This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

connect-server-monitor-failure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

connect-server-monitor-failure

MikeC
L3 Networker

‎01-09-2019 05:41 PM

Has anyone experienced numerous of these "connect-server-monitor-failure" alerts when using agentless user ID?

 

I have 20+ firewalls using a few specific domain controllers to get user ID info, but these alerts are constantly, 100's an hour.

 

It seems to be related to WMI memory error, but I've already increased the wmi memory, described in this article

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltXCAS

 

DCs are Win2k8 R2

 

0 Likes Likes
7 REPLIES 7

reaper
Cyber Elite
Cyber Elite

‎01-10-2019 05:42 AM

If you have so many firewalls polling only a handful AD servers, it's probably better to install agents on the AD (or one or more servers near the AD) and have the firewalls poll the agents instead, this will dramatically cut down on all the WMI probes you'll need to do

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

MikeC
L3 Networker
In response to reaper

‎01-10-2019 08:40 AM

I agree, but I don't find 20 firewalls to be a lot.  Is this too much for agentless user-ID?

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to MikeC

‎01-10-2019 09:14 AM

You'd need to investigate logs on your ADs to make sure but it sounds like some of the WMI arentimjngnout which could be a sign that the AD are not keeping up with the amount of requests coming from the firewalls

If the volume is unusually high you could also look into why this is: maybe a zone that does not have mapped IPs does have user-id enabled which will trigger a query for each unidentified IP (user-id only needs to be enabled on the 'source' zone of the identified users)
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

MikeC
L3 Networker
In response to reaper

‎01-10-2019 09:45 AM

@reaper wrote:
You'd need to investigate logs on your ADs to make sure but it sounds like some of the WMI arentimjngnout which could be a sign that the AD are not keeping up with the amount of requests coming from the firewalls

If the volume is unusually high you could also look into why this is: maybe a zone that does not have mapped IPs does have user-id enabled which will trigger a query for each unidentified IP (user-id only needs to be enabled on the 'source' zone of the identified users)

 

I think you may be on to something here, even though I keep being told no.  There is only 1 Trust zone on most of the firewalls, but there a few subnets where a user will never map. I think it can benefit from those subnets being excluded

reaper
Cyber Elite
Cyber Elite
In response to MikeC

‎01-10-2019 11:05 AM

That sounds like the perfect place to start!
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

codyweber54
L0 Member
In response to MikeC

‎08-05-2019 11:37 AM

I know this is a fairly old thread but curious if your investigation turned up any findings with regard to this zone enablement issue? We're having a similar issue and looking for solutions.

0 Likes Likes

MikeC
L3 Networker
In response to codyweber54

‎08-05-2019 11:43 AM

@codyweber54 I decided to use the Windows User-ID agent instead.  No more issues, since switching to that

0 Likes Likes
  • 12149 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks