topic Re: UaService (PA User Agent) consuming 50% of bandwith capacity in General Topics

UaService (PA User Agent) consuming 50% of bandwith capacity

moorken — Tue, 13 Nov 2012 15:37:13 GMT

we have since a couple of weeks detected an issue with our network bandwith which looked to be caused by domain controllers. if we looked further into detail the domaincontrollers were replicating CIFS at a speed of approx 200kbs/400kbs (which is about 50% of our 2Mbit lines which we have between our plants). Notice that we have the next setup:

each of our factories is equiped with 2 stand-alone domain controllers + 1 virtual domain controller in our central datacenter (most plants have a 2Mbit connection to our central datacenter). and the PA user agent in our central datacenter looks to be constantly replicating data with the PA user agents (or DC's) in our remote plants.

if i take a closer look with Process Monitor, the UAService.exe is constantly "reading" data from \\<serverip>\PIPE\EVENTVIEWER which looks to cause the massive traffic on our network. at the moment between 30% and 50% of our total WAN network capacity looks to be "eaten" by the PA user agent.

is there anything we can change in the configuration to redruce this traffic? below you can see a part of the user agent XML file which contains the timeouts and session details:

<server-monitor security-log-enabled="1" security-log-interval="3" session-enabled="0" session-interval="10" edir-interval="30" />

<listening-port>5007</listening-port>

<xml-api enabled="0" xml-api-port="5006" />

<ip-cache enabled="1" />

Re: UaService (PA User Agent) consuming 50% of bandwith capacity

moorken — Wed, 14 Nov 2012 07:35:26 GMT

found a topic with the same issue: https://live.paloaltonetworks.com/message/15709

however i'm still wondering what the best setup in our case would be. Do we need to keep the PA user agents at the remote sites and disable one of the 2 agents, or will the best solution be to only keep the user agent in our central data center and let it communicate with the domaincontrollers in the remote site?

Re: UaService (PA User Agent) consuming 50% of bandwith capacity

mikand — Wed, 14 Nov 2012 08:54:44 GMT

Amount of bandwidth needed depends on how many clients you have, how active they are and how much bandwidth you can spare on your WAN.

The PAN-agent is tailing the security log of the DC's its configured to follow which with many users doing all sorts of thing in your network will be chatty.

So in your case if WAN is an issue you should install PAN-agent on a dedicated server sitting in the same switch as your remote DC, or even better - install the PAN-agent straight on the DC itself.

Then when you configure it you configure it to only tail the security log from localhost (the DC server PAN-agent is installed on) and as an optimization limit client ip's to the ranges which this DC will handle (depending on how your DC structure is setup - DC as in Domain Controller in this case).

For better hitrate you can configure PAN-agent to query clients using WMI (will use just slightly more bandwidth but should be far less than tailing security logs over the network).

Then in your PA you configure your PA to query each PAN-agent which should be far less traffic than before (because PA caches the results and the stuff the PAN-agent sends to PA is just user/ip mappings).

Re: UaService (PA User Agent) consuming 50% of bandwith capacity

licenselu — Wed, 14 Nov 2012 09:10:58 GMT

Hello,

You should probably start to increase the timer "security-log-interval" with a higher value. 30 seconds or more...

That's the interval PAN-agent is tailing the security log of the DC.

Regards,

Re: UaService (PA User Agent) consuming 50% of bandwith capacity

moorken — Wed, 14 Nov 2012 09:43:16 GMT

thanks both, we have switched off both the virtual DC and one of the 2 local DCs and this seems to have decreased the traffic in one direction by almost 100% and in the other direction by 75%! We have been thinking over reducing the security-log-internal already but weren't sure yet about how far we could go before this would result in issues.

Re: UaService (PA User Agent) consuming 50% of bandwith capacity

mikand — Wed, 14 Nov 2012 09:48:46 GMT

I dont think that should matter that much bandwidth wise.

Unless the PAN-agent copy the whole security log each time.

Hopefully it can use some kind of pointer regarding from which row or time it want to read the log which would give that either you download (as example) 1 megabyte each minute or 16.7 kbyte (1/60) each second (if we compare setting this value to read each 60 seconds vs each 1 second).