<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Agentless User-ID Question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101423#M44508</link>
    <description>&lt;P&gt;Thanks! I started to look into this a little more and found a better article than what I was seeing previously. Our system engineer just asked why it was hitting the DCs so often since he had to allocate more resources to them; I didn't have the answer since I thought the probing setting was when it was going out to the server and requesting the user-id information, not every 2 seconds.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 08 Aug 2016 19:59:05 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2016-08-08T19:59:05Z</dc:date>
    <item>
      <title>Agentless User-ID Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101230#M44436</link>
      <description>&lt;P&gt;So I've been under the impression that our PA-3020s contact the ADDC servers to authenticate users every 20 minutes when it's set up to do a probe; then caches this information locally so that it isn't constantly hammering the servers with WMI requests. I've been told that this isn't the case and that they are hitting the server every few seconds. Is there somewhere where I can tell the 3020s to simply look at the cached information unless it identifies a user not in the cache, or the 20 minute window is hit and it needs to go and check for new users/groups?&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've included a screenshot of both the User Identification field, everything under the actual LDAP server settings are set as follows; Bind Timeout=30 / Search Timeout= 10 / Retry Interval= 60.&lt;/P&gt;&lt;P&gt;Is this something that can actually be modified to use the cache or will it by default do a WMI query every time?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 749px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/5079i9330486768B24528/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Aug 2016 15:20:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101230#M44436</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-08-04T15:20:58Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101421#M44506</link>
      <description>&lt;P&gt;WMI probing is for the end clients, not the domain controllers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As indicated by your screenshot, the firewall probes the DCs every 2 seconds for any new event IDs; the firewall will then only keep the 4 that it needs for the passive IP to user ID attribution.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What are you trying to limit? &amp;nbsp;Are your DCs being overworked? &amp;nbsp;The highest you'd probably want to extend that query time out to would probably be 15 seconds. &amp;nbsp;Though 15 seconds might be too long and if your user was quick enough you might have a user that tries to access the Internet or whatever you're mandating user attribution for, before that 15 second timer.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Aug 2016 17:38:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101421#M44506</guid>
      <dc:creator>Brandon_Wertz</dc:creator>
      <dc:date>2016-08-08T17:38:54Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101423#M44508</link>
      <description>&lt;P&gt;Thanks! I started to look into this a little more and found a better article than what I was seeing previously. Our system engineer just asked why it was hitting the DCs so often since he had to allocate more resources to them; I didn't have the answer since I thought the probing setting was when it was going out to the server and requesting the user-id information, not every 2 seconds.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Aug 2016 19:59:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-question/m-p/101423#M44508</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-08-08T19:59:05Z</dc:date>
    </item>
  </channel>
</rss>

