02-03-2011 01:40 PM
In your Pan Agent 2.1 documentation you did an excellent job of documenting User Identification from start to finish. I have yet to see one document such as this for 3.1.
Please reference page 7 of the Pan Agent 2.1 document and confirm or correct what the current User Identification capacity is.
Please consider updating the Pan Agent 2.1 document to make it relevant.
Thanks
02-03-2011 08:29 PM
Hi Datadink,
I know your post was more of a request, rather than a question, but I thought it might be relevant to actually have the document you're speaking of attached. I agree with you, the 2.1 tech note is excellent, and while an update to this doc is probably due from the Palo Alto Networks technical marketing team, the document is in large part still true to the way things operate with 3.1 and very relevant. For example, capacities in 3.1 are still 64,000 active users, and 640 active and unique groups used in a policy for each vsys. Anyway, I'm attaching the doc for the greater benefit of the KP community.
Hope this helps!
Santiago
02-04-2011 06:54 AM
Thanks for your response.
Could you provide additional information pertaining to the UIA domain capacity and NTLM handshakes at a time as shown in attached? Is this still accurate?
Also, can you confirm for me that in order to do Captive Portal with NTLM the UIA is still necessary, as shown in attached?
Thanks
02-04-2011 06:58 AM
Please do pass along to Technical Marketing that the lack of up-to-date technical documentation has caused a bit of turmoil in our org. 3.x has been out for quite a while now it's should be too difficult to make the document current.
Thanks
02-04-2011 08:27 AM
On Captive Portal with NTLM, yes, UIA is still necessary. Authentication method is client browser <=> appliance web authentication page <=> User ID Agent <=> Domain Controller.
On UIA domain capacity, the default maximum number of domain controllers is 10, but this is configurable to a maximum of 100. You can modify this in the User ID Agent config file. Look for the "config.xml" file located in the directory where you installed the UserID agent (defaults to C:\Program Files\Palo Alto Networks\PanAgent), and the value you want to look at is called <max-dc>.
As far as the number of simultaneous NTLM handshakes, I don't know the answer to this right now, but maybe someone else on the forum does? In any case I'll look into it and let you know what I find!
02-04-2011 12:17 PM
Agreed. We will get the document updated.
02-25-2013 02:34 AM
Hi,
Any document update for PAN OS 5?
02-27-2013 04:37 PM
A very simple way of identifying this information can be found directly from your device.
Just type in:
> show system state
So, for example, to identify the maximum number of concurrent users, look for cfg.agent.max-entries. Based upon my research across various different models, I believe it is 64,000 for all models now.