-ID Agent port.
    7. Set the Protocol to TCP.
    8. Set the Protocol Profile (Client) to fastL4.
    9. Click Finished.

Step 3: Configure the firewall to connect to the F5 load balancer as the User-ID agent.
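
The following Python planning helper is an added example, not part of the original article or of any Palo Alto Networks or F5 tooling. It probes each agent on TCP port 5007 the way a TCP-type monitor would, applies the "three times the interval, plus one" timeout rule, and checks whether an agent can be taken offline for maintenance without pushing the remaining agents past the 512-firewall limit. The function names, the sample addresses and the assumption that least-connections balancing spreads firewalls evenly are illustrative.

```python
import math
import socket

USERID_AGENT_PORT = 5007         # default User-ID agent port named in the article
MAX_FIREWALLS_PER_AGENT = 512    # per-agent limit named in the article


def tcp_probe(host, port=USERID_AGENT_PORT, timeout=2.0):
    """Return True if a TCP connection opens, roughly what a TCP-type monitor checks."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def monitor_timeout(interval):
    """Timeout rule quoted in the article: three times the interval, plus one."""
    return 3 * interval + 1


def min_agents(firewalls, offline_tolerated=1):
    """Agents needed so the pool stays within the limit with some agents offline."""
    return math.ceil(firewalls / MAX_FIREWALLS_PER_AGENT) + offline_tolerated


def maintenance_check(agents, firewalls, taking_offline, probe=tcp_probe):
    """Decide whether `taking_offline` can be removed without overloading the rest.

    Assumption: least-connections balancing spreads firewall connections evenly
    across the agents that remain reachable (a simplification for planning).
    """
    remaining = [a for a in agents if a not in taking_offline and probe(a)]
    if not remaining:
        return {"safe": False, "remaining": [], "per_agent": None}
    per_agent = math.ceil(firewalls / len(remaining))
    return {"safe": per_agent <= MAX_FIREWALLS_PER_AGENT,
            "remaining": remaining, "per_agent": per_agent}


if __name__ == "__main__":
    # Constructed sample inventory (documentation addresses, not from the article).
    agents = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print("timeout for a 5 s interval:", monitor_timeout(5))
    print("agents needed for 2000 firewalls:", min_agents(2000))
    print(maintenance_check(agents, 1000, {"192.0.2.11"}, probe=lambda a: True))
```

Run `maintenance_check` with the real probe before a maintenance window; an agent that is already unreachable is excluded from the remaining capacity.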

