Problem with PANOS UserID Agent and client probing using WMI.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Problem with PANOS UserID Agent and client probing using WMI.

L1 Bithead

I am having some difficulty configuring our PAN environment to take advantage of the User-ID feature.

The current configuration is as follows:

  • "Enable User Identification" has been selected on all zones where user identification is required
  • A PAN200 device is configured as a User-ID Agent and redistribution point (only the Mgt interface is being used on this device)
  • The receiving firewalls have been configured with the details of the PAN200 UID Agent

I can manually update the PAN200 with user / IP data using the vb scripts provided by PAN (nickp) and via the RESTful API and the data is distributed to the receiving firewalls. However, I would like to use the WMI client probing feature and was under the impression that if the receiving firewall doesn't have a mapping for a given IP address it would request the UID Agent to collect it on it's behalf. This doesn't seem to work. I have entered appropriate credentials within the WMI configuration page on the PAN200 and have enabled 'