User-ID-Agent Traffic


L3 Networker

We have User-ID agents on our core DCs and all our local DCs (across the WAN). We receive reports of high SMB traffic polling from the core DC -> local DC. Any way to eliminate or reduce it?


L5 Sessionator

Check the following settings on the User-ID Agents.

Enable WMI and disable NetBIOS lookups (recommended).

File > Debug: set the Debug level to None (debugging can be set if needed).

Ref: https://live.paloaltonetworks.com/message/15354#15354

-Ameya

Hello Ameya, I have applied the recommended settings with no change in the high-traffic reports. Anything else that could be affecting this?

Hi,

Please make sure the customer's local agent is only doing user-to-IP mapping for its local DC subnet. It should not be doing mapping of the remote DC subnet.

So if your agent is reading security logs from one DC only, and you have multiple agents reading security logs from multiple DCs, then you configure those agents on the PAN and the PAN would read the user-to-IP mapping from all the agents.

Please do keep in mind that communication between the DC and the agent over the WAN is a bit chatty. That's why you should make sure the local agent is only doing user-to-IP mapping for its local DC subnet and not mapping the remote DC subnet.

Thanks,

Syed Hasnain

Where is this setting? We only have User-ID agents on the core DCs.

Syed, could you please tell me where I would apply that setting?

What do your settings look like?

If you run pan-agent directly on the Domain Controller servers, I think you can set 127.0.0.1 as the Domain Controller Address.

Then you limit in the Allow List (and, if needed, in the Ignore List as well) which IP ranges your clients use.

So if this particular DC only handles, for example, 10.0.1.0/24, then add this to the Allow List.

One tricky part if your AD is distributed (regarding the allow/ignore list) is that if the local DCs don't answer the client request, any other DC can verify and log the IP<->user mapping in its security log.

This means that if you have a 1:1 relation between PAN agent and DC server (either a dedicated machine or run directly on the DC server) you will have less chat on the network (and if segmented (the local DCs refuse to answer login attempts from remote users of another site) the WMI chat straight to the clients will be less over the WAN as well).
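An added example, not from this thread or from the Palo Alto agent: a small Python audit that applies the per-agent Allow List / Ignore List idea from the reply above to constructed mapping events and flags logons that one DC answered for another site's subnet, the case the reply warns about. The agent names, subnets, user names and event format are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of User-ID-style mapping events: (dc_name, user, client_ip).
# Made-up values for illustration, not real log data.
SAMPLE_EVENTS = [
    ("CORE-DC1", "alice", "10.0.1.25"),
    ("CORE-DC1", "bob", "10.0.2.40"),          # remote-site client answered by the core DC
    ("SITE-A-DC", "carol", "10.0.2.41"),
    ("SITE-A-DC", "svc-backup", "10.0.2.5"),   # service account on the Ignore List
    ("CORE-DC1", "dave", "192.168.50.9"),      # outside every Allow List
]

# Hypothetical per-agent config: the subnet each agent's DC should serve
# (Allow List) and accounts to drop from mapping (Ignore List).
AGENT_CONFIG = {
    "CORE-DC1": {"allow": ["10.0.1.0/24"], "ignore_users": set()},
    "SITE-A-DC": {"allow": ["10.0.2.0/24"], "ignore_users": {"svc-backup"}},
}


def classify(events, config):
    """Split events into kept, dropped (with reason) and cross_site.
    cross_site holds events where a DC logged a client that belongs to another
    agent's Allow List: the 'other DC answered the request' case."""
    nets = {dc: [ipaddress.ip_network(n) for n in cfg["allow"]] for dc, cfg in config.items()}
    kept, dropped, cross_site = [], [], []
    for dc, user, ip in events:
        addr = ipaddress.ip_address(ip)
        if user in config[dc]["ignore_users"]:
            dropped.append((dc, user, ip, "ignore-list"))
            continue
        if any(addr in n for n in nets[dc]):
            kept.append((dc, user, ip))
            continue
        # Not local to this DC: find whether another agent owns the subnet.
        owner = next((d for d, ns in nets.items() if d != dc and any(addr in n for n in ns)), None)
        dropped.append((dc, user, ip, f"belongs-to:{owner}" if owner else "no-allow-list-match"))
        if owner:
            cross_site.append((dc, owner, user, ip))
    return kept, dropped, cross_site


def cross_site_counts(events, config):
    """Count (answering DC, owning DC) pairs: a rough measure of the WAN chatter."""
    return Counter((dc, owner) for dc, owner, _, _ in classify(events, config)[2])


if __name__ == "__main__":
    for dc_pair, n in cross_site_counts(SAMPLE_EVENTS, AGENT_CONFIG).items():
        print(f"{dc_pair[0]} answered {n} logon(s) for clients in {dc_pair[1]}'s subnet")
```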
