Workflow of Peer-to-Peer options to reduce bandwidth in ePolicy Orchestrator - SaaS environment
Technical Articles ID:
KB96455
Last Modified: 2023-05-05 06:05:43 Etc/GMT
Last Modified: 2023-05-05 06:05:43 Etc/GMT
Environment
ePolicy Orchestrator (ePO) - SaaS
Trellix Agent 5.7.x
Trellix Agent 5.7.x
Summary
Overview:
The Peer-to-Peer (P2P) essentially has two components:
P2P Cache Client – This component connects to the P2P server hosted by the agent service to submit the P2P content, so that the P2P server can serve that content to other peers.
P2P Discovery – This component is responsible to initiate a P2P content discovery. The discovery messages are UDP-based.
P2P Server:
Discovery Server – This server is responsible for responding to the UDP discovery messages received from other P2P clients (via UDP). The discovery messages from the same client are also received and responded to.
Content Server – If requested content is available, this component serves the content to other P2P clients (via HTTP).
Content Management – This module keeps the P2P cache up to date with available content (add/delete/purge).
P2P Ports:
The P2P communication uses port 8082 to discover peer servers and port 8081 to serve peer agents with updates.
You can set the Agent broadcast communication port (the default port is 8082) in the ePO server setting. This port is used for the discovery (UDP) service. The P2P discovery plugin sits on top of the Discovery server. The Discovery server sends the P2P discovery messages to the P2P plugin.
You can set the Agent wake-up communication port (the default port is 8081) in the ePO server setting. This port is used for hosting the HTTP server. The P2P content server sits on top of the HTTP server. The HTTP server sends the P2P content download request to the P2P content server.
P2P is known as a Peer-to-Peer network. It's enabled by default in the Trellix Default and My Default policy. This option helps reduce the bandwidth usage of systems in the same subnet.
The P2P repository path is used to store files used by the P2P server service.
NOTE: The P2P repository stores the download data but not the communication.
By default, the disk space is set to 512 MB and it supports a maximum size of up to 5 GB.
The systems in the same subnet need to get the packages and updates through the P2P option. We recommended increasing the disk space to 5,000 MB (5 GB), so it helps store more data. The default purging interval is 30 days. For more information, see the article Downloading content updates from peer agents.
The default P2P data storage location isC:\ProgramData\McAfee\Agent\data\McAfeeP2P\Current
The image below shows the default settings of the P2P Options.
Themacmnsvc.log file records the following statements:
2022-09-14 00:50:19.953 macmnsvc(972.2272) http_server.Debug: Http server configuring
2022-09-14 00:50:19.953 macmnsvc(972.2272) p2p.Debug: Configured p2p discovery handler(1).
2022-09-14 00:50:19.953 macmnsvc(972.2272) p2p_service.Info: Reconfiguring the P2P service.
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: udp message matched for p2p content discovery
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: processing p2p content discovery for hash(D3084057D373218CBA6BC3E0BEA2512EDD322134).
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: P2p content found (hash = D3084057D373218CBA6BC3E0BEA2512EDD322134).
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: P2p content discovery(hash = D3084057D373218CBA6BC3E0BEA2512EDD322134), sent response
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Info: ma_http_connection_t(0000022E49DC0090) accepting tcp connection from 192.168.0.170:49544
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) ma_http_connection_prepare_request
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) now associated with request_handler(0000022E492BD030) for url </p2p/D3084057D373218CBA6BC3E0BEA2512EDD322134>
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: p2p handler processing </p2p/D3084057D373218CBA6BC3E0BEA2512EDD322134> request on connection(0000022E49DC0090)
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: P2P Content serving on connection(0000022E49DC0090) complete...
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) ma_http_connection_prepare_request
2022-09-14 00:25:37.789 macmnsvc(972.2272) http_server.Debug: P2P Content serving, Notified request completion
When the data is purged in theMcAfeeP2P , you see the following entries:
2022-08-24 16:06:00.428 macmnsvc(3856.4432) p2p_service.Info: 1 content found in the request.
2022-08-24 16:06:00.428 macmnsvc(3856.4432) p2p_service.Debug: Add request(hash = 0E2483722BC9851EB004D8F35CF3E6DD64AD7567, urn = Current\ENDPCNT_1000\DAT\0000\EXP_20220729_12336_ENDP_AM_1000.zip).
