Managing bandwidth throttling
You can configure throttles to limit the bandwidth and the number of concurrent connections that the Tanium Server or Tanium Zone Server uses to send data to Tanium Clients. In deployments where numerous Tanium Clients connect with the server at the same time to download sensors and packages, spikes in bandwidth usage might occur. Throttles prevent the spikes from degrading network performance by ensuring that the Tanium Server or Zone Server never exceeds a specific bandwidth across your entire network or in specific subnets when sending Tanium data. To enforce the limits, the server delays sending data that would exceed the maximum bandwidth and rejects connections beyond the allowed maximum number.
Only users who have the Administrator reserved role can see and use the Configuration > Bandwidth Throttling page.
When you configure throttles, strike a balance between providing the Tanium Server enough resources (bandwidth and concurrent connections) to complete tasks in a reasonable time frame and mitigating the impact of those tasks on your network. Setting limits too low might prevent the Tanium Server from sending all the sensors and packages that endpoints need in time to respond to questions and perform actions. Setting limits too high might allow spikes in Tanium traffic to hinder other tasks that the endpoints must perform. Therefore, work with your network administrator and Tanium Technical Account Manager (TAM) to determine the following aspects of your network:
- Bandwidth trends: Evaluate bandwidth trends for data that the Tanium Server sends to endpoints. The trends will enable you to gauge how much the traffic affects your network and determine the maximum resources that the Tanium Server requires for sending the data. You can configure separate throttles for all data that the Tanium Server sends and for sensor or package data. Note that the throttles for all data must accommodate every type of outbound data (such as registration information), not just sensor and package data. For example, if you set the sensors bandwidth throttle to 200 megabits per second (Mbps) and the packages throttle to 400 Mbps, you must set the all-data throttle sufficiently above 600 Mbps (or leave the throttle unconfigured) to accommodate all additional data types. Work with your TAM to determine the throttles required for all data types.
- Site throttles: Determine whether you need site throttles: subnet-specific throttles that are more restrictive than the throttles for the rest of your network. For example, you might want to set a lower bandwidth limit for Tanium traffic in sites that are dedicated to high priority tasks or that experience more non-Tanium traffic. Note that more restrictive throttles override less restrictive ones when multiple throttles apply to the same Tanium Server-to-endpoint connections. For example, if you set a site-specific throttle to 1 Mbps and the global (network-wide) throttle to 5 Mbps, the Tanium Server applies the 1 Mbps throttle to the site.
- Overlapping IP address ranges: Determine whether the sites that require separate throttles have overlapping IP address ranges. Only the throttle for the site with the smallest IP address range applies to an endpoint that has an address within the ranges of multiple sites. For example, the endpoints in subnet 192.168.2.0/24 are a small subset of the endpoints in subnet 192.168.2.0/8. Therefore, the 192.168.2.0/24 site throttle would override the 192.168.2.0/8 site throttle for an endpoint that is in both subnets, such as IP address 192.168.2.1.
Configure bandwidth and connection throttles for the data that the Tanium Server sends to all the endpoints in your network. Repeat these steps for each data type that requires a distinct throttle: all data combined (packages, sensors, and all other types), just package files, or just sensors.
- Go to Configuration > Tanium Server > Bandwidth Throttling.
- In the Global Throttles section, click Edit beside the data type you want to throttle.
- Enter the maximum bandwidth in Mbps.
For a new Tanium Server installation, the default is 0 (no limit) for all data, 45 Mbps for packages, and 45 Mbps for sensors. Existing settings are preserved after upgrades.
- Enter the maximum number of concurrent Tanium Server-to-endpoint connections.
For a new Tanium Server installation, the default is 0 (no limit) for all data, 300 for packages, and 10 for sensors. Existing settings are preserved after upgrades.
- Save your changes.
Configure bandwidth throttles for the data that the Tanium Server sends to specific Tanium Client subnets.
Base throttles on local or NAT-translated IP addresses
When defining sites for bandwidth throttling, you can specify local or NAT-translated IP addresses, but not both. By default, the Tanium Server treats the IP addresses as NAT-translated. If you need to change this setting:
- Go to Administration > Global Settings.
- Select site_throttles_use_local_ip and click Edit.
- Set the value to 0 (NAT IP addresses) or 1 (local IP addresses).
- Ensure the setting Affects the Server (Tanium Server or Zone Server) and save your changes.
Add a site for each group of Tanium Client subnets that require the same bandwidth throttles.
- Go to Configuration > Tanium Server > Bandwidth Throttling.
In the Site Throttles section, click Add Site.
Enter a Site Name to identify the site.
Enter one or more Subnets in CIDR format (such as 192.168.2.0/24 or 2001:db8::/32). Enter one subnet per line.
Select whether to apply throttles for the site to the Total bandwidth shared across all subnets in bundle or to the Individual bandwidth of each subnet in bundle.
Save your changes. The Tanium Console then displays each subnet you added to the site.
Add site throttles
Configure site-specific bandwidth throttles that apply to all data combined (packages, sensors, and all other types), just package files, or just sensors.
Go to Configuration > Tanium Server > Bandwidth Throttling, and then scroll down to the Site Throttles section, which has a <site_name> subsection for each site that you added.
- For each data type that you want to throttle, click Add in the <site_name> subsection, enter the maximum bandwidth in Mbps (default is 0, which specifies no limit), and save your changes.
After you configure bandwidth throttles, the Configuration > Tanium Server > Bandwidth Throttling page displays the current delays (Queue delay values) that the Tanium Server applies to enforce the throttles on the data it sends to endpoints. For example, if you set the bandwidth limit for the Global Throttle for All Data to 1 Mbps and the Tanium Server starts sending 1 megabit of data, the Global Throttle for All Data section initially displays a Queue delay of 1,000 milliseconds (ms). After the download completes, the Queue delay drops to 0 ms until the Tanium Server sends more data. The Queue delay uses the following icons to indicate the severity level of the delay. The severity levels indicate the likelihood that the delay will prevent the Tanium Server from sending all the sensors and packages that endpoints need in time to respond to questions and perform actions.
0 to 9,999 ms: Little or no risk of disrupting Tanium functions.
10,000 to 44,999 ms: Moderate risk of disrupting Tanium functions.
45,000 ms or more: High risk of disrupting Tanium functions.
To see the delays associated with specific subnets within a site, hover over a subnet in the corresponding <site_name> subsection.
Last updated: 3/31/2020 3:59 PM | Feedback