08-06-2012 08:48 AM
We are having some issues with our remote sites as they browse the internet through the central site however they authenticate to Domain Controllers locally in the remote sites.
When we enter the remote site DC's in the pan-agent (which resides in the central site) the traffic generated by the agent when pulling the security event logs kills the 10Mbps WAN link.
Are there any recommended settings we can tweak which would minimize this traffic or is there a bandwidth limit we can set somewhere?
We are currently running pan-agent 3.1.2.
08-06-2012 01:23 PM
Our solution was to install a pan-agent at each remote site. The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC. The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.
08-06-2012 01:23 PM
Our solution was to install a pan-agent at each remote site. The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC. The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.
08-06-2012 09:09 PM
abelgard is correct and the agent will need to read all the events in the security log to detect the logon/logoff events. As a example, if your DC is generating 100MB log/hour then the agent will retrieve 100MB per hour. You can deploy an agent closer to the DC as suggested. The agent can also read the security log of exchange server(s) and typically, exchange server(s) are centrally located. If remote users are logging into your exchange server(s) and your exchange server(s) are centrally located, this is another option to consider.
Thanks.
08-07-2012 01:14 AM
Hi guys,
Thanks for the responses. Please correct me if I'm wrong but the PA only references one agent as the active agent for a domain.
So if it references an agent in the central site, which doesn't list all the DC's how does the agent at the remote site help in this situation?
08-07-2012 09:19 AM
It can support 100 agents but..
"only one agent per domain actually connects to the firewall at a time.
In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redunancy in case one of the agents goes down."
Does it mean that if our PA is connected to one pan-agent it will still recognise the users authenticating to a DC that is referenced on one of the backup agents?
08-07-2012 09:41 AM
Further down that post, there is a correction and you can have multiple agents connected at the same time. You can have agent1 monitoring DC1 in the core, agent2 monitoring DC2 at remote site A, agent3 monitoring DC3 at remote site B, and so on. Thanks.
"• Each UIA can connect to up to 100 Domain Controllers
• Each firewall can support up to 100 UIA’s
• Limit of 100 entries each in the Allow and Ignore list on the UIA"
In summary, it looks like we can have 100 agents connected.
08-08-2012 01:20 AM
Ok so this would require us to be running UIA 4.1.x. Does this also mean we need to be running PANOS 4.1.x? We are currently running 4.0.11.
08-08-2012 11:21 AM
It is supported for PAN-S 4.0 as well. You don't have to upgrade to 4.1. The UIA should be the same 4.x release train to match the 4.x of your PA devices. Thanks.
08-09-2012 04:22 AM
There doesn't seem to be a 4.0.x UIA agent? It goes from 3.1.2 -> 4.1.0?
08-09-2012 05:31 AM
Please use the 3.1.2-AD agent as it is forward compatible. Thanks.
08-09-2012 08:00 AM
Hi rmonvon, thanks for your help.
We are currently running PANOS 4.0.11 and UIA 3.1.2. I see all the pan-agents are connected and the primary one is only for retrieving group membership.
So the ip-user mappings are still picked up from all pan-agents.
I've done some testing in our lab and it seems to work.
Thanks again for your help.
08-20-2012 03:21 PM
What about deploying it straight at each DC and in the configuration set it to only read security log from localhost?
This way the only traffic is the one between PA and each DC/Pan-agent server (which would be very little compared to when the security logs is being tailed over the network between pan-agent and each DC its set to monitor).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
