topic User-ID-Agent Traffic in General Topics

User-ID-Agent Traffic

rrau — Mon, 24 Sep 2012 16:29:28 GMT

We have user-id-agents on ou core DC's and all our local DC's (across the WAN). We receive reports with high SMB traffic polling from the core DC -> local DC. Anyway to eliminate or reduce?

Re: User-ID-Agent Traffic

UhMayYeah — Tue, 25 Sep 2012 03:21:21 GMT

Check the following settings on the User-ID Agents.

Enable WMI and Disable netbios lookups (Recommended) .

File>Debug : Set the Debug level to None (Debugging could be set if needed).

Ref :https://live.paloaltonetworks.com/message/15354#15354

-Ameya

Re: User-ID-Agent Traffic

rrau — Tue, 13 Nov 2012 15:51:04 GMT

Hello Ameya, I have applied the recommended settings with no change in the high traffic reports. Anything else that could be affecting this?

Re: User-ID-Agent Traffic

shasnain — Tue, 13 Nov 2012 16:28:48 GMT

Hi,

Please make sure customer local agent is only doing a user to ip mapping for its local DC subnet. It should not be doing a mapping of the remote DC subnet.

So if your agent is reading secuirty logs from one DC only and you have muliple agents reading secuity logs from multiple DC, then you configure those agent on the pan and the PAN would read the user to ip mapping from all the agents.

Please do keep in mind that Communication between the DC and the Agent over the WAN is a bit chatty. Thats why make sure local agent only doing user to ip mapping for its local DC subnet and not be doing a mapping of the remote DC subnet.

Thanks,

Syed Hasnain

Re: User-ID-Agent Traffic

rrau — Tue, 13 Nov 2012 21:12:14 GMT

where is this setting? we only have user-id agent on the core DC's

Re: User-ID-Agent Traffic

rrau — Wed, 21 Nov 2012 14:18:07 GMT

Syed, could you please tell me where I would apply that setting?

Re: User-ID-Agent Traffic

mikand — Thu, 22 Nov 2012 09:34:43 GMT

How does your settings look like?

If you run pan-agent directly on the Domain Controller servers I think you can set 127.0.0.1 as Domain Controller Address.

Then you limit in Allow List (and if needed in Ignore List aswell) which ip ranges your clients uses.

So if this particular DC only handles for example 10.0.1.0/24 then add this as Allow List.

One tricky part if your AD is distributed (regarding allow/ignore list) is if the local DC's dont answer to the client request any other DC can verify and log the ip<->user in its security log.

This gives if you have a 1:1 relation between PAN-agent and DC server (either dedicated machine or runned directly on the DC server) you will have less chat on the network (and if segmented (the local DC's refuse to answer login attempts from remote user of another site) the WMI chat straight to the clients will be less over WAN aswell).