Managing bandwidth throttles

Bandwidth throttling overview

You can configure throttles to limit the bandwidth and the number of concurrent connections that Tanium Cloudthe Tanium Server or Tanium Zone Server uses to send data to Tanium Clients. In deployments where numerous Tanium Clients connect with Tanium Cloudthe server at the same time to download sensors and packages, spikes in bandwidth usage might occur. Throttles prevent the spikes from degrading network performance by ensuring that Tanium Cloud the server never exceeds a specific bandwidth across your entire network or in specific subnets when sending Tanium data. To enforce the limits, Tanium Cloud the server delays sending data that would exceed the maximum bandwidth and rejects connections beyond the allowed maximum number.

Bandwidth throttles control only the rate at which Tanium Cloud the Tanium Server or Zone Server sends data to Tanium Clients, not the rate at which the Tanium Clients send data to Tanium Cloud the server. The throttles do not affect data exchanges between any other Tanium components, such as Tanium Console traffic between user systems and Tanium Cloud the Tanium Server.

In an active-active Tanium Server deployment, throttle limits are not cumulative across the server cluster. For example, if you configure a global throttle of 100 Mbps and 500 connections, those values apply to each server instead of being load balanced over both.

For the user role permissions to see and manage bandwidth throttle configurations, see Manage bandwidth throttling.

Before you begin

When you configure throttles, strike a balance between providing Tanium Cloud the Tanium Server or Zone Server enough resources (bandwidth and concurrent connections) to complete tasks in a reasonable time frame and mitigating the impact of those tasks on your network. Setting limits too low might prevent Tanium Cloud the server from sending all the sensors and packages that endpoints need in time to respond to questions and perform actions. Setting limits too high might allow spikes in Tanium traffic to hinder other tasks that the endpoints must perform. Therefore, work with your network administrator and Tanium Support (see Contact Tanium Support) to evaluate the following aspects of your network.

Bandwidth trends

Evaluate bandwidth trends for data that Tanium Cloud the Tanium Server sends to endpoints. The trends will enable you to gauge how much the traffic affects your network and determine the maximum resources that the server requires for sending the data. You can configure separate throttles for all data that Tanium Cloud the server sends and for sensor or package data. Note that the throttles for all data must accommodate every type of outbound data (such as registration information), not just sensor and package data. Work with your Tanium Support (see Contact Tanium Support) to determine the throttles required for all data types.

The best practice is leave the all-data throttle unconfigured so that no limit applies to it. If configuring the all-data throttle is necessary, set it to at least 150 megabits per second (Mbps) above the sum of the sensor and package throttles. For example, if you set the sensors bandwidth throttle to 200 Mbps and the packages throttle to 400 Mbps, set the all-data throttle to 750 Mbps or higher to accommodate all additional data types.

Global throttles

Determine the appropriate bandwidth and connection throttles for the data that Tanium Cloudthe Tanium Server or Zone Server sends to all the subnets in your network. If specific sites require more restrictive limits than the global throttles, you can configure exceptions through site throttles.

Review global throttles on a monthly basis and update them if necessary. See Tanium Maintenance User Guide: Review and update global bandwidth throttles.

Site throttles

Determine whether you need subnet-specific throttles that are more restrictive than the throttles for the rest of your network. Site throttles are useful if lower limits are required for Tanium traffic in sites that are dedicated to high priority tasks or that experience more non-Tanium traffic. For example, consider a deployment that applies the following bandwidth limits for sensors:

  • Global throttle = 200 Mbps

  • Site A throttle = 150 Mbps

  • Site B throttle = 100 Mbps

  • Site C = no site-specific throttle is configured

As long as the aggregate bandwidth across all the sites does not exceed 200 Mbps, Site A or B supports the maximum bandwidth that is specified in their site-specific throttles, while Site C is subject only to the global throttle. However, if the aggregate bandwidth reaches the global limit of 200 Mbps, Tanium Cloudthe Tanium Server prevents additional bandwidth even for sites that have not reached their individual limits. For example, if the bandwidth usage of Site A reaches 150 Mbps, sites B and C can use no more than 50 Mbps between them. Tanium CloudThe server balances the available bandwidth across sites on a first-request, first-serve basis.

Review site throttles on a quarterly basis and update them if necessary. See Tanium Maintenance User Guide: Review and update site bandwidth throttles.

