Error message in System logs

Reply
Highlighted
L4 Transporter

Error message in System logs

We have a PA that is displaying this message every 60 seconds for some reason.
 
"highopaque: DO NOT CHOOSE WMI in ADGMEL03 FOR YOUR USE CASE IF SEE THIS LOG AGAIN"
 
What is it indicating and how to turn it off?

Accepted Solutions
Highlighted
L1 Bithead

Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.

 

"Making some research I found the same issue on a different case:

The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.

Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.

This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."

 

My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"

 

 

View solution in original post


All Replies
L1 Bithead

I have a 5250 that yesterday was upgraded from 9.0.3-h3 to 9.0.9-h1. Right after the upgrade I started getting the same messages. Multiple times a minute. Out of curiosity, did you upgrade your code recently? I will be opening a case with support today.

 

DO NOT CHOOSE WMI in (server name) FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN 60 SECONDS

Highlighted
Cyber Elite

Good Morning.

 

Are you doing anything with UserID within your environment.

 

Can you look at the UserID agent (local on FW, or on a Windows server) and find the tab called Probing.

Ensure that there is NO probing enabled for either UserID agent.

 

I think this could be the issue (I do not have the issue, just trying to offer how to perhaps disable it)

Help the community: Like helpful comments and mark solutions
Highlighted
L1 Bithead

Here is a screen shot of the USER-ID Agent Setup on the FW. Probing is not enabled. These settings are the same after the upgrade as they were before the upgrade. No errors before the upgrade. I also have individual servers listed in the server monitoring section. I have 6 servers listed but only 4 of them are included in the errors I see. Not sure that screen shot is useful with by blackouts but I did include it.

 

User-ID Agent.png

Server Monitoring.png

Highlighted
L1 Bithead

Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.

 

"Making some research I found the same issue on a different case:

The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.

Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.

This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."

 

My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"

 

 

View solution in original post

Highlighted
Cyber Elite

@David_Mcmasters 

 

Thanks for updating us what PA says.

 

MP
Highlighted
L1 Bithead

The last response I got is below. Nothing can be done until the fix in 9.0.12 which is slated for December 2020. Hope this information is useful.

 

"You right and that is an excellent question.

If engineering is saying that that there is a delay receiving security logs from the windows server when using wmi as transport protocol, I am only seeing the option that those other 2 AD's are not having that delay. In case there is no impact in user based policy you can safely ignored this alert and wait for the fix version on which this alert will be different. I understand the confusion here since the alert is not clear at all, but the background is pretty much that delay of receiving security logs from the Windows Server when using wmi as the transport protocol. Feel free to asked me any other question, it will be a pleasure."

Highlighted
L4 Transporter

@David_Mcmasters 

 

Thank you so much!

This helped a lot. We have removed polling to the host which stopped the alerts.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!