09-24-2012 09:29 AM
We have user-id-agents on ou core DC's and all our local DC's (across the WAN). We receive reports with high SMB traffic polling from the core DC -> local DC. Anyway to eliminate or reduce?
09-24-2012 08:21 PM
Check the following settings on the User-ID Agents.
Enable WMI and Disable netbios lookups (Recommended) .
File>Debug : Set the Debug level to None (Debugging could be set if needed).
11-13-2012 07:51 AM
Hello Ameya, I have applied the recommended settings with no change in the high traffic reports. Anything else that could be affecting this?
11-13-2012 08:28 AM
Please make sure customer local agent is only doing a user to ip mapping for its local DC subnet. It should not be doing a mapping of the remote DC subnet.
So if your agent is reading secuirty logs from one DC only and you have muliple agents reading secuity logs from multiple DC, then you configure those agent on the pan and the PAN would read the user to ip mapping from all the agents.
Please do keep in mind that Communication between the DC and the Agent over the WAN is a bit chatty. Thats why make sure local agent only doing user to ip mapping for its local DC subnet and not be doing a mapping of the remote DC subnet.
11-13-2012 01:12 PM
where is this setting? we only have user-id agent on the core DC's
11-21-2012 06:18 AM
Syed, could you please tell me where I would apply that setting?
11-22-2012 01:34 AM
How does your settings look like?
If you run pan-agent directly on the Domain Controller servers I think you can set 127.0.0.1 as Domain Controller Address.
Then you limit in Allow List (and if needed in Ignore List aswell) which ip ranges your clients uses.
So if this particular DC only handles for example 10.0.1.0/24 then add this as Allow List.
One tricky part if your AD is distributed (regarding allow/ignore list) is if the local DC's dont answer to the client request any other DC can verify and log the ip<->user in its security log.
This gives if you have a 1:1 relation between PAN-agent and DC server (either dedicated machine or runned directly on the DC server) you will have less chat on the network (and if segmented (the local DC's refuse to answer login attempts from remote user of another site) the WMI chat straight to the clients will be less over WAN aswell).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!