In a Microsoft Windows environment, you can configure
the User-ID agent to probe client systems using Windows Management
Instrumentation (WMI) and/or NetBIOS probing at regular intervals
to verify that an existing user mapping is still valid or to obtain
the username for an IP address that is not yet mapped.
NetBIOS probing is only supported on the Windows-based
User-ID agent; it is not supported on the PAN-OS integrated User-ID

Client probing was designed for legacy networks where most users
were on Windows workstations on the internal network, but is not
ideal for today’s more modern networks that support a roaming and
mobile user base on a variety of devices and operating systems.
Additionally, client probing can generate a large amount of network traffic
(based on the total number of mapped IP addresses) and can pose
a security threat when misconfigured. Therefore, client probing
is no longer a recommended method for user mapping. Instead, collect
user mapping information from more isolated and trusted sources,
such as domain controllers and through integrations with Syslog or the XML API, which allow
you to safely capture user mapping information from any device type
or operating system. If you have sensitive applications that require
you to know exactly who a user is, configure Authentication Policy and Captive Portal to ensure
that you are only allowing access to authorized users.
Because client probing trusts data reported
back from the endpoint, it is not a recommended method of obtaining
User-ID information in a high-security network. If you are using
the User-ID agent to parse AD security event logs, syslog messages,
or the XML API to obtain User-ID mappings, Palo Alto Networks recommends
disabling client probing.
If you do choose to use client
probing, do not enable it on external, untrusted interfaces, as
this would cause the agent to send client probes containing sensitive information
such as the username, domain name, and password hash of the User-ID
agent service account outside of your network. This information
could potentially be exploited by an attacker to penetrate the network
to gain further access.
If you do choose to enable probing in your trusted zones, the
agent will probe each learned IP address periodically (every 20
minutes by default, but this is configurable) to verify that the
same user is still logged in. In addition, when the firewall encounters
an IP address for which it has no user mapping, it will send the
address to the agent for an immediate probe.
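The probing lifecycle described above, modelled as an added Python example (not Palo Alto Networks code): learned addresses are re-verified every 20 minutes by default, an unmapped address triggers an immediate probe, and no probe is ever sent to an address outside the configured trusted zones, since the probe would carry the agent service account's credentials. The `probe_fn` callable is a hypothetical stand-in for the WMI/NetBIOS probe and the interval and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROBE_INTERVAL = 20 * 60  # default re-verification interval in seconds; configurable on the agent


@dataclass
class Mapping:
    user: str
    last_verified: float  # time (seconds) the mapping was last confirmed by a probe


class ProbeScheduler:
    def __init__(self, trusted_zones, probe_fn, interval=PROBE_INTERVAL):
        self.trusted = [ip_network(z) for z in trusted_zones]
        self.probe_fn = probe_fn      # hypothetical: callable(ip) -> username or None
        self.interval = interval
        self.mappings = {}            # ip -> Mapping
        self.refused = []             # probes blocked by the trusted-zone check

    def in_trusted_zone(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def probe(self, ip, now):
        # A probe carries the service account's credentials, so it must never
        # leave the trusted zones; refuse rather than probe an external address.
        if not self.in_trusted_zone(ip):
            self.refused.append(ip)
            return None
        user = self.probe_fn(ip)
        if user is None:
            self.mappings.pop(ip, None)   # nobody logged in: drop the stale mapping
        else:
            self.mappings[ip] = Mapping(user, now)
        return user

    def on_traffic(self, ip, now):
        # The firewall saw an IP with no mapping: probe it immediately.
        if ip not in self.mappings:
            return self.probe(ip, now)
        return self.mappings[ip].user

    def periodic(self, now):
        # Re-verify every mapped IP whose last confirmation is older than the interval.
        due = [ip for ip, m in self.mappings.items() if now - m.last_verified >= self.interval]
        for ip in due:
            self.probe(ip, now)
        return due
```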