User Identification


L0 Member

Hi all,

I'm just trying to wrap my head around the finer points of using the built-in User-ID agent to query our AD logs instead of having a User-ID agent on each DC. I've got this working in our environment, but I'm having a few connect-server-monitor-failure events come through. I still have the connect frequency set to the default 2 seconds, and I'm connecting to 10 DCs in various locations: local LAN, as well as 100 Mbps and 20 Mbps WAN links. The connect failures are happening on quite a few of the DCs, but on one a lot more than the others, so I figure that link may be getting congested more than the others.

So what I'm trying to confirm is the real-world consequences of increasing the connect frequency to a higher value, 5 seconds for example. If I understand the way this works correctly, it will result in larger delta changes being transferred over fewer periods, so the actual data transfer will net out to be the same. I also take it that the PA will take an extra 3 seconds to know about a new user logging in; does that really have material consequences? I'm thinking that by the time a user has logged in and waited for their PC to become usable, it would be longer than 5 seconds in most cases. Even in the event of a re-authentication or an ipconfig /renew, they will only get somewhere they should be for 5 seconds before the PA knows their new IP address and can apply the correct policies.

So in a nutshell, I know we probably have some sort of network-related problem to look into, but I'm more interested in understanding the pros and cons of tweaking the connect frequency from a security point of view. I'm also interested to know how other admins have this set up, i.e. 2 seconds is the default, but does that often get increased in real-world deployments?

Thanks,

Steve
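
One way to confirm which DC is behind most of the failures before touching the frequency, as an added example that is not part of the original thread and not a Palo Alto Networks tool: a small Python script that counts connect-server-monitor-failure events per monitored server from an exported log and flags the servers whose count is far above the median. The log lines below are constructed in an assumed, simplified one-line format; a real PAN-OS system-log export has a different column layout, so `LINE_RE` would need to be adapted to the export's fields (only the subtype name is the one quoted above).

```python
"""Count connect-server-monitor-failure events per monitored DC.

Added example, not from the original thread and not a Palo Alto Networks
tool. The line format parsed here is an assumed, simplified one; a real
PAN-OS system-log export uses a different field layout.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample lines in the assumed format:
# "<timestamp> <subtype> server=<host> msg=<free text>"
SAMPLE_LOG = """\
2024-03-04 09:00:02 connect-server-monitor-failure server=dc-syd-01 msg=timed out
2024-03-04 09:00:08 connect-server-monitor-failure server=dc-per-01 msg=timed out
2024-03-04 09:01:10 connect-server-monitor-failure server=dc-syd-01 msg=timed out
2024-03-04 09:01:12 connect-server-monitor-failure server=dc-syd-01 msg=timed out
2024-03-04 09:02:30 connect-server-monitor-failure server=dc-mel-01 msg=timed out
2024-03-04 09:03:44 connect-server-monitor-failure server=dc-syd-01 msg=timed out
2024-03-04 09:04:00 connect-server-monitor-failure server=dc-bne-01 msg=timed out
2024-03-04 09:05:21 connect-server-monitor-failure server=dc-syd-01 msg=timed out
2024-03-04 09:06:00 connect-server-monitor-success server=dc-syd-01 msg=reconnected
"""

FAILURE_SUBTYPE = "connect-server-monitor-failure"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<subtype>[\w-]+) server=(?P<server>\S+) msg=(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one event line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "subtype": m["subtype"],
        "server": m["server"],
        "msg": m["msg"],
    }


def failures_per_server(text):
    """Map server -> number of connect-server-monitor-failure events in text."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["subtype"] == FAILURE_SUBTYPE:
            counts[ev["server"]] += 1
    return counts


def outliers(counts, factor=3.0):
    """Servers whose failure count is at least `factor` times the median.

    The median, not the mean, is used so that one very bad link does not
    drag the baseline up and hide itself."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(s for s, n in counts.items() if n > 0 and n >= factor * baseline)


def report(text):
    """Sorted (server, failures) pairs, worst first."""
    counts = failures_per_server(text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for server, n in report(SAMPLE_LOG):
        print(f"{server:12s} {n:4d}")
    print("outliers:", outliers(failures_per_server(SAMPLE_LOG)))
```

Run it against the real export and the outlier list is the short list of links to look at first; if every DC shows up with a similar count, the problem is more likely on the firewall side (or the interval itself) than on one WAN link.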

Accepted Solution

L4 Transporter

Hello

If you were to increase the delta to 5 seconds, you are correct in all the ways you have understood this.
The main concern will be that you may see a lot more "unknowns" on the firewalls (because there may be traffic to the firewall even before the user tries to send out traffic).

You may then see the firewall requesting mappings for these "unknowns" from all your DCs, so the traffic from the firewall towards the DCs may increase in size, and since the firewall would be sending these out to all the DCs, the overall problem of congestion may be exacerbated. However, there is no hard and fast line. If you increase the delta and see no "real" increase in the troubles you are seeing right now, you could increment that to 3 or more seconds.

The PAN makes a list of "unknown IP addresses" and requests them in bulk from the DCs.

Overall this may have consequences on the memory used by the Userid daemon and overall performance (management plane) may be affected.

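
To put numbers on the trade-off described in the answer, here is an added Python model (mine, not from the thread and not a description of PAN-OS internals). It assumes the firewall reads each DC's security log at fixed poll boundaries, that a logon becomes a usable mapping at the first poll at or after it was written plus a fixed query latency, that any flow from the new address before that moment is counted as "unknown", and that each unknown costs one lookup request per monitored DC (the bulk batching the answer mentions is not modelled). The logon and first-traffic times are constructed; the point is that unknowns rise with the interval even though the per-hour log volume does not.

```python
"""Model mapping delay and "unknown" traffic against the poll interval.

Added example, not from the original thread. The timing model is an
assumption (fixed poll boundaries, fixed query latency), not PAN-OS
behaviour.
"""
import math

READ_LATENCY = 0.5  # assumed seconds for one log query to a DC to return

# Constructed (logon_time, first_traffic_time) pairs, in seconds from t=0:
# when the logon landed in a DC security log, and when the new IP first
# sent traffic through the firewall.
EVENTS = [
    (1.0, 1.5),    # fast client: traffic almost immediately after logon
    (3.0, 40.0),   # slow desktop: user waits for the profile to load
    (7.2, 9.0),
    (12.0, 12.3),  # ipconfig /renew style: traffic resumes at once
    (20.4, 25.0),
]


def mapping_ready_time(logon_time, interval, read_latency=READ_LATENCY):
    """First moment the firewall holds a mapping for a logon at logon_time.

    The event is picked up by the first poll at or after it was written;
    that poll then takes read_latency seconds to complete."""
    next_poll = math.ceil(logon_time / interval) * interval
    return next_poll + read_latency


def evaluate(interval, events=EVENTS, n_dcs=10, read_latency=READ_LATENCY):
    """Score one interval on the constructed events.

    unknown:    flows whose first packet preceded the mapping (the
                "unknowns" the answer warns about)
    lookups:    assumed cost of those unknowns, one request per monitored DC
    mean_delay, max_delay: seconds from logon to a usable mapping
    """
    delays, unknown = [], 0
    for logon, first_traffic in events:
        ready = mapping_ready_time(logon, interval, read_latency)
        delays.append(ready - logon)
        if first_traffic < ready:
            unknown += 1
    return {
        "interval": interval,
        "unknown": unknown,
        "lookups": unknown * n_dcs,
        "mean_delay": sum(delays) / len(delays),
        "max_delay": max(delays),
    }


def compare(intervals=(2, 3, 5)):
    """Evaluate several candidate intervals side by side."""
    return [evaluate(i) for i in intervals]


if __name__ == "__main__":
    for r in compare():
        print("interval={interval}s unknown={unknown} lookups={lookups} "
              "mean_delay={mean_delay:.2f}s max_delay={max_delay:.2f}s"
              .format(**r))
```

Swap in your own logon and first-traffic samples (from the DC security log and the firewall traffic log for the same address) to see how many of your users actually produce traffic inside the window; the worst case stays at roughly one interval plus the query time, so the interval is bounded by how long an "unknown" user may run under the catch-all policy rather than by log volume.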

Great explanation - thanks.  It's really filled the knowledge gaps I still had after reading the official docs.  I forgot to mention the concern about the effect on the firewall resources overall, so thanks for pointing that out as well.
