User limits for Microsoft Active Directory

User limits impact monitoring and login capacity in Secure Firewall Management Center and Secure Firewall Threat Defense models for Microsoft Active Directory realms. These limits include maximum downloaded users and concurrent session limits. User prioritization, session management, and troubleshooting information help manage user database constraints.

About user limits

Your Cloud-Delivered Firewall Management Center model determines how many individual users you can monitor. The user is added to the Cloud-Delivered Firewall Management Center user database when:

  • The user is downloaded from a realm.

  • A captive portal or RA-VPN user logs in.

  • A user is detected from any identity source (for example, TS Agent).

Only authoritative users are available for user control with access control policies.

Note the following:

  • The maximum number of downloaded users depends on your Cloud-Delivered Firewall Management Center model.

  • The maximum number of concurrent user sessions (that is, logins) depends on your managed device model. A single user can have multiple sessions from different unique IP addresses.

    Note

    The system downloads all user sessions to all Firewall Threat Defense devices. If you have devices with different concurrent user session limits, the Firewall Threat Defense with the smallest limit reports health warnings when its memory reaches the configured limit. (For example, if your Cloud-Delivered Firewall Management Center manages a Firepower 2110 and a 4125, the 2110 reports health warnings when the number of concurrent user sessions approaches its maximum of 64,000.)


Maximum Concurrent User Login Limits by Firewall Threat Defense

Firewall Threat Defense Model                                                   Maximum Concurrent User Logins per Realm
-----------------------------------------------------------------------------   ----------------------------------------
Firewall Threat Defense Virtual 5, 10, 20, 30, 50 (any supported hypervisor)    64,000
Secure Firewall 220                                                             10,000 (see note)
Firepower 1010, 1120, 1140, 1150                                                64,000
Secure Firewall 1210, 1220, 1230, 1240, 1250                                    64,000
Firepower 2110, 2120, 2130                                                      64,000
Secure Firewall 3105, 3110, 3120                                                64,000
Firepower 2140                                                                  150,000
Secure Firewall 3130, 3140                                                      150,000
Firepower 4112, 4115, 4125                                                      150,000
Firepower 4145                                                                  300,000
Firepower 9300                                                                  300,000
Secure Firewall 4215                                                            300,000
Secure Firewall 4225, 4245, 4250                                                315,000
Secure Firewall 6160, 6170                                                      315,000

Note

The Secure Firewall 200 series can download a cumulative total of 10,000 user IPs, SXP/SGT mappings, endpoint profiles, and dynamic objects. After a total of 10,000 have been downloaded, the Secure Firewall 200 stops downloading any objects until some previously downloaded objects have been removed. (For example, if users log out, the memory is free for other objects.)

User limits are applied per Microsoft Active Directory realm. That is, if you attempt to download more than the maximum users in a single realm, the download stops after that many users and a health alert is displayed. If, however, you attempt to download more than the maximum number of users spread across different realms, the download succeeds (unless any one realm has more than 150,000 users, in which case the download fails for that realm).

Maximum Downloaded Users by Cloud-Delivered Firewall Management Center Model

Cloud-Delivered Firewall Management Center Model                     Maximum Downloaded Users
-----------------------------------------------------------------    ------------------------
Firewall Management Center Virtual (any supported hypervisor)        50,000
Firewall Management Center Virtual 300 (any supported hypervisor)    150,000
Cloud-Delivered Firewall Management Center                           600,000

When the system detects a new, previously-undetected user after the limit has been reached, it prioritizes user data based on their identity source:

  • If the new user is from a non-authoritative source, the system does not add the non-authoritative user to the database. To allow new users to be added, you must delete users manually or purge the database.

  • If the new user is from an authoritative identity source, the system deletes the non-authoritative user who has remained inactive for the longest period and adds the new authoritative user to the database.

    If there are only authoritative users, the system deletes the authoritative user who has remained inactive for the longest period of time and adds the new user to the database.
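The prioritization rules above, modelled as a small capacity-limited user database. This is an added example written for this page, not Cisco code; the class names, the integer activity counter standing in for a last-seen timestamp, and the tiny limit of 3 are constructed so that every rule (reject non-authoritative, evict longest-inactive non-authoritative, then fall back to longest-inactive authoritative) is exercised.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class UserRecord:
    name: str
    authoritative: bool
    last_active: int  # constructed counter standing in for a last-seen timestamp

class UserDatabase:
    """Constructed model of the documented prioritization rules (not Cisco code)."""

    def __init__(self, max_users: int) -> None:
        self.max_users = max_users
        self.users: Dict[str, UserRecord] = {}

    def _evict_longest_inactive(self, authoritative: bool) -> Optional[str]:
        # Among users of the given kind, remove the one that has been idle the longest.
        candidates = [u for u in self.users.values() if u.authoritative == authoritative]
        if not candidates:
            return None
        victim = min(candidates, key=lambda u: u.last_active)
        del self.users[victim.name]
        return victim.name

    def add_user(self, name: str, authoritative: bool, now: int) -> Tuple[str, Optional[str]]:
        """Return (outcome, evicted_user) for a user seen at time `now`."""
        if name in self.users:                      # already known: only refresh activity
            self.users[name].last_active = now
            return "refreshed", None
        if len(self.users) < self.max_users:        # below the model's limit: plain insert
            self.users[name] = UserRecord(name, authoritative, now)
            return "added", None
        if not authoritative:                       # at limit: non-authoritative user is not added
            return "dropped", None                  # operator must delete users or purge the database
        # At limit and authoritative: evict the longest-inactive non-authoritative user,
        # falling back to the longest-inactive authoritative user if none is left.
        evicted = self._evict_longest_inactive(authoritative=False)
        if evicted is None:
            evicted = self._evict_longest_inactive(authoritative=True)
        self.users[name] = UserRecord(name, authoritative, now)
        return "added", evicted

def run_demo() -> List[Tuple[str, Optional[str]]]:
    # Constructed event sequence against a limit of 3 so each branch is hit.
    db = UserDatabase(max_users=3)
    events = [("alice", True), ("bob", False), ("carol", False), ("dave", False),
              ("erin", True), ("frank", True), ("grace", True)]
    return [db.add_user(name, auth, now) for now, (name, auth) in enumerate(events, start=1)]
```

Running `run_demo()` shows dave (non-authoritative, limit reached) being dropped, while the authoritative users erin and frank displace bob and carol, and grace finally displaces alice once only authoritative users remain.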

Troubleshooting information can be found in Troubleshoot user control.

Tip

Note that if you are using traffic-based detection, you can restrict user logging by protocol to help minimize username clutter and preserve space in the database. For example, you could prevent the system from adding users discovered in AIM, POP3, and IMAP traffic because you know it is traffic from specific contractors or visitors you do not want to monitor.