Palo Alto Networks strongly recommends
disabling client probing because it is not a recommended method
of obtaining User-ID information in a high-security network.
Palo Alto Networks does not recommend using client probing due
to the following potential risks:
- Because client probing trusts data reported back from
  the endpoint, it can expose you to security risks when misconfigured.
  If you enable it on external, untrusted interfaces, the agent
  sends client probes containing sensitive information, such as
  the username, domain name, and password hash of the User-ID
  agent service account, outside of your network. If you do not configure
  the service account correctly, an attacker could potentially
  exploit the credentials to penetrate the network and gain further access.
- Client probing was designed for legacy networks where most
  users were on Windows workstations on the internal network, but
  it is not ideal for today’s more modern networks that support a roaming
  and mobile user base on a variety of devices and operating systems.
- Client probing can generate a large amount of network traffic
  (based on the total number of mapped IP addresses).
Instead, Palo Alto Networks strongly recommends using the following
alternate methods for user mapping:
- Using more isolated and trusted sources, such as domain
  controllers and integrations with Syslog or the XML API, to safely capture
  user mapping information from any device type or operating system.
The User-ID agent supports two types of client probing:
- NetBIOS probing, which uses the Windows User-ID agent.
- WMI probing, which uses either the PAN-OS integrated User-ID
  agent or the Windows User-ID agent.
Client probing is
not recommended as a user mapping method, but if you plan to enable
it, Palo Alto Networks strongly recommends using WMI probing over
In a Microsoft Windows environment, you can configure the User-ID
agent to probe client systems using Windows Management Instrumentation
(WMI) or NetBIOS probing at regular intervals to verify that an
existing user mapping is still valid or to obtain the username for
an IP address that is not yet mapped.
If you do choose to enable probing in your trusted zones, the
agent will probe each learned IP address periodically (every 20
minutes by default, but this is configurable) to verify that the
same user is still logged in. In addition, when the firewall encounters
an IP address for which it has no user mapping, it will send the
address to the agent for an immediate probe.
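
One way to verify that probes stay inside trusted zones is to check flow records for probe traffic from the agent host to addresses outside your trusted ranges. The following is an added example, not Palo Alto Networks code; the agent address, trusted ranges, flow-record layout, and the ports treated as probe traffic are assumptions to adjust for your environment.

```python
import csv
import io
import ipaddress

# Assumptions for this example (not from the page): the agent address, the
# trusted ranges, and the probe ports (TCP 135 = RPC endpoint mapper used by
# WMI/DCOM, UDP 137 and TCP 139 = NetBIOS name and session services).
# WMI also uses dynamically assigned RPC ports, which this check does not cover.
AGENT_IP = "10.1.1.20"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PROBE_PORTS = {("tcp", 135), ("udp", 137), ("tcp", 139)}

# Constructed sample flow records (hypothetical export format).
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.1.1.20,10.2.3.4,tcp,135
10.1.1.20,203.0.113.50,tcp,135
10.1.1.20,198.51.100.7,udp,137
10.1.1.20,192.168.5.9,tcp,139
10.1.1.20,203.0.113.50,tcp,443
10.9.9.9,203.0.113.50,tcp,135
"""

def is_trusted(addr):
    """True if addr falls inside one of the trusted ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def find_external_probes(flow_csv, agent_ip=AGENT_IP):
    """Return (dst, proto, dport) for agent probe flows to untrusted addresses."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["proto"].lower(), int(row["dport"]))
        if row["src"] == agent_ip and key in PROBE_PORTS and not is_trusted(row["dst"]):
            hits.append((row["dst"], key[0], key[1]))
    return hits

def summarize(hits):
    """Count probe flows per untrusted destination."""
    counts = {}
    for dst, _, _ in hits:
        counts[dst] = counts.get(dst, 0) + 1
    return counts

if __name__ == "__main__":
    for dst, n in summarize(find_external_probes(SAMPLE_FLOWS)).items():
        print(f"probe traffic from {AGENT_IP} left trusted ranges: {dst} ({n} flow(s))")
```

Any hit indicates that probing is reaching an untrusted interface and that the service account's credential material may have been sent outside the network.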