Agentless User-ID Preferred Number of Connected DCs

Agentless User-ID Preferred Number of Connected DCs

Created On 09/26/18 13:48 PM - Last Modified 03/06/21 00:31 AM


  • PAN-OS 8.1 and above.
  • Agentless User-ID configured.



While both the “agentless” and the stand-alone User-ID Agent processes perform the same basic tasks, they use different underlying protocols. This difference makes each one more appropriate for different environments.


The software User-ID Agent uses MS RPC to query the Domain Controller and Exchange Server logs. This method requires the full log to be transferred to the agent where it is then filtered for the required events. The hardware integrated,"agentless", the process uses the WMIC library and only transfers the required log events to the agent process.


As a result, the hardware agent is appropriate for reading remote Domain controllers where the software agent is appropriate for reading local Domain Controllers. The drawbacks to agentless User-ID are the following:

  1. The Agentless User-ID process can be resource-intensive to the management plane (MP). Significant User-ID activity can impact other MP features, such as, reporting, logging, authentication, and dynamic routing.
  2. There is no way to increase the resources for the hardware agent as the User-ID environment grows.
  3. The WMI polling can have a significant impact on the target Domain Controllers resources. This is mostly noticeable on 32 bit low RAM servers.

This technique can allow a significant reduction in the total number of agents required, by allowing the agent process to sit in a central location rather than in multiple remote sites.


The performance of the hardware agent is determined by the firewall model performing the service. The following table shows a rough estimate for the preferred maximum number for each platform. If there are other features running (for example, heavy logging\reporting or log forwarding) that require significant management resources, the number of DCs should be reduced.

PlatformNumber of DCs Supported
PA-4000 Series, PA-2000 Series, PA-50010
PA-3000, PA-5000, PA-3200, PA-5200 and PA-7k Series100


Use of the hardware agent is suggested for the following scenarios:

  • Highly distributed, low-density Domain Controllers
  • Multiple high latency / low bandwidth / heavily subscribed links
  • User ID and multiple VSYS

Note: The information above states the need to reduce the number of connected DCs if the MP is going to be over-utilized. Review the document referenced below for further details.


The following factors should be taken into account when deciding to use agents and/or reduce the # of DCs agentless User-ID is monitoring:

  • How many active users are in the environment?
  • The logging rate for the DCs being monitored for event IDs in question
  • The polling frequency
  • Geographic\Network location of the DCs being monitored
  • Network ranges of interest
  • Will client probing be used or not?


All of these factors can have a big impact on MP performance. Depending on the environment, 100 DCs for one customer can be fine as to where the same amount for another customer can be too much.




Additional Information

Which User-ID agent should I use?
  • Use agentless (PAN-OS)
If you have a small to medium deployment with 10 or fewer Domain controllers or Exchange servers
If you wish to share PAN-OS sourced mappings from AD, Captive portal or Global Protect with other PA devices (max 255 devices)
  • Use User-ID Agent (Windows)
If you have medium to large deployment with more than 10 domain controllers
If you have multi-domain setup with large number of servers to monitor

Note: Can have a combination of the two in a deployment

  • Print
  • Copy Link

Choose Language