Imperva Cyber Community

Expand all | Collapse all

What to suggest to client, for agent throughput optimization?

  • 1.  What to suggest to client, for agent throughput optimization?

    Posted 23 days ago
    The client wants to decrease the throughput of agent - gateway traffic. Even with agent monitoring rules, the agent sends data to the gateway for a decision. Any suggestions?
    #DatabaseActivityMonitoring

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------


  • 2.  RE: What to suggest to client, for agent throughput optimization?

    Imperva Employee
    Posted 23 days ago
    Yes, if you look at the AMR's you will see the first few are agent criteria rules. This means the agent can make the decision to exclude without needing the GW to make the decision. These are the most effective. The main suspects for excessive traffic are DB maintenance jobs - if we can isolate the source you might be able to configure the source IP or process ID. Any way the agent criteria rules are the most effective

    ------------------------------
    Phil Klassen
    ------------------------------



  • 3.  RE: What to suggest to client, for agent throughput optimization?

    Posted 23 days ago
    Agent Criteria Rules do not seem to work. The client still gets events from excluded IP, tried in lab also. :/

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 4.  RE: What to suggest to client, for agent throughput optimization?

    Imperva Employee
    Posted 23 days ago
    was there any other match criteria besides IP

    ------------------------------
    Phil Klassen
    ------------------------------



  • 5.  RE: What to suggest to client, for agent throughput optimization?

    Posted 22 days ago
    Only IP, i tried on lab with some  process names and paths, but no luck.

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 6.  RE: What to suggest to client, for agent throughput optimization?

    Imperva Employee
    Posted 22 days ago
    That is very strange. The only thing I can think of is that interface that the IP is using to access the DB is not defined as a data channel under the agent.
    The other thing I can think of - This isnt an RDP connection is it - those are seen as local connections 

    You may need to open a case if neither of those help

    ------------------------------
    Phil Klassen
    ------------------------------



  • 7.  RE: What to suggest to client, for agent throughput optimization?

    Posted 21 days ago
    Will do.
    Thank you :)

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 8.  RE: What to suggest to client, for agent throughput optimization?

    Posted 16 days ago
    There is a knowledgebase article about the issue. It may be relevant with this. KB link is https://imperva.my.salesforce.com/kA3D0000000CeE4?popup=true



    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 9.  RE: What to suggest to client, for agent throughput optimization?

    Posted 16 days ago
    Hello, Yes I am aware of the article and double-checked. It isn't the fictitious source IP, but IP of the antivirus, siem etc.

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 10.  RE: What to suggest to client, for agent throughput optimization?

    Posted 15 days ago
    Hello,

    Did you ever try adding more than one criterion to AMR?

    There is another KB article about AMR you may look at -> https://imperva.my.salesforce.com/kA1D0000000Gpnc?popup=true

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 11.  RE: What to suggest to client, for agent throughput optimization?

    Posted 15 days ago
    I cant see the link you provided. Can you please share the link as below:?


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 12.  RE: What to suggest to client, for agent throughput optimization?

    Posted 15 days ago
    It is here -> https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Agents--Limitations-of-Agent-Monitoring-Rules

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 13.  RE: What to suggest to client, for agent throughput optimization?

    Posted 15 days ago
    Since the only agent criteria are these:

    the client wants to exclude only specific IP and not processes or port. Also, no agent restart is done.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 14.  RE: What to suggest to client, for agent throughput optimization?

    Posted 15 days ago
    Edited by cezmi çal 15 days ago
    As I understand from the last article, only criterion is not supported if I am not wrong.

    You may test it with more than one criterion on your lab environment and share the results.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 15.  RE: What to suggest to client, for agent throughput optimization?

    Posted 4 days ago
    Hello,
    @cezmi çal, sorry for the late reply. Due to throughput issues, the client changed the agent configuration from network + local, to local. I will update the thread when the issue will be resolved.

    Regards,


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------