topic Re: Pan-agent settings over the WAN in General Topics

Pan-agent settings over the WAN

rds — Mon, 06 Aug 2012 15:48:38 GMT

We are having some issues with our remote sites as they browse the internet through the central site however they authenticate to Domain Controllers locally in the remote sites.

When we enter the remote site DC's in the pan-agent (which resides in the central site) the traffic generated by the agent when pulling the security event logs kills the 10Mbps WAN link.

Are there any recommended settings we can tweak which would minimize this traffic or is there a bandwidth limit we can set somewhere?

We are currently running pan-agent 3.1.2.

Re: Pan-agent settings over the WAN

Retired Member — Mon, 06 Aug 2012 20:23:36 GMT

Our solution was to install a pan-agent at each remote site. The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC. The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.

Re: Pan-agent settings over the WAN

rmonvon — Tue, 07 Aug 2012 04:09:25 GMT

abelgard is correct and the agent will need to read all the events in the security log to detect the logon/logoff events. As a example, if your DC is generating 100MB log/hour then the agent will retrieve 100MB per hour. You can deploy an agent closer to the DC as suggested. The agent can also read the security log of exchange server(s) and typically, exchange server(s) are centrally located. If remote users are logging into your exchange server(s) and your exchange server(s) are centrally located, this is another option to consider.

Thanks.

Re: Pan-agent settings over the WAN

rds — Tue, 07 Aug 2012 08:14:00 GMT

Hi guys,

Thanks for the responses. Please correct me if I'm wrong but the PA only references one agent as the active agent for a domain.

So if it references an agent in the central site, which doesn't list all the DC's how does the agent at the remote site help in this situation?

Re: Pan-agent settings over the WAN

rmonvon — Tue, 07 Aug 2012 14:32:28 GMT

Each PA can support up to 100 agents. See this posting:

Re: Pan-agent settings over the WAN

rds — Tue, 07 Aug 2012 16:19:56 GMT

It can support 100 agents but..

"only one agent per domain actually connects to the firewall at a time.

In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redunancy in case one of the agents goes down."

Does it mean that if our PA is connected to one pan-agent it will still recognise the users authenticating to a DC that is referenced on one of the backup agents?

Re: Pan-agent settings over the WAN

rmonvon — Tue, 07 Aug 2012 16:41:54 GMT

Further down that post, there is a correction and you can have multiple agents connected at the same time. You can have agent1 monitoring DC1 in the core, agent2 monitoring DC2 at remote site A, agent3 monitoring DC3 at remote site B, and so on. Thanks.

"• Each UIA can connect to up to 100 Domain Controllers

• Each firewall can support up to 100 UIA’s

• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.

Re: Pan-agent settings over the WAN

rds — Wed, 08 Aug 2012 08:20:27 GMT

Ok so this would require us to be running UIA 4.1.x. Does this also mean we need to be running PANOS 4.1.x? We are currently running 4.0.11.

Re: Pan-agent settings over the WAN

rmonvon — Wed, 08 Aug 2012 18:21:46 GMT

It is supported for PAN-S 4.0 as well. You don't have to upgrade to 4.1. The UIA should be the same 4.x release train to match the 4.x of your PA devices. Thanks.

Re: Pan-agent settings over the WAN

rds — Thu, 09 Aug 2012 11:22:07 GMT

There doesn't seem to be a 4.0.x UIA agent? It goes from 3.1.2 -> 4.1.0?

Re: Pan-agent settings over the WAN

rmonvon — Thu, 09 Aug 2012 12:31:18 GMT

Please use the 3.1.2-AD agent as it is forward compatible. Thanks.

Re: Pan-agent settings over the WAN

rds — Thu, 09 Aug 2012 15:00:12 GMT

Hi rmonvon, thanks for your help.

We are currently running PANOS 4.0.11 and UIA 3.1.2. I see all the pan-agents are connected and the primary one is only for retrieving group membership.

So the ip-user mappings are still picked up from all pan-agents.

I've done some testing in our lab and it seems to work.

Thanks again for your help.

Re: Pan-agent settings over the WAN

mikand — Mon, 20 Aug 2012 22:21:31 GMT

What about deploying it straight at each DC and in the configuration set it to only read security log from localhost?

This way the only traffic is the one between PA and each DC/Pan-agent server (which would be very little compared to when the security logs is being tailed over the network between pan-agent and each DC its set to monitor).