2022-08-24 16:06:00.494 macmnsvc(3856.4432) p2p_service.Info: content(hash = 0E2483722BC9851EB004D8F35CF3E6DD64AD7567, size = 4144709) added to p2p repo.
2022-08-24 16:06:00.494 macmnsvc(3856.4432) p2p_service.Debug: aggregated_size = 540718565, disk_quota = 536870912, purge_size = 3847653
2022-08-24 16:06:00.741 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 7D972352316507BD2CFE87A3B940C3BE0BCDFCC4, size = 262721)
2022-08-24 16:06:00.795 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = CCC548CFBD30EEF3AF3A5DEA7F57CC6602BABF88, size = 801365)
2022-08-24 16:06:00.995 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 0AE2E38BD892AA66403EFC73DAD8F8E3F3D09459, size = 156720)
2022-08-24 16:06:01.272 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = ECC258C9A4E0F0140E9B72B6FC46ADD3CFAB9281, size = 113072)
2022-08-24 16:06:01.334 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = B2FAA66F5C21356C1A47216EF684450E15901AA1, size = 102546)
2022-08-24 16:06:01.397 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 1713D7E95433500BE40E4EE5240872711F77F222, size = 417870)
2022-08-24 16:06:01.475 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 504571836CFABD645FC3DBE9F267A3102F1EC81B, size = 439840)
2022-08-24 16:06:01.538 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 67918AFE9CC6053E2FBBFD62E034B15BFE408A99, size = 53224)
2022-08-24 16:06:01.618 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 793B6023E1AF3CE05F3D096822EDD5C222CCC498, size = 3871099)
2022-08-24 16:06:01.618 macmnsvc(3856.4432) p2p_service.Debug: Total purged size 6218457
NOTE: If port 8082 is disabled, the action to find the P2P Server fails between the discovery and broadcast.
TheMcscript_deploy.log contains the product deployment packages downloaded from peers rather than ePO - SaaS. From the following sample log, you can find the supportive files (Sitestat.xml, replica.log, catalog.z, pkgcatalog.z ) and other files from the repository. The product-related huge files are downloaded from the McAfeeP2P folder of the P2P server system in same subnet.
2022-09-15 01:31:32 I #1720 p2p_client Checking P2P services via discovery...
2022-09-15 01:31:32 I #1720 creposi Trying the repository dist_repo_cdn
2022-09-15 01:31:32 I #1720 curl Before Encoding URL:http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash={cd794d22-34d0-11ed-3eee-a28474000100}, After Encoding URL:http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash=%7Bcd794d22-34d0-11ed-3eee-a28474000100%7D
2022-09-15 01:31:32 I #1720 downloader Downloading file from http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash={cd794d22-34d0-11ed-3eee-a28474000100} to C:\Windows\TEMP\4CB485E0-CC62-44CB-9EE6-B26EC43F0A8D\SiteStat.xml success.
2022-09-15 01:31:36 I #1720 curl Before Encoding URL:http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB, After Encoding URL:http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB
2022-09-15 01:31:36 I #1720 downloader Downloading file from http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB to C:\ProgramData\McAfee\Agent\\Current\ENDP_AM_1070\Install\0000\ThreatPreventionInstall.mcs success.
2022-09-15 01:31:39 I #1720 curl Before Encoding URL:http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA, After Encoding URL:http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA
2022-09-15 01:31:40 I #1720 downloader Downloading file from http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA to C:\ProgramData\McAfee\Agent\\Current\ENDP_GS_1070\Install\0000\setupCC.exe success.
2022-09-15 01:31:40 I #1720 downloader changing permission...
2022-09-15 01:31:40 X #1720 creposi Adding content to p2p repo
2022-09-15 01:31:40 X #1720 creposi Path: Current\ENDP_GS_1070\Install\0000\setupCC.exe
2022-09-15 01:31:40 X #1720 creposi remote_directory: Current\ENDP_GS_1070\Install\0000
2022-09-15 01:31:40 X #1720 creposi file_name: setupCC.exe
2022-09-15 01:31:40 I #1720 policybag Sending content "add" request
2022-09-15 01:31:40 I #1720 policybag Content "add" request succeded.
The respective product files are stored in the default location: C:\programdata\mcafee\agent\data\McAfeeP2P\Current\ENDP_AM_1070\Install\0000
Troubleshooting:
Even though P2P is enabled, the files can be downloaded from the internet.
