Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-13-2020 10:25 PM
07-14-2020 08:21 AM
Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.
"Making some research I found the same issue on a different case:
The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.
Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.
This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."
My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"
07-14-2020 05:50 AM - edited 07-14-2020 05:51 AM
I have a 5250 that yesterday was upgraded from 9.0.3-h3 to 9.0.9-h1. Right after the upgrade I started getting the same messages. Multiple times a minute. Out of curiosity, did you upgrade your code recently? I will be opening a case with support today.
DO NOT CHOOSE WMI in (server name) FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN 60 SECONDS
07-14-2020 06:51 AM
Good Morning.
Are you doing anything with UserID within your environment.
Can you look at the UserID agent (local on FW, or on a Windows server) and find the tab called Probing.
Ensure that there is NO probing enabled for either UserID agent.
I think this could be the issue (I do not have the issue, just trying to offer how to perhaps disable it)
07-14-2020 07:06 AM - edited 07-14-2020 07:09 AM
Here is a screen shot of the USER-ID Agent Setup on the FW. Probing is not enabled. These settings are the same after the upgrade as they were before the upgrade. No errors before the upgrade. I also have individual servers listed in the server monitoring section. I have 6 servers listed but only 4 of them are included in the errors I see. Not sure that screen shot is useful with by blackouts but I did include it.
07-14-2020 08:21 AM
Here is the reply from support. What I understand is engineering will change the severity of the error (It is currently high). Not a fix in my eyes, just makes the message disappear. We'll see what reply comes back.
"Making some research I found the same issue on a different case:
The feedback received from engineering was that when this log appears, it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput.
Engineering are working on code change to reduce the severity of this alert and make it more clear for user as this is a common log which should not affect production.
This issue will be fixed on 9.0.12, 9.1.6. Both PAN-OS versions are expected by the end of Dec 2020 however this ETA is tentative and can change duo to QA testing and verification factors."
My reply back to the engineer was "Thanks I understand you saying “it indicates wmic takes much time on receiving security logs from windows server most likely due to the low throughput” but all 6 servers are on the same subnet. Shouldn’t I be seeing this message about all 6 servers if it was a low throughput issue?"
07-14-2020 10:47 AM
Thanks for updating us what PA says.
07-14-2020 12:08 PM
The last response I got is below. Nothing can be done until the fix in 9.0.12 which is slated for December 2020. Hope this information is useful.
"You right and that is an excellent question.
If engineering is saying that that there is a delay receiving security logs from the windows server when using wmi as transport protocol, I am only seeing the option that those other 2 AD's are not having that delay. In case there is no impact in user based policy you can safely ignored this alert and wait for the fix version on which this alert will be different. I understand the confusion here since the alert is not clear at all, but the background is pretty much that delay of receiving security logs from the Windows Server when using wmi as the transport protocol. Feel free to asked me any other question, it will be a pleasure."
07-14-2020 04:07 PM
Thank you so much!
This helped a lot. We have removed polling to the host which stopped the alerts.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
