Cloud-delivered Firewall Management Center User Limit

A user is added to the Cloud-delivered Firewall Management Center user database when:

  • The user is downloaded from a realm.

  • A captive portal or RA-VPN user logs in.

  • A user is detected from any identity source (for example, TS Agent).

A Cloud-delivered Firewall Management Center can store a maximum of 600,0000 users in its host database, but we recommend the following:

Number of devices managed by CDO | Recommended number of users

Only authoritative users are available for user control with access control policies.

The Cloud-delivered Firewall Management Center can store 600,000 sessions in its user database.

When the system detects a new, previously undetected user after the limit has been reached, it prioritizes user data based on the user's identity source:

  • If the new user is from a non-authoritative source, the system does not add the non-authoritative user to the database. To allow new users to be added, you must delete users manually or purge the database.

  • If the new user is from an authoritative identity source, the system deletes the non-authoritative user who has remained inactive for the longest period of time and adds the new authoritative user to the database.

    If there are only authoritative users, the system deletes the authoritative user who has remained inactive for the longest period of time and adds the new user to the database.
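
The prioritization rules above can be modeled in a few lines to see which users are dropped or refused once the limit is reached. This is an added illustration, not Cisco code: the class and function names, the limit of 3, the usernames and the integer timestamps are all constructed, and the handling of a repeat sighting (it only refreshes the activity time) is an assumption.

```python
from dataclasses import dataclass

@dataclass
class User:
    authoritative: bool
    last_active: int  # constructed integer clock; larger means more recent

class UserDbModel:
    """Hypothetical model of the documented at-limit behavior (not product code)."""

    def __init__(self, limit):
        self.limit = limit
        self.users = {}  # username -> User

    def detect(self, name, authoritative, now):
        """Return (outcome, evicted_username_or_None)."""
        if name in self.users:
            # Assumption: a repeat sighting only refreshes the activity time.
            self.users[name].last_active = now
            return ("refreshed", None)
        evicted = None
        if len(self.users) >= self.limit:
            if not authoritative:
                # Non-authoritative users are not added once the limit is reached.
                return ("rejected", None)
            # Prefer evicting a non-authoritative user; fall back to authoritative.
            pool = [n for n, u in self.users.items() if not u.authoritative]
            pool = pool or list(self.users)
            evicted = min(pool, key=lambda n: self.users[n].last_active)
            del self.users[evicted]
        self.users[name] = User(authoritative, now)
        return ("added", evicted)

def run_demo():
    """Replay constructed detections against a 3-user limit."""
    db = UserDbModel(limit=3)
    events = [  # (username, authoritative, time), all constructed
        ("alice", True, 1), ("guest1", False, 2), ("guest2", False, 3),
        ("guest3", False, 4),  # limit reached, non-authoritative source
        ("bob", True, 5),      # evicts the longest-inactive non-authoritative user
        ("carol", True, 6), ("dave", True, 7),
    ]
    return [(n, *db.detect(n, a, t)) for n, a, t in events], sorted(db.users)

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

In the replay, alice is the longest-inactive user overall but survives until no non-authoritative users remain, which is why a full database can silently drop an authoritative user from user control.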

Troubleshooting information can be found in Troubleshoot User Control.


Note that if you are using traffic-based detection, you can restrict user logging by protocol to help minimize username clutter and preserve space in the database. For example, you could prevent the system from adding users discovered in AIM, POP3, and IMAP traffic because you know it is traffic from specific contractors or visitors you do not want to monitor.