Symptoms
You see a high amount of traffic from your servers to the package repository, and if you are using remote Red Hat repositories without a proxy (NOT recommended by Red Hat), you might have gotten a "Abuse of Service detected for server X" notification.
Steps to diagnose
CFEngine does interact with the OS package manager in several ways. In particular, CFEngine needs to know which packages are 1) installed and 2) which of those installed can be updated.
To see if CFEngine is asking the package manager frequently, please check the modification time on /var/cfengine/state/software_update_timestamp_*. The last part of the file name will be named after your package manager, e.g. /var/cfengine/state/software_update_timestamp_yum.
If you see the modification time is always recent (within the last 30 minutes) on many of your servers, CFEngine is likely asking the repository too frequently, so please go to the next section to improve this.
Resolution
There have been several fixes for this in 3.6.2 and 3.6.3 (to be released), but in general you should first try to upgrade to the latest release to see if this fixes your issue. If you can not upgrade or this did not fix the issue, please see the steps below.
Disable software inventory discovery
CFEngine Enterprise discovers the software installed and available out-of-the-box so that it can be used for reporting and alerting. To disable this auto-discovery, you can open masterfiles/def.cf and change
"disable_inventory_package_refresh" expression => "!any";
to
"disable_inventory_package_refresh" expression => "any";
This will only negatively affect reporting and alerting, but not alter changes happening at the agent side.
Increase cache time after upgrading
If you have upgraded CFEngine from a previous version using the provided CFEngine upgrade mechanism, the upgrade policy may be refreshing the package list to see if you are on the latest CFEngine version.
To increase this cache time, please open masterfiles/update/update_bins.cf and change
"list_update_ifelapsed_now" string => "0";
to
"list_update_ifelapsed_now" string => "10080";
This should not have any negative side-effects and will be part of 3.6.3 and onwards.