We have planned to implement user-based policy in PA, and we have roughly 5k users across different locations with multiple controllers. We have two options:
1. Dedicated Windows-based User-ID agent
2. Palo Alto integrated User-ID agent
Among these two, which one is best for production with 5K+ users, and what is the best practice for deploying it?
Do you have DCs at each of these sites? There are various figures flying around, but you need to consider what is at each location. If you have a Palo at each location, then use a local agent to the local DC. We have 8 DCs for an 8k user base, and we just went for 1 server agent at each of our 2 major sites on dedicated windoze boxes and never had any issues. We do have 200 remote small sites, but they all stream back to our major sites.
Perhaps an overview of your setup would help...
This kinda keeps the busy end away from the Palos and the DCs.
To avoid putting much load on the firewalls, the dedicated Windows-based User-ID agent is better than the integrated one.
Also, you can use User-ID redistribution so that the firewalls that are not in front of the users get this data from the other edge firewalls if they can't connect directly to the Windows agent. You can read this if interested:
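One check that follows from the redistribution advice above is confirming that the core firewalls actually hold the same IP-to-user mappings as the edge firewalls that talk to the Windows agent. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses output in the general shape of the PAN-OS CLI command `show user ip-user-mapping all` captured from two firewalls and reports mappings that are missing or conflicting on the core. The two sample outputs are constructed, and the exact column layout is an assumption (it varies by PAN-OS version), so adjust `ROW_RE` to match your own firewall's output before relying on it.

```python
"""
Compare IP-to-user mapping tables from an edge firewall (directly connected
to the Windows-based User-ID agent) and a core firewall that should receive
the same mappings through User-ID redistribution.

Added example, not Palo Alto code.  The input format is modelled on
`show user ip-user-mapping all`; the column layout below is an assumption
and the sample blocks are constructed.
"""
import ipaddress
import re

# Constructed sample: edge firewall, mappings learned from the Windows agent.
EDGE_OUTPUT = """\
IP              Vsys   From     User                       IdleTimeout(s) MaxTimeout(s)
--------------- ------ -------- -------------------------- -------------- -------------
10.10.1.21      vsys1  UIA      corp\\alice                2400           2700
10.10.1.22      vsys1  UIA      corp\\bob                  2650           2700
10.10.2.7       vsys1  UIA      corp\\carol                2700           2700
10.10.2.9       vsys1  UIA      corp\\dave                 1200           2700
Total: 4 users
"""

# Constructed sample: core firewall, mappings it received by redistribution.
# 10.10.2.7 never arrived and 10.10.2.9 carries a stale user.
CORE_OUTPUT = """\
IP              Vsys   From     User                       IdleTimeout(s) MaxTimeout(s)
--------------- ------ -------- -------------------------- -------------- -------------
10.10.1.21      vsys1  UIA      corp\\alice                2380           2700
10.10.1.22      vsys1  UIA      corp\\bob                  2630           2700
10.10.2.9       vsys1  UIA      corp\\erin                 1180           2700
Total: 3 users
"""

# One data row: IP, vsys, source, user, idle timeout, max timeout (assumed layout).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+)\s+users?")


def parse_mappings(text):
    """Return {ip: (user, source)} for each data row; header/footer rows are skipped."""
    mappings = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, _vsys, source, user, _idle, _maxt = m.groups()
        try:
            ipaddress.ip_address(ip)  # rejects anything that is not a real address
        except ValueError:
            continue
        mappings[ip] = (user, source)
    return mappings


def parse_total(text):
    """Return the count from the trailing 'Total: N users' line, or None if absent."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def compare_mappings(edge, core):
    """Classify each edge mapping as matched, missing, or conflicting on the core."""
    missing = sorted(ip for ip in edge if ip not in core)
    conflicting = sorted(ip for ip in edge if ip in core and core[ip][0] != edge[ip][0])
    matched = len(edge) - len(missing) - len(conflicting)
    return {"matched": matched, "missing": missing, "conflicting": conflicting}


def report(edge_text, core_text):
    """Build a short human-readable summary, including a truncated-output warning."""
    edge, core = parse_mappings(edge_text), parse_mappings(core_text)
    lines = []
    for name, text, table in (("edge", edge_text, edge), ("core", core_text, core)):
        total = parse_total(text)
        if total is not None and total != len(table):
            lines.append(f"WARNING: {name} output lists {total} users but {len(table)} rows parsed")
    result = compare_mappings(edge, core)
    lines.append(f"matched: {result['matched']}")
    for ip in result["missing"]:
        lines.append(f"missing on core: {ip} -> {edge[ip][0]}")
    for ip in result["conflicting"]:
        lines.append(f"conflict: {ip} edge={edge[ip][0]} core={core[ip][0]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EDGE_OUTPUT, CORE_OUTPUT)))
```

Run it against captures from each firewall pair in turn: a non-empty "missing" list on a core firewall points at a redistribution gap between that core and its edge, while a "conflict" usually means the core is holding a mapping that has since changed at the edge.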