To configure the PAN-OS integrated User-ID agent to use Windows Management Instrumentation (WMI) for
probing client systems or Windows Remote Management (WinRM) over
HTTP or over HTTPS to monitor servers for user mapping information,
complete the following fields.
Because WMI probing trusts data that is
reported back from an endpoint, Palo Alto Network recommends that
you do not use this method to obtain User-ID mapping information
in a high-security network. If you configure the User-ID agent to
obtain mapping information by parsing Active Directory (AD) security
event logs or syslog messages, or using the XML API, Palo Alto Networks
recommends you disable WMI probing.
If you do use WMI probing,
do not enable it on external, untrusted interfaces. Doing so causes
the agent to send WMI probes containing sensitive information—such
as the username, domain name, and password hash of the User-ID agent
service account—outside of your network. An attacker could potentially
exploit this information to penetrate and gain further access to
Active Directory Authentication Settings
Enter the domain credentials (
for the account that the firewall will use to access Windows resources.
The account requires permissions to perform WMI queries on client
computers and to monitor Microsoft Exchange servers and domain controllers.
Use domain\username syntax for the
Enter the DNS name of the monitored server.
If you Configure Access to Monitored Servers using Kerberos
for server authentication, enter the Kerberos Realm domain. You
must configure this setting if you are using
Enter and confirm the password for the account
that the firewall uses to access Windows resources.
Kerberos Server Profile
Select the Kerberos Server Profile for the
Kerberos server that controls access to the Realm to retrieve security
logs and session information from the monitored server with WinRM
over HTTP or over HTTPS.
The complete procedure to
configure the PAN-OS integrated User-ID agent to monitor servers
and probe clients requires additional tasks besides defining the
Active Directory authentication settings.