Focus
Focus
Table of Contents
End-of-Life (EoL)

Client Probing

  • DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupClient Probing
You can configure the User-ID agent to perform WMI client probing
for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.
Do not enable client probing on high-security networks. Do not enable client probing on external untrusted interfaces. Client probing can generate a large amount of network traffic, can pose a security threat when misconfigured, and if enabled on an external untrusted zone, client probing could allow an attacker to send a probe outside of your network and result in disclosure of the User-ID agent service account name, domain name, and encrypted password hash. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
The complete procedure
to configure the PAN-OS integrated User-ID agent to probe clients requires additional tasks besides configuring the client probing settings.
The PAN-OS Integrated User-ID agent does not support NetBIOS probing but the Windows-based User-ID agent
does support it.
Client Probing Settings
Description
Enable Probing
Select this option to enable WMI probing.
Probe Interval (min)
Enter the probe interval in minutes (range is 1-1440; default is 20). This is the interval between when the firewall finishes processing the last request and when it starts the next request.
In large deployments, it is important to set the interval properly to allow time to probe each client that the user mapping process identified. Example, if you have 6,000 users and an interval of 10 minutes, it would require 10 WMI requests per second from each client.
If the probe request load is high, the observed delay between requests might significantly exceed the interval you specify.