We are having some issues with our remote sites as they browse the internet through the central site however they authenticate to Domain Controllers locally in the remote sites.
When we enter the remote site DCs in the pan-agent (which resides in the central site), the traffic generated by the agent when pulling the security event logs kills the 10Mbps WAN link.
Are there any recommended settings we can tweak which would minimize this traffic or is there a bandwidth limit we can set somewhere?
We are currently running pan-agent 3.1.2.
Our solution was to install a pan-agent at each remote site. The bandwidth required between pan-agent and the firewall is almost nothing compared to the bandwidth between pan-agent and the DC. The reason is that pan-agent needs to constantly read all of the security event log entries on the DC, but only needs to provide the results (list of usernames and IPs) to the firewall.
abelgard is correct, and the agent will need to read all the events in the security log to detect the logon/logoff events. As an example, if your DC is generating 100MB of log per hour, then the agent will retrieve 100MB per hour. You can deploy an agent closer to the DC as suggested. The agent can also read the security log of Exchange server(s), and typically Exchange server(s) are centrally located. If remote users are logging into your Exchange server(s) and your Exchange server(s) are centrally located, this is another option to consider.
Thanks.
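The two replies above make the same point: the agent-to-DC traffic is essentially the Security log volume, so the WAN cost of monitoring a remote DC can be measured before any agent is placed. The script below is an added example and is not from the original thread or from Palo Alto Networks; it uses only the standard Windows Get-WinEvent cmdlet to measure how much Security log data a DC produced in a recent window and converts that into an estimated sustained rate for the link. It assumes it is run by an account that can read the Security log (locally on the DC, or remotely over RPC via -ComputerName), and it treats event IDs 4624/4634/4768/4769 as the logon-related subset only for reporting; the exact set the pan-agent parses is not stated in the thread.

```powershell
# Added example (not from the thread): estimate the Security log volume a User-ID
# agent would have to pull from a DC, so the WAN link can be sized before deployment.
# Assumption: the caller can read the Security log on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 1
)

$since = (Get-Date).AddHours(-$Hours)

# Log-level figures: current size on disk and total record count.
$log = Get-WinEvent -ListLog Security -ComputerName $ComputerName

# All events written in the window. -ErrorAction SilentlyContinue suppresses
# the "No events were found" error on an idle log.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
} -ErrorAction SilentlyContinue

# Measure-Object returns Count 0 for an empty pipeline, unlike @($null).Count.
$all   = ($events | Measure-Object).Count
# 4624 = logon, 4634 = logoff, 4768/4769 = Kerberos TGT/TGS requests (assumed subset).
$logon = ($events | Where-Object { $_.Id -in 4624, 4634, 4768, 4769 } | Measure-Object).Count

# Average serialized size per record, derived from file size / record count,
# then scaled by the number of records seen in the window.
$avgBytes     = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }
$bytesPerHour = $all * $avgBytes / $Hours

[pscustomobject]@{
    ComputerName       = $ComputerName
    WindowHours        = $Hours
    EventsInWindow     = $all
    LogonRelatedEvents = $logon
    AvgBytesPerRecord  = [math]::Round($avgBytes)
    EstimatedMBPerHour = [math]::Round($bytesPerHour / 1MB, 2)
    # Sustained rate if the agent continuously tails this log across the WAN.
    EstimatedKbps      = [math]::Round($bytesPerHour * 8 / 3600 / 1000, 1)
}
```

Run it once per remote DC (for example `.\Estimate-SecurityLogRate.ps1 -ComputerName DC-SITE-A -Hours 4`, a constructed name) and compare EstimatedKbps against the link capacity. A large gap between EventsInWindow and LogonRelatedEvents shows how much of the pull is audit noise the agent still has to read, which is the reason the thread recommends placing the agent next to the DC rather than tuning the central one.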
It can support 100 agents but..
"only one agent per domain actually connects to the firewall at a time.
In other words, having multiple user-id agents connected to 1 firewall for 1 domain will only provide redundancy in case one of the agents goes down."
Does it mean that if our PA is connected to one pan-agent it will still recognise the users authenticating to a DC that is referenced on one of the backup agents?
Further down that post, there is a correction and you can have multiple agents connected at the same time. You can have agent1 monitoring DC1 in the core, agent2 monitoring DC2 at remote site A, agent3 monitoring DC3 at remote site B, and so on. Thanks.
"• Each UIA can connect to up to 100 Domain Controllers
• Each firewall can support up to 100 UIAs
• Limit of 100 entries each in the Allow and Ignore list on the UIA"
In summary, it looks like we can have 100 agents connected.
Hi rmonvon, thanks for your help.
We are currently running PANOS 4.0.11 and UIA 3.1.2. I see all the pan-agents are connected and the primary one is only for retrieving group membership.
So the ip-user mappings are still picked up from all pan-agents.
I've done some testing in our lab and it seems to work.
Thanks again for your help.
What about deploying it straight at each DC and in the configuration set it to only read security log from localhost?
This way the only traffic is the one between the PA and each DC/pan-agent server (which would be very little compared to when the security log is being tailed over the network between the pan-agent and each DC it's set to monitor).