In a Microsoft Windows environment, you can configure
the User-ID agent to probe client systems using Windows Management
Instrumentation (WMI) and/or NetBIOS probing at regular intervals
to verify that an existing user mapping is still valid or to obtain
the username for an IP address that is not yet mapped.
NetBIOS probing is only supported on the Windows-based
User-ID agent; it is not supported on the PAN-OS integrated User-ID
Client probing was designed for legacy networks where most users
were on Windows workstations on the internal network, but is not
ideal for today’s more modern networks that support a roaming and
mobile user base on a variety of devices and operating systems.
Additionally, client probing can generate a large amount of network
traffic (based on the total number of mapped IP addresses) and can
pose a security threat when misconfigured. Therefore, client probing
is no longer a recommended method for user mapping. Instead collect
user mapping information from more isolated and trusted sources,
such as domain controllers and through integrations with Syslog or the XML API,
which allow you to safely capture user mapping information from
any device type or operating system. If you have sensitive applications
that require you to know exactly who a user is, configure Captive Portal to
ensure that you are only allowing access to authorized users.
Because WMI probing trusts data reported
back from the endpoint, it is not a recommended method of obtaining
User-ID information in a high-security network. If you are using
the User-ID agent to parse AD security event logs, syslog messages,
or the XML API to obtain User-ID mappings, Palo Alto Networks recommends
disabling WMI probing.
If you do choose to use WMI probing,
do not enable it on external, untrusted interfaces, as this would
cause the agent to send WMI probes containing sensitive information
such as the username, domain name, and password hash of the User-ID agent
service account outside of your network. This information could
potentially be exploited by an attacker to penetrate the network
to gain further access.
If you do choose to enable probing in your trusted zones, the
agent will probe each learned IP address periodically (every 20
minutes by default, but this is configurable) to verify that the
same user is still logged in. In addition, when the firewall encounters
an IP address for which it has no user mapping, it will send the
address to the agent for an immediate probe.