Server Monitor Account
- DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupServer Monitor Account
To configure the PAN-OS integrated User-ID agent to use Windows Management Instrumentation (WMI) for probing client systems or Windows Remote Management (WinRM) over HTTP or over HTTPS to monitor servers for user mapping information, complete the following fields.
You can also Configure Access to Monitored Servers by configuring a Kerberos server to authenticate server monitoring using Windows Remote Management (WinRM) over HTTP or over HTTPS.
Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Network recommends that you do not use this method to obtain User-ID mapping information in a high-security network. If you configure the User-ID agent to obtain mapping information by parsing Active Directory (AD) security event logs or syslog messages, or using the XML API, Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces. Doing so causes the agent to send WMI probes containing sensitive information—such as the username, domain name, and password hash of the User-ID agent service account—outside of your network. An attacker could potentially exploit this information to penetrate and gain further access to your network.
Active Directory Authentication Settings
Enter the domain credentials (
Password) for the account that the firewall will use to access Windows resources. The account requires permissions to perform WMI queries on client computers and to monitor Microsoft Exchange servers and domain controllers. Use domain\username syntax for the
User Name. If you Configure Access to Monitored Servers using Kerberos for server authentication, enter the Kerberos User Principal Name (UPN).
Domain’s DNS Name
Enter and confirm the password for the account that the firewall uses to access Windows resources.
Kerberos Server Profile
Select the Kerberos Server Profile for the Kerberos server that controls access to the Realm to retrieve security logs and session information from the monitored server with WinRM over HTTP or over HTTPS.