We do have a cache and it has a limit. All excess entries are stored in the text file. If you are a large company with sites in different geographic locations, there is no need to download all groups and all users. For best performance you should identify the groups or IP subnets that need to get identified per site. Will users on the east coast be passing traffic through firewalls on the west coast? If not, this allows you to reduce the number of users and IPs that an agent needs to track. One requirement is that you will need one agent per domain. This is a requirement. But you can also do an agent per site if this makes sense. If you create firewalls that are heavily dependent on user-id, you may want to consider running a second agent for redundancy. If the agent were to fail for some reason, the firewall caches user-id information for one hour. If the agent has not reconnected in that time, all users become "unknown" and will drop through the rule base to something that has no user-id requirement. SKrall