What is the maximum number of Domain controller allowed to bind with PaloAlto Firewall

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

What is the maximum number of Domain controller allowed to bind with PaloAlto Firewall

Hi Folks,

      I have this customer, who doesnt have centralsed AD and has 40 domain controller sitting across the network. to provide the zscaler solution, customer wants user-based traffic forwarding, but unfortunately he has pretty much close to 40 domain controller he says. which i came to know after adding his two domain controllers from his head office.. Am wondering, if firewall has any limitation, by the number of domain controller i can add and also if it will create some load issue on management plane or data plane.


another solution, am looking into is to go kerberose SSO with Captive portal. Firewalls average CPU usage on data plane is above 50%, will this be any impact on that as well.  





Cyber Elite
Cyber Elite


Do you have all of the traffic tunneling back to the head office or does the traffic stay local for the most part; essentially do you actually need the firewalls to know about everyone? Essentially what you wouldn't want to do is actually allow a single firewall to query all 40 sites.


What I would personally do, depending on how this infra is actually setup, is have the local firewalls query the local domain controllers for any of the sites. What you can do, if needed, is then configure redistribution within user-id to feed this information back to the head office as needed. 


When you start talking about this many directories we generally want to be having a much more informed conversation about what the actual deployment is going to look like. Each platform has its own limits on the number of user groups and agents that can be active at any time and you'll want to ensure that the devices being selected can handle the number of groups you'll actually be throwing at it; but again this depends heavily on a lot of factors. 

Thanks Mate, Sorry for not checking this platform for so long.


It was too much a headache, I could ask him to use a windows machine and poll all the AD's users to it and we use User-id agent installed in it and then pull the users. But unfortunately even that wouldnt work for him in his situation, as in his environment they use terminal server with the same IP addredd used by multiple users, in that pool while one user is allowed to access internet others are not.

In the end, he agreed to use ZAPP agent on the machine and not use firewall to forward the traffic to Zsclaer could through tunnel.

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!