09-24-2012 09:29 AM
We have user-id-agents on our core DCs and all our local DCs (across the WAN). We receive reports with high SMB traffic polling from the core DC -> local DC. Any way to eliminate or reduce?
09-24-2012 08:21 PM
Check the following settings on the User-ID Agents.
Enable WMI and disable NetBIOS lookups (recommended).
File > Debug: Set the Debug level to None (debugging could be set if needed).
Ref: https://live.paloaltonetworks.com/message/15354#15354
-Ameya
11-13-2012 07:51 AM
Hello Ameya, I have applied the recommended settings with no change in the high traffic reports. Anything else that could be affecting this?
11-13-2012 08:28 AM
Hi,
Please make sure the customer's local agent is only doing a user-to-IP mapping for its local DC subnet. It should not be doing a mapping of the remote DC subnet.
So if your agent is reading security logs from one DC only and you have multiple agents reading security logs from multiple DCs, then you configure those agents on the PAN and the PAN would read the user-to-IP mapping from all the agents.
Please do keep in mind that communication between the DC and the agent over the WAN is a bit chatty. That's why you should make sure the local agent is only doing user-to-IP mapping for its local DC subnet and not doing a mapping of the remote DC subnet.
Thanks,
Syed Hasnain
11-13-2012 01:12 PM
Where is this setting? We only have user-id agent on the core DCs.
11-21-2012 06:18 AM
Syed, could you please tell me where I would apply that setting?
11-22-2012 01:34 AM
What do your settings look like?
If you run pan-agent directly on the Domain Controller servers I think you can set 127.0.0.1 as Domain Controller Address.
Then you limit in the Allow List (and if needed in the Ignore List as well) which IP ranges your clients use.
So if this particular DC only handles for example 10.0.1.0/24 then add this as Allow List.
One tricky part if your AD is distributed (regarding allow/ignore list) is that if the local DCs don't answer the client request, any other DC can verify and log the ip<->user in its security log.
This means that if you have a 1:1 relation between PAN-agent and DC server (either on a dedicated machine or run directly on the DC server) you will have less chat on the network (and if segmented (the local DCs refuse to answer login attempts from remote users of another site) the WMI chat straight to the clients will be less over the WAN as well).
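An added example, not part of the thread and not Palo Alto tooling: a small audit of a planned agent layout against the advice above (each agent reads a local DC, and its Allow List holds only that site's client ranges). The inventory format, agent names, site names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed inventory (hypothetical names and addressing, not from the thread):
# the DC address each agent reads and the Allow List ranges configured on it.
AGENTS = [
    {"agent": "agent-core", "site": "core", "dc": "127.0.0.1",
     "allow": ["10.0.0.0/24"]},
    {"agent": "agent-site1", "site": "site1", "dc": "127.0.0.1",
     "allow": ["10.0.1.0/24"]},
    {"agent": "agent-site2", "site": "site2", "dc": "10.0.0.10",
     "allow": ["10.0.2.0/24", "10.0.1.0/24"]},
]
# Constructed map of which client subnets live at which site.
SITE_SUBNETS = {
    "core": ["10.0.0.0/24"],
    "site1": ["10.0.1.0/24"],
    "site2": ["10.0.2.0/24"],
    "site3": ["10.0.3.0/24"],
}

def audit(agents, site_subnets):
    """Return (subject, kind, detail) findings for layouts that push
    agent <-> DC or agent <-> client traffic across the WAN."""
    findings = []
    local_allow = {site: [] for site in site_subnets}
    for a in agents:
        local = [ipaddress.ip_network(n) for n in site_subnets[a["site"]]]
        dc = ipaddress.ip_address(a["dc"])
        # Loopback means the agent runs on the DC itself (the 1:1 layout).
        if not dc.is_loopback and not any(dc in n for n in local):
            findings.append((a["agent"], "remote-dc", a["dc"]))
        for r in a["allow"]:
            net = ipaddress.ip_network(r)
            if any(net.subnet_of(n) for n in local):
                local_allow[a["site"]].append(net)
            else:
                # Range belongs to another site: mapping it crosses the WAN.
                findings.append((a["agent"], "remote-range", r))
    # Every site subnet should be handled by an agent at the same site.
    for site, subnets in site_subnets.items():
        for s in subnets:
            sub = ipaddress.ip_network(s)
            if not any(sub.overlaps(n) for n in local_allow[site]):
                findings.append((site, "uncovered", s))
    return findings

if __name__ == "__main__":
    for subject, kind, detail in audit(AGENTS, SITE_SUBNETS):
        print(f"{subject}: {kind} {detail}")
```

A `remote-range` finding does not account for the case mentioned above where a remote DC ends up authenticating a client; those mappings still land in the remote DC's security log.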