Pan-agent settings over the WAN


L2 Linker

We are having some issues with our remote sites: they browse the internet through the central site, however they authenticate to Domain Controllers locally in the remote sites.

When we enter the remote site DCs in the pan-agent (which resides in the central site), the traffic generated by the agent when pulling the security event logs kills the 10Mbps WAN link.

Are there any recommended settings we can tweak which would minimize this traffic or is there a bandwidth limit we can set somewhere?

We are currently running pan-agent 3.1.2.

1 accepted solution

Accepted Solutions

L1 Bithead

Our solution was to install a pan-agent at each remote site.  The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC.  The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.

L6 Presenter

abelgard is correct, and the agent will need to read all the events in the security log to detect the logon/logoff events.  As an example, if your DC is generating 100MB of log per hour, then the agent will retrieve 100MB per hour.  You can deploy an agent closer to the DC as suggested.  The agent can also read the security log of Exchange server(s), and typically Exchange server(s) are centrally located.  If remote users are logging into your Exchange server(s) and your Exchange server(s) are centrally located, this is another option to consider.

Thanks.
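A check that fits this answer, added here as an example (it is not from the thread and is not Palo Alto's tooling): a PowerShell script run on, or against, a DC that measures how much Security-log volume was written in the last hour, what fraction of it is logon/logoff events, and what share of a 10 Mbps link that volume would take if a central agent pulled it over the WAN. The event IDs 4624/4634 (Windows Server 2008+ logon/logoff), the one-hour window and the link speed are assumptions and can be changed via the parameters.

```powershell
# Added example, not from the thread or from Palo Alto Networks.
# Estimates the Security-log volume a remote User-ID agent would have to pull
# from this DC, and compares it with a WAN link of the given size.
# Assumptions: Windows Server 2008+ event IDs (4624 = logon, 4634 = logoff);
# the window length and the link speed are illustrative parameters.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to inspect (local by default)
    [int]$WindowHours     = 1,                   # measurement window (assumed 1 h)
    [double]$WanMbps      = 10                   # WAN link size from the question
)

$since = (Get-Date).AddHours(-$WindowHours)

# Log metadata: on-disk size divided by record count gives an average bytes-per-record figure.
$log = Get-WinEvent -ListLog Security -ComputerName $ComputerName
$avgBytesPerRecord = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }

# Every Security event written in the window: this is what an agent that tails the whole log reads.
# -ErrorAction SilentlyContinue because "No events were found" is raised as an error.
# On a very busy DC shorten $WindowHours; Get-WinEvent loads the matching records into memory.
$all = Get-WinEvent -ComputerName $ComputerName `
    -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue
$allCount = @($all).Count

# Logon/logoff events are the subset the agent actually needs for IP-to-user mapping.
$logon = Get-WinEvent -ComputerName $ComputerName `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } -ErrorAction SilentlyContinue
$logonCount = @($logon).Count

# Projected volume pulled per hour, and the average bit rate it would need over the link.
$bytesInWindow = $allCount * $avgBytesPerRecord
$mbPerHour     = $bytesInWindow / 1MB / $WindowHours
$avgKbps       = ($bytesInWindow * 8) / ($WindowHours * 3600) / 1000
$pctOfLink     = if ($WanMbps -gt 0) { $avgKbps / ($WanMbps * 1000) * 100 } else { 0 }

[pscustomobject]@{
    DomainController     = $ComputerName
    WindowHours          = $WindowHours
    SecurityEvents       = $allCount
    LogonLogoffEvents    = $logonCount
    LogonShareOfEvents   = if ($allCount -gt 0) { [math]::Round($logonCount / $allCount * 100, 1) } else { 0 }
    AvgBytesPerRecord    = [math]::Round($avgBytesPerRecord)
    ProjectedMBPerHour   = [math]::Round($mbPerHour, 1)
    AverageKbpsOverWan   = [math]::Round($avgKbps, 1)
    PercentOfWanLink     = [math]::Round($pctOfLink, 1)
    LogMaxSizeMB         = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode              = $log.LogMode
}
```

The numbers the script reports are the steady-state average; the agent's actual reads are bursty, and a small LogonShareOfEvents value shows how much of the transferred log is overhead the agent has to pull just to find the few records it keeps, which is the argument for placing the agent next to the DC rather than across the link.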

Hi guys,

Thanks for the responses. Please correct me if I'm wrong but the PA only references one agent as the active agent for a domain.

So if it references an agent in the central site, which doesn't list all the DCs, how does the agent at the remote site help in this situation?

Each PA can support up to 100 agents.  See this posting: 

It can support 100 agents, but...

"only one agent per domain actually connects to the firewall at a time.

In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redundancy in case one of the agents goes down."

Does it mean that if our PA is connected to one pan-agent it will still recognise the users authenticating to a DC that is referenced on one of the backup agents?

Further down that post, there is a correction and you can have multiple agents connected at the same time.  You can have agent1 monitoring DC1 in the core, agent2 monitoring DC2 at remote site A, agent3 monitoring DC3 at remote site B, and so on.  Thanks.

"• Each UIA can connect to up to 100 Domain Controllers

• Each firewall can support up to 100 UIA’s

• Limit of 100 entries each in the Allow and Ignore list on the UIA"

In summary, it looks like we can have 100 agents connected.

Ok so this would require us to be running UIA 4.1.x. Does this also mean we need to be running PANOS 4.1.x? We are currently running 4.0.11.

It is supported for PAN-OS 4.0 as well.  You don't have to upgrade to 4.1.  The UIA should be the same 4.x release train to match the 4.x of your PA devices.  Thanks.

There doesn't seem to be a 4.0.x UIA agent? It goes from 3.1.2 -> 4.1.0?

[Attached image: UIA.jpg]

Please use the 3.1.2-AD agent as it is forward compatible.  Thanks.

Hi rmonvon, thanks for your help.

We are currently running PANOS 4.0.11 and UIA 3.1.2. I see all the pan-agents are connected and the primary one is only for retrieving group membership.

So the IP-user mappings are still picked up from all pan-agents.

I've done some testing in our lab and it seems to work.

Thanks again for your help.

What about deploying it straight at each DC and, in the configuration, setting it to only read the security log from localhost?

This way the only traffic is the one between the PA and each DC/pan-agent server (which would be very little compared to when the security log is being tailed over the network between the pan-agent and each DC it's set to monitor).
