UaService (PA User Agent) consuming 50% of bandwith capacity

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

UaService (PA User Agent) consuming 50% of bandwith capacity

L0 Member

we have since a couple of weeks detected an issue with our network bandwith which looked to be caused by domain controllers.  if we looked further into detail the domaincontrollers were replicating CIFS at a speed of approx 200kbs/400kbs  (which is about 50% of our 2Mbit lines which we have between our plants).  Notice that we have the next setup:

each of our factories is equiped with 2 stand-alone domain controllers +  1 virtual domain controller in our central datacenter (most plants have a 2Mbit connection to our central datacenter).  and the PA user agent in our central datacenter looks to be constantly replicating data with the PA user agents (or DC's) in our remote plants.

if i take a closer look with Process Monitor, the UAService.exe is constantly "reading" data from \\<serverip>\PIPE\EVENTVIEWER which looks to cause the massive traffic on our network. at the moment between 30% and 50% of our total WAN network capacity looks to be "eaten" by the PA user agent.

is there anything we can change in the configuration to redruce this traffic?  below you can see a part of the user agent XML file which contains the timeouts and session details:

<server-monitor security-log-enabled="1" security-log-interval="3" session-enabled="0" session-interval="10" edir-interval="30" />
<probing wmi-enabled="0" netbios-enabled="0" interval="20" init-retry-delay="3" />
<timeout enabled="1" entry-timeout="720" />
<listening-port>5007</listening-port>
<xml-api enabled="0" xml-api-port="5006" />
<ip-cache enabled="1" />
5 REPLIES 5

L0 Member

found a topic with the same issue: https://live.paloaltonetworks.com/message/15709

however i'm still wondering what the best setup in our case would be.  Do we need to keep the PA user agents at the remote sites and disable one of the 2 agents, or will the best solution be to only keep the user agent in our central data center and let it communicate with the domaincontrollers in the remote site?

Amount of bandwidth needed depends on how many clients you have, how active they are and how much bandwidth you can spare on your WAN.

The PAN-agent is tailing the security log of the DC's its configured to follow which with many users doing all sorts of thing in your network will be chatty.

So in your case if WAN is an issue you should install PAN-agent on a dedicated server sitting in the same switch as your remote DC, or even better - install the PAN-agent straight on the DC itself.

Then when you configure it you configure it to only tail the security log from localhost (the DC server PAN-agent is installed on) and as an optimization limit client ip's to the ranges which this DC will handle (depending on how your DC structure is setup - DC as in Domain Controller in this case).

For better hitrate you can configure PAN-agent to query clients using WMI (will use just slightly more bandwidth but should be far less than tailing security logs over the network).

Then in your PA you configure your PA to query each PAN-agent which should be far less traffic than before (because PA caches the results and the stuff the PAN-agent sends to PA is just user/ip mappings).

Hello,

You should probably start to increase the timer "security-log-interval" with a higher value. 30 seconds or more...

That's the interval PAN-agent is tailing the security log of the DC.

Regards,

HA

L0 Member

thanks both,  we have switched off both the virtual DC and one of the 2 local DCs and this seems to have decreased the traffic in one direction by almost 100% and in the other direction by 75%!   We have been thinking over reducing the security-log-internal already but weren't sure yet about how far we could go before this would result in issues.

I dont think that should matter that much bandwidth wise.

Unless the PAN-agent copy the whole security log each time.

Hopefully it can use some kind of pointer regarding from which row or time it want to read the log which would give that either you download (as example) 1 megabyte each minute or 16.7 kbyte (1/60) each second (if we compare setting this value to read each 60 seconds vs each 1 second).

  • 3347 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!