You can configure the User-ID agent to perform WMI client probing on
each client system that the user mapping process identifies. The
User-ID agent periodically probes each learned IP address to
verify that the same user is still logged in. When the firewall
encounters an IP address for which it has no user mapping, it sends the
address to the User-ID agent for an immediate probe. To configure
client probing settings, complete the following fields.
Do not enable client probing on high-security networks, and do not
enable it on external untrusted interfaces. Client probing can generate
a large amount of network traffic and can pose a security threat when
misconfigured. Because an unmapped IP address triggers an immediate
probe, enabling client probing on an external untrusted zone lets an
attacker who sends traffic from an unmapped external address cause the
agent to probe a host outside your network, which discloses the User-ID
agent service account name, the domain name, and the encrypted password
hash. Instead, collect user mapping information from more isolated and
trusted sources, such as domain controllers, or through Syslog or XML
API integrations; these also let you safely capture user mapping
information from any device type or operating system rather than only
from Windows clients.
The complete procedure
to configure the
PAN-OS integrated User-ID agent to probe clients requires additional
tasks besides configuring the client probing settings.
Enter the probe interval in minutes (range
is 1-1440; default is 20). This is the interval between when the
firewall finishes processing the last request and when it starts
the next request.
In large deployments, it is important to set the interval so that
there is enough time to probe every client that the user mapping
process identified. For example, with 6,000 users and a 10-minute
interval, the agent must issue 10 WMI requests per second
(6,000 probes in 600 seconds).
If the probe request load is high, the observed delay between
successive probes of the same client might significantly exceed the
interval you specify, because the interval is measured from the end of
the previous probe cycle, not from its start.
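As an added sizing example (not part of the PAN-OS documentation and not code from the User-ID agent), the following Python turns the rule of thumb above into checks: it computes the probe rate a given interval implies, finds the smallest interval in the 1-1440 range that keeps the rate under a ceiling you choose, and estimates how far the observed probe cycle stretches beyond the configured interval. The per-probe duration and the assumption that probes run one after another are assumptions for illustration; the agent's actual concurrency is not documented on this page.

```python
"""Sizing helpers for User-ID client probing intervals (added example, not PAN-OS code)."""
import math
from typing import Optional

# Configurable range and default from the documentation (minutes).
PROBE_INTERVAL_MIN = 1
PROBE_INTERVAL_MAX = 1440
PROBE_INTERVAL_DEFAULT = 20


def _check_interval(interval_minutes: int) -> None:
    if not PROBE_INTERVAL_MIN <= interval_minutes <= PROBE_INTERVAL_MAX:
        raise ValueError(
            f"probe interval must be {PROBE_INTERVAL_MIN}-{PROBE_INTERVAL_MAX} minutes"
        )


def probe_rate_per_second(learned_ips: int,
                          interval_minutes: int = PROBE_INTERVAL_DEFAULT) -> float:
    """Average WMI probes per second needed to probe every learned IP once per interval.

    Example from the text: 6,000 users at a 10-minute interval -> 10.0 probes/s.
    """
    _check_interval(interval_minutes)
    if learned_ips < 0:
        raise ValueError("learned_ips must be non-negative")
    return learned_ips / (interval_minutes * 60)


def min_interval_minutes(learned_ips: int,
                         max_rate_per_second: float) -> Optional[int]:
    """Smallest interval in the configurable range that keeps the probe rate at or
    below max_rate_per_second, or None if even the maximum interval is too short."""
    if max_rate_per_second <= 0:
        raise ValueError("max_rate_per_second must be positive")
    if learned_ips <= 0:
        return PROBE_INTERVAL_MIN
    needed_seconds = learned_ips / max_rate_per_second
    needed_minutes = max(math.ceil(needed_seconds / 60), PROBE_INTERVAL_MIN)
    if needed_minutes > PROBE_INTERVAL_MAX:
        return None
    return needed_minutes


def effective_cycle_seconds(learned_ips: int, interval_minutes: int,
                            avg_probe_seconds: float) -> float:
    """Estimated time between two probes of the same client.

    The interval only starts once the previous cycle has finished, so the
    observed cycle is the configured interval plus the time spent probing.
    Assumption (for illustration): probes are issued sequentially, one at a time,
    each taking avg_probe_seconds; real agent concurrency is not documented here.
    """
    _check_interval(interval_minutes)
    return interval_minutes * 60 + learned_ips * avg_probe_seconds


if __name__ == "__main__":
    users = 6000
    print(f"{users} users, 10 min interval: {probe_rate_per_second(users, 10):.1f} probes/s")
    print(f"interval to stay under 5 probes/s: {min_interval_minutes(users, 5)} min")
    print(f"observed cycle at 0.25 s/probe, 10 min interval: "
          f"{effective_cycle_seconds(users, 10, 0.25):.0f} s")
```

Use `min_interval_minutes` when planning a deployment: pick the probe rate your domain controllers and WAN links can absorb, then let it tell you the interval, rather than tuning the interval by hand after the agent falls behind.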