Pan-agent settings over the WAN

rds
L2 Linker

Pan-agent settings over the WAN

We are having some issues with our remote sites as they browse the internet through the central site however they authenticate to Domain Controllers locally in the remote sites.

When we enter the remote site DCs in the pan-agent (which resides in the central site), the traffic generated by the agent when pulling the security event logs kills the 10Mbps WAN link.

Are there any recommended settings we can tweak which would minimize this traffic or is there a bandwidth limit we can set somewhere?

We are currently running pan-agent 3.1.2.

L1 Bithead

Re: Pan-agent settings over the WAN

Our solution was to install a pan-agent at each remote site.  The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC.  The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.

L6 Presenter

Re: Pan-agent settings over the WAN

abelgard is correct and the agent will need to read all the events in the security log to detect the logon/logoff events.  As an example, if your DC is generating 100MB of log per hour then the agent will retrieve 100MB per hour.  You can deploy an agent closer to the DC as suggested.  The agent can also read the security log of Exchange server(s) and typically, Exchange server(s) are centrally located.  If remote users are logging into your Exchange server(s) and your Exchange server(s) are centrally located, this is another option to consider.

Thanks.
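The replies above make the sizing rule explicit: the agent pulls every Security-log event from each DC it monitors, so the WAN load is the DC's log growth rate, not the number of logon events. The script below is an added example (not from this thread or from Palo Alto Networks) for measuring that rate on a DC before deciding where to place an agent. It assumes PowerShell 3 or later with Get-WinEvent available, and the 10 Mbps link figure is a constructed default taken from the original question; the average bytes-per-event is approximated from the log file's size divided by its record count.

```powershell
# Added example, not from the thread: estimate the Security-log volume a
# User-ID agent would have to read from this DC per hour, and what share of a
# WAN link that represents. Run it on the DC in an elevated PowerShell session.
# Assumptions: Get-WinEvent is available (PowerShell 3+); the agent reads the
# whole log, as the replies above state; $LinkMbps is a constructed figure.
param(
    [int]$HoursBack = 1,        # measurement window in hours
    [double]$LinkMbps = 10      # WAN link size to compare against (constructed default)
)

# Log-level facts: file size and record count give an approximate bytes-per-event.
$log = Get-WinEvent -ListLog Security
$avgBytesPerEvent = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }

# Count every event written in the window. Logon-related IDs (4624 logon,
# 4634 logoff, 4768/4769 Kerberos ticket requests) are what User-ID is
# interested in, but the agent still has to read all events, so the total
# count drives the bandwidth estimate. Note: on a busy DC this query can take
# a while; shorten $HoursBack if needed.
$since = (Get-Date).AddHours(-$HoursBack)
$all   = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue)
$logon = @($all | Where-Object { $_.Id -in 4624, 4634, 4768, 4769 })

# Convert events/hour into an average sustained bit rate over the hour.
$bytesPerHour = $all.Count * $avgBytesPerEvent / $HoursBack
$avgKbps      = $bytesPerHour * 8 / 3600 / 1000
$linkShare    = if ($LinkMbps -gt 0) { $avgKbps / ($LinkMbps * 1000) * 100 } else { 0 }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WindowHours        = $HoursBack
    EventsPerHour      = [math]::Round($all.Count / $HoursBack)
    LogonEventsPerHour = [math]::Round($logon.Count / $HoursBack)
    AvgBytesPerEvent   = [math]::Round($avgBytesPerEvent)
    MBPerHour          = [math]::Round($bytesPerHour / 1MB, 2)
    AvgKbps            = [math]::Round($avgKbps, 1)
    PercentOfLink      = [math]::Round($linkShare, 1)
}
```

The average rate understates the problem: the agent reads in bursts rather than as a smooth stream, so a DC whose log grows at, say, 10% of the link's average capacity can still saturate it while the agent catches up. If MBPerHour on a remote DC is a meaningful fraction of the link, the replies' advice of placing an agent at that site (so only the username-to-IP results cross the WAN) is the fix; the measurement also gives you a baseline to compare against later if WAN utilisation changes unexpectedly.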

rds
L2 Linker

Re: Pan-agent settings over the WAN

Hi guys,

Thanks for the responses. Please correct me if I'm wrong but the PA only references one agent as the active agent for a domain.

So if it references an agent in the central site, which doesn't list all the DCs, how does the agent at the remote site help in this situation?

L6 Presenter

Re: Pan-agent settings over the WAN

Each PA can support up to 100 agents.  See this posting: 

rds
L2 Linker

Re: Pan-agent settings over the WAN

It can support 100 agents but...

"only one agent per domain actually connects to the firewall at a time.

In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redundancy in case one of the agents goes down."

Does it mean that if our PA is connected to one pan-agent it will still recognise the users authenticating to a DC that is referenced on one of the backup agents?

L6 Presenter

Re: Pan-agent settings over the WAN

Further down that post, there is a correction and you can have multiple agents connected at the same time.  You can have agent1 monitoring DC1 in the core, agent2 monitoring DC2 at remote site A, agent3 monitoring DC3 at remote site B, and so on.  Thanks.

"• Each UIA can connect to up to 100 Domain Controllers

• Each firewall can support up to 100 UIAs

• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.

rds
L2 Linker

Re: Pan-agent settings over the WAN

OK, so this would require us to be running UIA 4.1.x. Does this also mean we need to be running PAN-OS 4.1.x? We are currently running 4.0.11.

L6 Presenter

Re: Pan-agent settings over the WAN

It is supported for PAN-OS 4.0 as well.  You don't have to upgrade to 4.1.  The UIA should be the same 4.x release train to match the 4.x of your PA devices.  Thanks.

rds
L2 Linker

Re: Pan-agent settings over the WAN

There doesn't seem to be a 4.0.x UIA agent? It goes from 3.1.2 -> 4.1.0?

[Attached screenshot: UIA.jpg]