Zone Server throttles

In a deployment with Tanium Zone Servers, determine whether they require throttles that differ from the Tanium Servers. For example, the connections between a Zone Server and Tanium Clients in external networks might support and need more or less bandwidth than the connections between the Tanium Server and Tanium Clients in internal networks.

Overlapping IP address ranges

Determine whether the sites that require separate throttles have overlapping IP address ranges. Only the throttle for the site with the smallest IP address range applies to an endpoint that has an address within the ranges of multiple sites. For example, the endpoints in subnet 192.168.2.0/26 are a small subset of the endpoints in subnet 192.168.2.0/24. Therefore, the 192.168.2.0/26 site throttle override the 192.168.2.0/24 site throttle for an endpoint that is in both subnets, such as IP address 192.168.2.1. If multiple subnets throttles have overlapping IP address ranges that are equal in size, the throttle that was configured most recently overrides the other throttles for the overlapping IP addresses.

Configure global throttles

Configure Global throttles on the bandwidth and number of connections for each data type that requires a distinct throttle: all data combined (packages, sensors, and all other types), just package files, or just sensors. By default, global throttles apply to both Tanium Servers and Zone Servers, but you can configure Zone Server-specific throttles if necessary. Existing settings are preserved after upgrades.

  1. From the Main menu, go to Administration > Configuration > Bandwidth Throttles.
  2. In the Global Throttles section, click Edit Edit beside the data type that you want to throttle.
  3. Enter the maximum bandwidth in Mbps. For a new Tanium Cloud instance Tanium Server installation, the default is 0 (no limit) for all data types combined, 800 Mbps for packages, and 160 Mbps for sensors.
  4. Enter the maximum number of concurrent Tanium CloudTanium Server-to-endpoint connections, and then click Save. For a new Tanium Cloud instance Tanium Server installation, the default maximum is 0 (no limit) for all data, 1600 for packages, and 40 for sensors.
  5. (Zone Server only) For each Zone Server that requires global throttles that differ from those you configured for the Tanium Server, create a JSON file named server-throttles.json. The file must be in the Zone Server installation folder. (Contact Tanium Support for the steps to move the file to the Tanium™ Appliance.) The file contents must match the following format, including the comma after each value except the last one. The bandwidth and connection limit values are always numbers (not enclosed in quotation marks) and the bandwidth units are bytes per second. To convert from megabits per second (Mbps), multiply Mbps values by 1,000,000 and divide by 8. For example, the value to enter for 900 Mbps is 112500000.

    { "data": [{
       "bandwidth_bytes_limit" : <maximum bandwidth for all data>,
       "connection_limit" : <maximum number of concurrent connections for all data>,
       "download_bandwidth_bytes_limit" : <maximum bandwidth for packages>,
       "download_connection_limit" : <maximum number of concurrent connections for packages>,
       "sensor_bandwidth_bytes_limit" : <maximum bandwidth for sensors>,
       "sensor_connection_limit" : <maximum number of concurrent connections for sensors>
    }]}

    ClosedView example

    When this file is present, the Zone Server does not inherit any global or site throttle settings from the Tanium Server. Any settings that you omit from the file have a default value of 0 (no limit). You do not have to restart the Zone Server service to apply your changes after you add, edit, or delete the file.

Configure site throttles

Configure Site throttles for the data that Tanium Cloud the Tanium Server or Zone Server sends to specific Tanium Client subnets. By default, site throttles apply to both Tanium Servers and Zone Servers, but you can configure Zone Server-specific throttles if necessary. Site throttles cannot exceed global throttles.

Base throttles on local or NAT-translated IP addresses

When defining sites for bandwidth throttling, you can specify local or NAT-translated IP addresses, but not both. By default, Tanium Cloud treatsTanium Servers and Zone Servers treat the IP addresses as NAT-translated. If you need to change this setting:

  1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
  2. In the Name column, click site_throttles_use_local_ip.
  3. Set the Value to 0 (NAT IP addresses) or 1 (local IP addresses) and then click Save.

Add sites

Add a site for each group of Tanium Client subnets that require the same bandwidth throttles for data received from Tanium Cloud the Tanium Server.

For subnets that receive data from Zone Servers, you configure the sites when you Add site throttles.

  1. From the Main menu, go to Administration > Configuration > Bandwidth Throttles.
  2. In the Site Throttles section, click Add Site.
  3. Enter a Site Name to identify the site.
  4. Enter one or more Subnets in CIDR format (such as 192.168.2.0/24 or 2001:db8::/32). Enter one subnet per line.
  5. Select whether to apply throttles for the site to the Total bandwidth shared across all subnets in bundle or to the Individual bandwidth of each subnet in bundle.
  6. Click Save. The Tanium Console then displays each subnet that you added to the site.

