The following table includes limitations associated with the PAN-OS 7.1 release.
If the firewall collects IP address-to-username mappings by monitoring numerous servers at short intervals (
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor > Server Log Monitor Frequency) in networks with high user log-in rates, the best practice is to deploy Windows-based User-ID agents instead of the PAN-OS integrated User-ID agent. Using Windows-based User-ID agents avoids the risk of the firewall running out of memory while querying the servers.
Configure Firewalls to Redistribute User Mapping Information Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly ...