Do not enable client probing on high-security
networks or on external untrusted interfaces because it can pose
security risks if not correctly configured. If you enable client
probing on an external untrusted zone, it could allow an attacker
to send a probe outside of your network which may result in disclosure
of the User-ID agent service account name, domain name, and encrypted
Instead, Palo Alto Networks strongly recommends
that you collect user mapping information from isolated and trusted
sources, such as domain controllers or integrations with Syslog or the XML API, to safely capture
user mapping information from any device type or operating system.
You can configure the PAN-OS integrated User-ID agent to perform
Windows Management Instrumentation (WMI) client probing on
each client system that the user mapping process identifies. The User-ID
agent periodically probes each learned IP address to verify that
the same user is still logged in. When the firewall encounters an
IP address for which it has no user mapping, it sends the address
to the User-ID agent for an immediate probe. To configure client
probing settings, complete the following fields. The complete procedure
to configure the
PAN-OS integrated User-ID agent to probe clients requires additional
tasks besides configuring the WMI client probing settings.
Client Probing Settings
Select this option to enable WMI probing.
Probe Interval (min)
Enter the probe interval in minutes (range
is 1-1440; default is 20). This is the interval between when the
firewall finishes processing the last request and when it starts
the next request.
In large deployments, it is important to
set the interval properly to allow time to probe each client that
the user mapping process identified. For example, if you have 6,000
users and an interval of 10 minutes, the agent would need to issue 10 WMI requests
per second (6,000 probes spread over 600 seconds).
If the probe request load
is high, the observed delay between requests might significantly
exceed the interval you specify.
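As an added example (not Palo Alto Networks' code), the following Python applies the interval arithmetic above to check whether a configured Probe Interval keeps the WMI request rate within a per-deployment budget. The budget figure is an assumption for sizing, not a PAN-OS parameter; the 1-1440 minute range and the 20-minute default are the documented values.

```python
"""Sizing helper for PAN-OS integrated User-ID agent WMI client probing.

Added example, not Palo Alto Networks code. Every learned IP address is
probed once per interval, so the sustained request rate is
users / (interval_minutes * 60). The rate budget passed to the functions
below is a hypothetical per-deployment figure, not a PAN-OS setting.
"""
import math
from typing import Dict, Optional

PROBE_INTERVAL_MIN = 1        # documented lower bound (minutes)
PROBE_INTERVAL_MAX = 1440     # documented upper bound (minutes)
PROBE_INTERVAL_DEFAULT = 20   # documented default (minutes)


def probes_per_second(users: int, interval_min: int = PROBE_INTERVAL_DEFAULT) -> float:
    """Sustained WMI request rate needed to probe every user once per interval."""
    if not PROBE_INTERVAL_MIN <= interval_min <= PROBE_INTERVAL_MAX:
        raise ValueError(f"interval must be {PROBE_INTERVAL_MIN}-{PROBE_INTERVAL_MAX} minutes")
    if users < 0:
        raise ValueError("users must be non-negative")
    return users / (interval_min * 60)


def minimum_interval_minutes(users: int, max_probes_per_sec: float) -> int:
    """Smallest valid interval (whole minutes) that keeps the rate within budget.

    Rounds up to the next minute and clamps to the documented lower bound;
    raises if even the 1440-minute maximum cannot stay within the budget.
    """
    if max_probes_per_sec <= 0:
        raise ValueError("budget must be positive")
    minutes = max(PROBE_INTERVAL_MIN, math.ceil(users / max_probes_per_sec / 60))
    if minutes > PROBE_INTERVAL_MAX:
        raise ValueError("no valid interval keeps the probe rate within budget")
    return minutes


def check_interval(users: int, interval_min: int, max_probes_per_sec: float) -> Dict[str, object]:
    """Report the resulting rate, whether it fits the budget, and a suggested interval."""
    rate = probes_per_second(users, interval_min)
    suggested: Optional[int] = None
    if rate > max_probes_per_sec:
        suggested = minimum_interval_minutes(users, max_probes_per_sec)
    return {"rate_per_sec": rate, "within_budget": rate <= max_probes_per_sec,
            "suggested_interval_min": suggested}


if __name__ == "__main__":
    # Constructed input: the 6,000-user, 10-minute case from the documentation.
    print(check_interval(6000, 10, max_probes_per_sec=5.0))
```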