Add site throttles

Configure site-specific bandwidth throttles that apply to all data combined (packages, sensors, and all other types), just package files, or just sensors.

  1. From the Main menu, go to Administration > Configuration > Bandwidth Throttles.
  2. Scroll to the Site Throttles section, which has a <site_name> subsection for each site that you added.
  3. For each data type that you want to throttle, click Add in the <site_name> subsection.
  4. Enter the maximum bandwidth in Mbps, enter the maximum number of concurrent Tanium Cloudserver-to-endpoint connections, and click Save. For both settings, the default 0 specifies no limit.
  5. (Zone Server only) For each Zone Server that requires site throttles that differ from those you configured for the Tanium Server, create a JSON file named site-throttles.json. The file must be in the Zone Server installation folder. (Contact Tanium Support for the steps to move the file to the Tanium Appliance.) The file contents must match the following format, including commas. The bandwidth and connection limit values are always numbers (not enclosed in quotation marks) and the bandwidth units are bytes per second. To convert from megabits per second (Mbps), multiply Mbps values by 1,000,000 and divide by 8. For example, the value to enter for 900 Mbps is 112500000. This example specifies two sites: one with three subnets and one with two subnets. The all_subnets_flag controls whether the throttles apply individually to each subnet (0) or apply to the total bandwidth that is shared across all the subnets (1).

    { "data": [
       {
          "all_subnets_flag" : [0 | 1],
          "bandwidth_bytes_limit" : <maximum bandwidth for all data>,
          "connection_limit" : <maximum number of concurrent connections for all data>,
          "download_bandwidth_bytes_limit" : <maximum bandwidth for packages>,
          "download_connection_limit" : <maximum number of concurrent connections for packages>,
          "sensor_bandwidth_bytes_limit" : <maximum bandwidth for sensors>,
          "sensor_connection_limit" : <maximum number of concurrent connections for sensors>,
          "subnets" : [
             {
               "range" : "<subnet CIDR>"
             },
             {
               "range" : "<subnet CIDR>"
             },
             {
               "range" : "<subnet CIDR>"
             }
          ]
       },
       {
          "all_subnets_flag" : [0 | 1],
          "bandwidth_bytes_limit" : <maximum bandwidth for all data>,
          "connection_limit" : <maximum number of concurrent connections for all data>,
          "download_bandwidth_bytes_limit" : <maximum bandwidth for packages>,
          "download_connection_limit" : <maximum number of concurrent connections for packages>,
          "sensor_bandwidth_bytes_limit" : <maximum bandwidth for sensors>,
          "sensor_connection_limit" : <maximum number of concurrent connections for sensors>,
          "subnets" : [
             {
               "range" : "<subnet CIDR>"
             },
             {
               "range" : "<subnet CIDR>"
             }
          ]
       }
    ]}

    ClosedView example

    When this file is present, the Zone Server does not inherit any global or site throttle settings from the Tanium Server. Any settings that you omit from the file have a default value of 0 (no limit). You do not have to restart the Zone Server service to apply your changes after you add, edit, or delete the file.

Verify throttle delays

To see the current delays (Queue delay values) that Tanium Cloud the Tanium Server applies to enforce the throttles on the data it sends to endpoints:

  1. From the Main menu, go to Administration > Configuration > Bandwidth Throttles.
  2. Scroll to the type of throttles for which you want to see the delays.

For example, if you set the bandwidth limit for the Global Throttle for All Data to 400 Mbps and Tanium Cloud the Tanium Server starts sending 400 megabits of data, the Global Throttle for All Data section initially displays a Queue delay of 1,000 milliseconds (ms). After the download completes, the Queue delay drops to 0 ms until Tanium Cloud the Tanium Server sends more data.

The Tanium Console displays queue delays only for the Tanium Server. For the queue delays associated with Zone Servers, contact [email protected].

The Tanium Console uses the following icons to indicate the severity level of a Queue delay. The severity levels indicate the likelihood that the delay will prevent Tanium Cloud the Tanium Server from sending all the sensors and packages that endpoints need in time to respond to questions and perform actions.

  • No risk 0 to 9,999 ms: Little or no risk of disrupting Tanium functions.

  • 10,000 to 44,999 ms: Moderate risk of disrupting Tanium functions.

  • 45,000 ms or more: High risk of disrupting Tanium functions.