Client Probing

End-of-Life (EoL)

Palo Alto Networks strongly recommends disabling client probing, because it is not a suitable method of obtaining User-ID information in a high-security network.
Client probing is not recommended due to the following potential risks:
  • Because client probing trusts data reported back from the endpoint, it can expose you to security risks when misconfigured. If you enable it on external, untrusted interfaces, the agent sends client probes containing sensitive information, such as the username, domain name, and password hash of the User-ID agent service account, outside your network. If the service account is not configured correctly, an attacker could exploit those credentials to penetrate the network and gain further access.
  • Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but it is not ideal for today's networks, which support a roaming and mobile user base on a variety of devices and operating systems.
  • Client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses).
Instead, Palo Alto Networks strongly recommends using the following alternate methods for user mapping:
  • Using more isolated and trusted sources, such as domain controllers and integrations with Syslog or the XML API, to safely capture user mapping information from any device type or operating system.
  • Configuring Authentication Policy and Authentication Portal to ensure that you only allow access to authorized users.
WMI probing is supported by both the PAN-OS integrated User-ID agent and the Windows-based User-ID agent.
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI) probing at regular intervals to verify that an existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped.
If you do choose to enable probing in your trusted zones, the agent probes each learned IP address periodically (every 20 minutes by default; the interval is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it sends the address to the agent for an immediate probe.
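The following Python model is an added illustration of the probing schedule described above; it is not Palo Alto Networks code and does not talk to WMI. It assumes a configurable probe interval in minutes, a table of learned IP-to-user mappings tagged with the zone they were learned from, and an allow-list of trusted zones (all names and sample addresses are constructed). It makes two points from the text concrete: periodic probe volume grows with the number of mapped IPs, and an unmapped IP triggers an immediate probe, so the trusted-zone allow-list is what keeps probes (and the service-account credentials they carry) off untrusted interfaces.

```python
"""Model of the periodic User-ID client-probing schedule (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import ipaddress

DEFAULT_INTERVAL_MIN = 20  # default re-verification interval stated in the documentation


@dataclass
class Mapping:
    ip: str
    user: str
    zone: str
    last_probe: int  # simulation time (minutes) of the last probe


@dataclass
class ProbeScheduler:
    trusted_zones: Set[str]                 # zones in which probing is permitted (assumption)
    interval_min: int = DEFAULT_INTERVAL_MIN
    mappings: Dict[str, Mapping] = field(default_factory=dict)
    sent: List[Tuple[int, str, str]] = field(default_factory=list)  # (time, ip, reason)

    def learn(self, ip: str, user: str, zone: str, now: int) -> None:
        """Record a learned mapping; reject malformed addresses early."""
        ipaddress.ip_address(ip)
        self.mappings[ip] = Mapping(ip, user, zone, now)

    def _allowed(self, zone: str) -> bool:
        return zone in self.trusted_zones

    def tick(self, now: int) -> List[str]:
        """Return the IPs re-probed at time `now`; untrusted-zone mappings are never probed."""
        due = []
        for m in self.mappings.values():
            if now - m.last_probe >= self.interval_min and self._allowed(m.zone):
                m.last_probe = now
                due.append(m.ip)
                self.sent.append((now, m.ip, "periodic"))
        return due

    def unknown_ip(self, ip: str, zone: str, now: int) -> bool:
        """Firewall saw traffic from an unmapped IP: probe immediately, but only in a trusted zone."""
        if not self._allowed(zone):
            return False
        self.sent.append((now, ip, "immediate"))
        return True


def probes_per_hour(num_mapped: int, interval_min: int = DEFAULT_INTERVAL_MIN) -> int:
    """Expected periodic probes per hour: every mapped IP is re-verified once per interval."""
    return num_mapped * 60 // interval_min


def run_demo() -> List[Tuple[int, str, str]]:
    """One simulated hour with constructed mappings; returns every probe the scheduler emitted."""
    s = ProbeScheduler(trusted_zones={"trust"})
    # Constructed sample data: private and documentation address ranges only.
    s.learn("10.0.0.5", "alice", "trust", now=0)
    s.learn("10.0.0.6", "bob", "trust", now=0)
    s.learn("203.0.113.9", "unknown", "untrust", now=0)  # learned on an external interface
    for minute in range(0, 61):
        s.tick(minute)
        if minute == 7:
            s.unknown_ip("10.0.0.7", "trust", minute)       # probed immediately
        if minute == 9:
            s.unknown_ip("198.51.100.2", "untrust", minute)  # dropped: zone not trusted
    return s.sent


if __name__ == "__main__":
    for t, ip, reason in run_demo():
        print(f"t={t:>3} min  probe {ip:<14} ({reason})")
    print("periodic probes/hour for 1000 mappings:", probes_per_hour(1000))
```

In the demo, the two trusted-zone mappings are re-probed at minutes 20, 40 and 60, the trusted unmapped address gets one immediate probe, and nothing is ever sent toward the untrust-zone addresses. The `probes_per_hour` helper is the quick sizing check behind the traffic caveat in the list above.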