The Peer-to-Peer (P2P) essentially has two components:
- Client
- Server
P2P Cache Client – This component connects to the P2P server hosted by the agent service to submit the P2P content, so that the P2P server can serve that content to other peers.
P2P Discovery – This component is responsible to initiate a P2P content discovery. The discovery messages are UDP-based.
P2P Server:
Discovery Server – This server is responsible for responding to the UDP discovery messages received from other P2P clients (via UDP). The discovery messages from the same client are also received and responded to.
Content Server – If requested content is available, this component serves the content to other P2P clients (via HTTP).
Content Management – This module keeps the P2P cache up to date with available content (add/delete/purge).
P2P Ports:
The P2P communication uses port 8082 to discover peer servers and port 8081 to serve peer agents with updates.
You can set the Agent broadcast communication port (the default port is 8082) in the ePO server setting. This port is used for the discovery (UDP) service. The P2P discovery plugin sits on top of the Discovery server. The Discovery server sends the P2P discovery messages to the P2P plugin.
You can set the Agent wake-up communication port (the default port is 8081) in the ePO server setting. This port is used for hosting the HTTP server. The P2P content server sits on top of the HTTP server. The HTTP server sends the P2P content download request to the P2P content server.
P2P is known as a Peer-to-Peer network. It's enabled by default in the Trellix Default and My Default policy. This option helps reduce the bandwidth usage of systems in the same subnet.
The P2P repository path is used to store files used by the P2P server service.
NOTE: The P2P repository stores the download data but not the communication.
By default, the disk space is set to 512 MB and it supports a maximum size of up to 5 GB.
The systems in the same subnet need to get the packages and updates through the P2P option. We recommended increasing the disk space to 5,000 MB (5 GB), so it helps store more data. The default purging interval is 30 days. For more information, see the article Downloading content updates from peer agents.
The default P2P data storage location is
The image below shows the default settings of the P2P Options.
The
2022-09-14 00:50:19.953 macmnsvc(972.2272) p2p.Debug: Configured p2p discovery handler(1).
2022-09-14 00:50:19.953 macmnsvc(972.2272) p2p_service.Info: Reconfiguring the P2P service.
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: udp message matched for p2p content discovery
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: processing p2p content discovery for hash(D3084057D373218CBA6BC3E0BEA2512EDD322134).
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: P2p content found (hash = D3084057D373218CBA6BC3E0BEA2512EDD322134).
2022-09-14 00:25:37.617 macmnsvc(972.2272) p2p.Debug: P2p content discovery(hash = D3084057D373218CBA6BC3E0BEA2512EDD322134), sent response
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Info: ma_http_connection_t(0000022E49DC0090) accepting tcp connection from 192.168.0.170:49544
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) ma_http_connection_prepare_request
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) now associated with request_handler(0000022E492BD030) for url </p2p/D3084057D373218CBA6BC3E0BEA2512EDD322134>
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: p2p handler processing </p2p/D3084057D373218CBA6BC3E0BEA2512EDD322134> request on connection(0000022E49DC0090)
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: P2P Content serving on connection(0000022E49DC0090) complete...
2022-09-14 00:25:37.774 macmnsvc(972.2272) http_server.Debug: ma_http_connection_t(0000022E49DC0090) ma_http_connection_prepare_request
2022-09-14 00:25:37.789 macmnsvc(972.2272) http_server.Debug: P2P Content serving, Notified request completion
When the data is purged in the
2022-08-24 16:06:00.428 macmnsvc(3856.4432) p2p_service.Debug: Add request(hash = 0E2483722BC9851EB004D8F35CF3E6DD64AD7567, urn = Current\ENDPCNT_1000\DAT\0000\EXP_20220729_12336_ENDP_AM_1000.zip).
2022-08-24 16:06:00.494 macmnsvc(3856.4432) p2p_service.Info: content(hash = 0E2483722BC9851EB004D8F35CF3E6DD64AD7567, size = 4144709) added to p2p repo.
