PAN User ID agent consuming bandwidth

Reply
EdwinD
L3 Networker

PAN User ID agent consuming bandwidth

I have gone through these forums, and looked at the various admin guides, but I still need help.  Is there really not *detailed* guide to this software?

I have the user-id agent 4.1.4 installed on two domain controllers, for HA, and the Palo Alto firewall pointing to both user-id agents.  That seems to be working.

The problem is that the user agents are consuming many GB per hour across our WAN network links talking to the remote AD DCs.

From looking at the admin GUI, I would think that I could install the user-id agent onto each of my DCs, configure the user agent to look only at the DC it is installed onto, and point the Palo Alto Firewall to each DC.

From using user agents from Surfcontrol, M86, and others, I am aware that the potential exists for a user in remote location #5 to do something that creates an authentication ticket on the remote DC security logs at location #2.   Then the user-id agents at location #5 and #2 could then have conflicting information about where that user is signed on.

So I would assume that I could solve that issue by having each user-id agent monitor only the network that is on.  So location #5 would monitor 192.168.5.0/24 and location #2 would monitor 192.168.2.0/24.   That does introduce the problem that if location #5's user agent were to go offline, I would possible have NO user agent monitoring locaiton #5 and thus user mapping would quit.   However, in my case, location #5's DC is a Citrix Branch Repeater acting as a DC and a layer 2 bridge.  If it goes down, I have big problems.

Anyway, that all seems plausable until I come across this post;

https://live.paloaltonetworks.com/message/3557#3557

In particular, it says the Palo Alto firewall will select one User ID agent, and that is what it polls.  Not the others.   So all of this fancy design I have in my head would not work.  I'm back to my original problem, the user-id agent is consuming many GB per hour.  How do I solve this issue?


Accepted Solutions
essnet
L4 Transporter

You are right Andreas, firewall will ask all its agents if it knows user

behind an IP

View solution in original post


All Replies
essnet
L4 Transporter

PAN recommanded me to run 1 agent per remote location unless I didn't care for bandwidth , they were right because if you enable AD logs reading, it will eat between 200Kbit to 3Mbit in worst case for me.

EdwinD
L3 Networker

So can you give me some detail on what you did, please?

Did you do what I said, install a user agent at each location, and have it read only it's local DC's logs?

Does that actually work?   The single central Palo Alto Firewall can query EACH user-agent for user to IP mappings?

My environment is a signle AD domain/forest with member DC's at each remote location.  A single central PA firewall, at the center of a star network.  All web traffic comes back to the center of the star, out the single PA firewall.

Thank you

essnet
L4 Transporter

Yes, a single firewall can be connected up to 100 agents if needed.

mikand
L6 Presenter

Would be interresting if someone have deployed this in large environments.

If we assume the higher bandwidth for a network with 10.000 concurrent users (3Mbit/s security logs per DC) and you have lets say 100 DC's at 50 sites this would end up with shitloads of security logs being sent over your network. Also since you would need at least two panagentservers (for redundancy).

This gives roughly 3Mbit/s * <number of DC> * <number of panagentservers>, in this case: 3 * 100 * 2 = 600Mbit/s accross your network (and even worse if you feel you need more than two panagent servers)..

For performance reasons I have (until now) assumed that an optimization one can do for this is to install the panagent service directly on each DC and lock it to only read security logs from localhost (eg. no network traffic for the security logs).

The main reason for this is that the security logs isnt replicated between the AD/DC servers and when a client logins to the network this is only logged in the DC closest to the client (well the first DC to reply for the broadcast the client is sending).

But this optimization will totally break if the PAN box will only communicate with one panagent service at a time...

I would imagine that bandwidth needed for panagent <-> PAN box is in kbit/s size (panagent will notify the PAN box when a user shows up under new ip) compared to panagent <-> DC which is in several Mbit/s depending on useractivity in your network (basically a remote "tail -f" of the security log of each DC).

Edit: The question is, even if each PAN box can have a maximum of 100 panagents configured - can it communicate with them all at the same time or will it only select one at a time (making the distributed load described above impossible to achive)?

EdwinD
L3 Networker

For HA, I setup 3 user agents.  One in each of our campus data centers.  With them setup to talk to each remote location, 10 in all, I'm seeing 10Mbps just for user agent traffic.

I have Citrix Branch Repeater, so this traffic compresses around 30x-40x per the stats.  And then on top of that, it's cache is able to reduce bandwidth so that the MRTG charts on the WAN interfaces don't even see a difference in utilization.

But this isn't acceptable.  The branch repeaters reboot after applying Windows patches, and the connections aren't accelerated until I reboot the user agent service.  I end up with full WAN pipes..

I'm trying the solution of user agent on each DC.   Hopefully the PA firewall doesn't just pick ONE user agent and talk only to it, as suggested in this forum.  Otherwise, I've got issues..

essnet
L4 Transporter

I started this way with 12 remote sites and stopped in emergency because

most of them had only 2-4mbits WAN links which got saturated by central

agent. So I had to switch to local agent model which is using very low

amount of bandwidth

essnet
L4 Transporter

You are right Andreas, firewall will ask all its agents if it knows user

behind an IP

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!