WMI probing to Known IP addresses are not initiated by the User-ID agent or Palo Alto Networks firewall (when configured with Agentless User-ID).
Note: Agentless User-ID was introduced in PAN-OS 5.0.
The Palo Alto Networks firewall has two types of WMI probes:
Initial probes - occur during the initial pull of user-IP mappings.
Periodic probes - occur regularly from the firewall after the initial pull.
The User-ID agent pulls all the user-ip mappings when it connects to the Active Directory. After the User-ID agent retrieves all the information, the Palo Alto Networks firewall then performs an initial probe to all known and unknown IP addresses. If the initial probe doesn't receive any response from an IP, the firewall doesn't probe this address again. Also, the firewall does not add unresponsive IPs to the periodic probes list, which are sent every minute. Clients that respond to the initial probes are added to the periodic probes list and get probed regularly.
The Palo Alto Networks firewall probes the unresponsive IPs at the next initial pull of the user-IP mappings, which is typically performed at the connection of the agent or after the user-IP mappings time out.