Imperva Cyber Community


What to suggest to client, for agent throughput optimization?

  • 1.  What to suggest to client, for agent throughput optimization?

    Posted 11-13-2019 07:47
    The client wants to decrease the throughput of agent - gateway traffic. Even with agent monitoring rules, the agent sends data to the gateway for a decision. Any suggestions?
    #DatabaseActivityMonitoring

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------


  • 2.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-13-2019 08:49
    Yes, if you look at the AMRs you will see the first few are agent criteria rules. This means the agent can make the decision to exclude without needing the GW to make the decision. These are the most effective. The main suspects for excessive traffic are DB maintenance jobs - if we can isolate the source you might be able to configure the source IP or process ID. Anyway, the agent criteria rules are the most effective.


  • 3.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-13-2019 10:27
    Agent Criteria Rules do not seem to work. The client still gets events from excluded IP, tried in lab also. :/

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 4.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-13-2019 14:24
    Was there any other match criteria besides IP?


  • 5.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-14-2019 07:21
    Only IP, I tried on lab with some process names and paths, but no luck.

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 6.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-14-2019 16:36
    That is very strange. The only thing I can think of is that the interface that the IP is using to access the DB is not defined as a data channel under the agent.
    The other thing I can think of - this isn't an RDP connection, is it? Those are seen as local connections.

    You may need to open a case if neither of those help.


  • 7.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-15-2019 07:37
    Will do.
    Thank you :)

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 8.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-20-2019 02:06
    There is a knowledge base article about the issue. It may be relevant to this. KB link is https://imperva.my.salesforce.com/kA3D0000000CeE4?popup=true



    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 9.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-20-2019 03:20
    Hello, yes, I am aware of the article and double-checked. It isn't the fictitious source IP, but the IP of the antivirus, SIEM, etc.

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 10.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-21-2019 04:44
    Hello,

    Did you ever try adding more than one criterion to AMR?

    There is another KB article about AMR you may look at -> https://imperva.my.salesforce.com/kA1D0000000Gpnc?popup=true

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 11.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-21-2019 09:55
    I can't see the link you provided. Can you please share the link as below?


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 12.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-21-2019 10:01
    It is here -> https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Agents--Limitations-of-Agent-Monitoring-Rules

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 13.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-21-2019 10:12
    Since the only agent criteria are these:

    the client wants to exclude only specific IP and not processes or port. Also, no agent restart is done.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 14.  RE: What to suggest to client, for agent throughput optimization?

    Posted 11-21-2019 10:30
    Edited by Cezmi Cal 11-21-2019 10:31
    As I understand from the last article, only criterion is not supported if I am not wrong.

    You may test it with more than one criterion on your lab environment and share the results.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 15.  RE: What to suggest to client, for agent throughput optimization?

    Posted 12-02-2019 04:24
    Hello,
    @Cezmi Cal, sorry for the late reply. Due to throughput issues, the client changed the agent configuration from network + local to local. I will update the thread when the issue is resolved.

    Regards,


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------