Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Error message in System logs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Error message in System logs

L4 Transporter
We have a PA that is displaying this message every 60 seconds for some reason.
 
"highopaque: DO NOT CHOOSE WMI in ADGMEL03 FOR YOUR USE CASE IF SEE THIS LOG AGAIN"
 
What is it indicating and how to turn it off?
1 accepted solution

Accepted Solutions

Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.

 

"Making some research I found the same issue on a different case:

The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.

Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.

This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."

 

My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"

 

 

View solution in original post

7 REPLIES 7

L1 Bithead

I have a 5250 that yesterday was upgraded from 9.0.3-h3 to 9.0.9-h1. Right after the upgrade I started getting the same messages. Multiple times a minute. Out of curiosity, did you upgrade your code recently? I will be opening a case with support today.

 

DO NOT CHOOSE WMI in (server name) FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN 60 SECONDS

Good Morning.

 

Are you doing anything with UserID within your environment.

 

Can you look at the UserID agent (local on FW, or on a Windows server) and find the tab called Probing.

Ensure that there is NO probing enabled for either UserID agent.

 

I think this could be the issue (I do not have the issue, just trying to offer how to perhaps disable it)

Help the community: Like helpful comments and mark solutions

Here is a screen shot of the USER-ID Agent Setup on the FW. Probing is not enabled. These settings are the same after the upgrade as they were before the upgrade. No errors before the upgrade. I also have individual servers listed in the server monitoring section. I have 6 servers listed but only 4 of them are included in the errors I see. Not sure that screen shot is useful with by blackouts but I did include it.

 

User-ID Agent.png

Server Monitoring.png

Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.

 

"Making some research I found the same issue on a different case:

The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.

Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.

This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."

 

My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"

 

 

@David_Mcmasters 

 

Thanks for updating us what PA says.

 

MP

Help the community: Like helpful comments and mark solutions.

The last response I got is below. Nothing can be done until the fix in 9.0.12 which is slated for December 2020. Hope this information is useful.

 

"You right and that is an excellent question.

If engineering is saying that that there is a delay receiving security logs from the windows server when using wmi as transport protocol, I am only seeing the option that those other 2 AD's are not having that delay. In case there is no impact in user based policy you can safely ignored this alert and wait for the fix version on which this alert will be different. I understand the confusion here since the alert is not clear at all, but the background is pretty much that delay of receiving security logs from the Windows Server when using wmi as the transport protocol. Feel free to asked me any other question, it will be a pleasure."

@David_Mcmasters 

 

Thank you so much!

This helped a lot. We have removed polling to the host which stopped the alerts.

  • 1 accepted solution
  • 7225 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!