2022-08-24 16:06:00.494 macmnsvc(3856.4432) p2p_service.Debug: aggregated_size = 540718565, disk_quota = 536870912, purge_size = 3847653
2022-08-24 16:06:00.741 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 7D972352316507BD2CFE87A3B940C3BE0BCDFCC4, size = 262721)
2022-08-24 16:06:00.795 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = CCC548CFBD30EEF3AF3A5DEA7F57CC6602BABF88, size = 801365)
2022-08-24 16:06:00.995 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 0AE2E38BD892AA66403EFC73DAD8F8E3F3D09459, size = 156720)
2022-08-24 16:06:01.272 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = ECC258C9A4E0F0140E9B72B6FC46ADD3CFAB9281, size = 113072)
2022-08-24 16:06:01.334 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = B2FAA66F5C21356C1A47216EF684450E15901AA1, size = 102546)
2022-08-24 16:06:01.397 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 1713D7E95433500BE40E4EE5240872711F77F222, size = 417870)
2022-08-24 16:06:01.475 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 504571836CFABD645FC3DBE9F267A3102F1EC81B, size = 439840)
2022-08-24 16:06:01.538 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 67918AFE9CC6053E2FBBFD62E034B15BFE408A99, size = 53224)
2022-08-24 16:06:01.618 macmnsvc(3856.4432) p2p_service.Debug: Purged content(hash = 793B6023E1AF3CE05F3D096822EDD5C222CCC498, size = 3871099)
2022-08-24 16:06:01.618 macmnsvc(3856.4432) p2p_service.Debug: Total purged size 6218457
NOTE: If port 8082 is disabled, the action to find the P2P Server fails between the discovery and broadcast.
The
2022-09-15 01:31:32 I #1720 creposi Trying the repository dist_repo_cdn
2022-09-15 01:31:32 I #1720 curl Before Encoding URL:http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash={cd794d22-34d0-11ed-3eee-a28474000100}, After Encoding URL:http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash=%7Bcd794d22-34d0-11ed-3eee-a28474000100%7D
2022-09-15 01:31:32 I #1720 downloader Downloading file from http://cdn-mcafee.mvision.mcafee.com:80/Software/SiteStat.xml?hash={cd794d22-34d0-11ed-3eee-a28474000100} to C:\Windows\TEMP\4CB485E0-CC62-44CB-9EE6-B26EC43F0A8D\SiteStat.xml success.
2022-09-15 01:31:36 I #1720 curl Before Encoding URL:http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB, After Encoding URL:http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB
2022-09-15 01:31:36 I #1720 downloader Downloading file from http://192.168.0.156:8081/p2p/D72184270D9328EA3EF972AFEFECAD6B99F9F2FB to C:\ProgramData\McAfee\Agent\\Current\ENDP_AM_1070\Install\0000\ThreatPreventionInstall.mcs success.
2022-09-15 01:31:39 I #1720 curl Before Encoding URL:http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA, After Encoding URL:http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA
2022-09-15 01:31:40 I #1720 downloader Downloading file from http://192.168.0.156:8081/p2p/621F54275480560041588BA2636805191180A5DA to C:\ProgramData\McAfee\Agent\\Current\ENDP_GS_1070\Install\0000\setupCC.exe success.
2022-09-15 01:31:40 I #1720 downloader changing permission...
2022-09-15 01:31:40 X #1720 creposi Adding content to p2p repo
2022-09-15 01:31:40 X #1720 creposi Path: Current\ENDP_GS_1070\Install\0000\setupCC.exe
2022-09-15 01:31:40 X #1720 creposi remote_directory: Current\ENDP_GS_1070\Install\0000
2022-09-15 01:31:40 X #1720 creposi file_name: setupCC.exe
2022-09-15 01:31:40 I #1720 policybag Sending content "add" request
2022-09-15 01:31:40 I #1720 policybag Content "add" request succeded.
Troubleshooting:
Even though P2P is enabled, the files can be downloaded from the internet.
- Make sure that the TA logs are available in the Debug, and the log file size is increased. For help, see Solution 1, Option 1 "Set the log level (Debug or Info) in the TA policy using the ePolicy Orchestrator (ePO) console" in the KB82170 - How to enable debug logging for Trellix Agent to troubleshoot Windows.
- Check the source IP from the
Mcscript logs and theMcAfeeP2P folder to confirm that the file isn't available in the respective point product sub-folder. - Check the
macmnsvc_systemname.log for the purged content entries. - Check the policy to make sure that the same policy is applied to the client, P2P Client and Server is enabled.
- Check whether port 8082 is enabled for the discovery.
Affected Products
Languages:
This article is available in the following languages:
