Huge data transfers between remote DC and PAN Agent

Not applicable

Hi Team,

We have had an issue with huge data transfers between the PAN agent and remote DCs.

We have observed a lot of data activity between the PAN Agent and other Domain Controller servers on the WAN.

For instance, in the last one hour our router accounting and WAN graphs have shown 830 Mb of file access from one of our remote DCs, which is connected via WAN MPLS to the PAN agent at our HO.

Another of our remote DCs over the WAN, for the last 24 hours, shows 19 GB of data transfer!!

Could this mean some fine tuning has to be done on the PAN agent, or is this supposed to be normal?

What exactly is this huge amount of data transfer, and why so many GB!!


Kindly advise at the earliest.

Rgds,

Tauseef

9 REPLIES 9

Not applicable

Hi,

I have tuned the timers for the PAN agent; please find attached.

Would this have any issue? Please advise.

Tauseef

Generally speaking you will want to have a Pan Agent at the site with your remote domain controller(s) to cut down on the amount of traffic over your WAN links.

The default timer for reading the security log is one second. In your example timer configuration you have set this interval to 600 seconds (10 minutes). This means that there will be up to a ten minute delay between a user logon and the firewall receiving an update that includes the user-to-ip-mapping for this logon event. This will obviously have some impact on your end-users as they may have to wait up to 10 minutes before they match the correct security policy based upon their user ID and group membership.

-Benjamin

L4 Transporter

ta185020 wrote:

Hi Team,

We have had an issue with huge data transfers between the PAN agent and remote DCs.

We have observed a lot of data activity between the PAN Agent and other Domain Controller servers on the WAN.

For instance, in the last one hour our router accounting and WAN graphs have shown 830 Mb of file access from one of our remote DCs, which is connected via WAN MPLS to the PAN agent at our HO.

Another of our remote DCs over the WAN, for the last 24 hours, shows 19 GB of data transfer!!

Could this mean some fine tuning has to be done on the PAN agent, or is this supposed to be normal?

What exactly is this huge amount of data transfer, and why so many GB!!


Kindly advise at the earliest.

Rgds,

Tauseef

Tauseef.

If you think about it, the PAN Agent reads *every* event in the security log - which means that if you're accessing a remote DC with your agent, you're going to get a lot of traffic in a busy network.

I believe best practice for this situation is to run at least one agent per SITE - so have one of the DCs at your remote site running an agent and reporting back to the PA firewall, rather than having an agent in your central site connecting to the DC at the remote site.

Careful configuration of the agent at the remote site (i.e. only have the agent for the site monitoring the DCs located in that site) would minimise traffic.

You can configure your firewall to listen for multiple agents - up to 5 per firewall, I believe - so having more than one running shouldn't be a real issue, unless you're worried about resources on your remote DC.

Cheers.

L3 Networker

We are seeing this as well -- in fact, over a three-week period we saw UIA-to-DC traffic volumes in the order of terabytes (!!!) on our network. Seems the busier the site, the bigger the traffic. So the approach we are taking is to put the agents as close to (or possibly even on) the DCs as possible.

In contrast, over the same three-week period the traffic between the agent and the firewall itself is only 130 MB. It's a good trade-off for having to run several agents. Each firewall should handle up to 100 UIAs and each UIA can handle 10 DCs, or a max of 1,000 domain controllers per firewall.

Hope this helps.
