Details
While both the “agentless” and the stand-alone User-ID Agent processes perform the same basic tasks, they use different underlying protocols. This difference makes each one more appropriate for different environments.
The software User-ID Agent uses MS RPC to query the Domain Controller and Exchange Server logs. This method requires the full log to be transferred to the agent where it is then filtered for the required events. The hardware integrated,"agentless", the process uses the WMIC library and only transfers the required log events to the agent process.
As a result, the hardware agent is appropriate for reading remote Domain controllers where the software agent is appropriate for reading local Domain Controllers. The drawbacks to agentless User-ID are the following:
- The Agentless User-ID process can be resource-intensive to the management plane (MP). Significant User-ID activity can impact other MP features, such as, reporting, logging, authentication, and dynamic routing.
- There is no way to increase the resources for the hardware agent as the User-ID environment grows.
- The WMI polling can have a significant impact on the target Domain Controllers resources. This is mostly noticeable on 32 bit low RAM servers.
This technique can allow a significant reduction in the total number of agents required, by allowing the agent process to sit in a central location rather than in multiple remote sites.
The performance of the hardware agent is determined by the firewall model performing the service. The following table shows a rough estimate for the preferred maximum number for each platform. If there are other features running (for example, heavy logging\reporting or log forwarding) that require significant management resources, the number of DCs should be reduced.
Platform | Number of DCs Supported |
---|
PA-4000 Series, PA-2000 Series, PA-500 | 10 |
PA-200 | 25 |
PA-3000, PA-5000, PA-3200, PA-5200 and PA-7k Series | 100 |
Use of the hardware agent is suggested for the following scenarios:
- Highly distributed, low-density Domain Controllers
- Multiple high latency / low bandwidth / heavily subscribed links
- User ID and multiple VSYS
Note: The information above states the need to reduce the number of connected DCs if the MP is going to be over-utilized. Review the document referenced below for further details.
The following factors should be taken into account when deciding to use agents and/or reduce the # of DCs agentless User-ID is monitoring:
- How many active users are in the environment?
- The logging rate for the DCs being monitored for event IDs in question
- The polling frequency
- Geographic\Network location of the DCs being monitored
- Network ranges of interest
- Will client probing be used or not?
All of these factors can have a big impact on MP performance. Depending on the environment, 100 DCs for one customer can be fine as to where the same amount for another customer can be too much.