08-28-2015 11:53 PM - edited 08-28-2015 11:55 PM
Hi,
general recommendation is that for anything more than 1000 users in your network you should offload UserID service from the firewall to the agent installed on the server (do not use agentless for more than 1000 users). Way to offload your existing busy servers is to install separate a server that will be handling only UserID, or a few if one can't handle it gracefully.
Recommendation above is coming from Palo Alto Networks and is based on mp/dp resources, using agent rather than agentless is more graceful both on Windows and firewalls due to difference in how calls are made. It is just not written in manual because your mileage may vary depending on the firewall setup, you might be able to poll considerably more users in some corner cases. CPU will decrease with Agent on the Windows server as well, due to the nature of calls (RPC vs. WMI, as far as I can remember, but that needs to be checked to be sure, and CPU will decrease for sure).
Hope it helps a bit. Regards,
Luciano
