Identity Provider to FMC - Scaling Question

mulatif
Cisco Employee

Hi,

I have a Firepower customer looking for identity integration within Firepower management center. We have been exploring the identity integration with pxGrid but the scale is bringing up questions on deployment options.

  1. The customer has around 250(!) domain controllers, which means around 25 AD-Agents. Do we have any examples on this scale?
  2. Would another option like SPAN or logs be a better approach?
    1. There is an existing Qradar deployment with WMI integration to AD. Can that data be utilized by pxGrid and then fed into FMC? Just checking if this has been seen at any other customer.

Open to other ideas.

Naman

Accepted Solution

Craig Hyps
Level 10

The max limit per ISE / ISE-PIC instance is 100 DCs today. If monitoring of more DCs is required, then deploy multiple ISE/PIC instances. See ISE Performance & Scale.

Remember, it is only needed to get identity from DCs that authenticate users and where policy needs to be applied based on the users logging into that DC. Although not officially QA tested, we have tested internally the use of log event forwarding, which could be used to forward logs from multiple DCs to a single DC for collection.

If the Qradar deployment generates logs for each event, then Syslog could be used to parse user/IP mappings.

Craig

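Craig's last point, that syslog from the DCs (or relayed through the QRadar deployment) can be parsed for user/IP mappings, is the piece a practitioner would prototype first. The Python below is an added example, not Cisco's, ISE-PIC's or the thread's own code. It parses constructed Windows logon events in a simplified key=value syslog layout (an assumption made for this example; real WinCollect or NXLog output differs), keeps an IP-to-user mapping that skips machine accounts, ANONYMOUS LOGON and events with no client address, and counts the distinct DCs seen against the 100-DC-per-instance limit quoted above.

```python
import re
from datetime import datetime
from math import ceil

# Constructed sample input (not real customer data): Windows Security events
# relayed over syslog in a simplified key=value layout. The layout is an
# assumption for this example. 4624 = successful logon, 4768 = Kerberos TGT.
SAMPLE_SYSLOG = """\
<13>Mar 10 10:15:02 DC01 Security: EventID=4624 AccountName=jdoe AccountDomain=CORP LogonType=3 SourceNetworkAddress=10.1.20.15
<13>Mar 10 10:15:03 DC01 Security: EventID=4624 AccountName=DC01$ AccountDomain=CORP LogonType=3 SourceNetworkAddress=10.1.0.5
<13>Mar 10 10:15:09 DC02 Security: EventID=4768 AccountName=asmith AccountDomain=CORP ClientAddress=::ffff:10.1.20.77
<13>Mar 10 10:16:40 DC03 Security: EventID=4624 AccountName=jdoe AccountDomain=CORP LogonType=2 SourceNetworkAddress=-
<13>Mar 10 10:17:00 DC02 Security: EventID=4624 AccountName=ANONYMOUS LOGON AccountDomain=NT AUTHORITY LogonType=3 SourceNetworkAddress=10.1.20.90
<13>Mar 10 10:18:30 DC01 Security: EventID=4624 AccountName=jdoe AccountDomain=CORP LogonType=3 SourceNetworkAddress=10.1.20.16
"""

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host program: body
_HEADER = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s(?P<body>.*)$"
)
# key=value pairs; the lazy value runs until the next " key=" so that values
# containing spaces (e.g. "ANONYMOUS LOGON") survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

MACHINE_SUFFIX = "$"                      # computer accounts end in "$"
NO_ADDRESS = {"", "-", "::1", "127.0.0.1"}  # local/console logons carry no peer IP


def parse_line(line):
    """Return {'ts', 'host', 'fields'} for one syslog line, or None if unparseable."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # BSD syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for ordering events within one capture.
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "host": m.group("host"),
        "fields": dict(_KV.findall(m.group("body"))),
    }


def _client_ip(fields):
    """Pick the peer-address field for the event type and normalise it."""
    eid = fields.get("EventID")
    if eid == "4624":
        ip = fields.get("SourceNetworkAddress", "-")
    elif eid == "4768":
        ip = fields.get("ClientAddress", "-")
    else:
        return None  # other event IDs carry no usable user/IP binding here
    if ip.startswith("::ffff:"):  # Windows logs IPv4 clients as IPv4-mapped IPv6
        ip = ip[len("::ffff:"):]
    return None if ip in NO_ADDRESS else ip


def build_user_ip_map(lines):
    """Map client IP -> {'user', 'seen', 'dc'}; the latest event per IP wins."""
    mapping = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = ev["fields"]
        user = f.get("AccountName", "")
        if not user or user.endswith(MACHINE_SUFFIX) or user.upper() == "ANONYMOUS LOGON":
            continue  # not a person; would only pollute identity policy
        ip = _client_ip(f)
        if ip is None:
            continue
        entry = {"user": f"{f.get('AccountDomain', '')}\\{user}", "seen": ev["ts"], "dc": ev["host"]}
        if ip not in mapping or entry["seen"] >= mapping[ip]["seen"]:
            mapping[ip] = entry
    return mapping


def distinct_dcs(lines):
    """Set of DC hostnames that produced at least one parseable event."""
    return {ev["host"] for ev in map(parse_line, lines) if ev}


def collectors_needed(dc_count, per_instance=100):
    """Number of ISE / ISE-PIC instances for dc_count DCs at the quoted per-instance limit."""
    return ceil(dc_count / per_instance)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for ip, e in sorted(build_user_ip_map(lines).items()):
        print(f"{ip:<14} {e['user']:<14} via {e['dc']} at {e['seen']:%H:%M:%S}")
    dcs = distinct_dcs(lines)
    print(f"{len(dcs)} DCs seen -> {collectors_needed(len(dcs))} collector(s); "
          f"250 DCs -> {collectors_needed(250)} collector(s)")
```

The map is keyed by IP rather than by user because that is what a firewall policy needs: a user who logs on from two workstations legitimately owns two entries, while a second user logging on from the same IP later replaces the first. The 4768 TGT request is worth keeping alongside 4624 because it is the first event a DC sees for a workstation logon and carries the client address even when the resource being accessed is not the DC itself.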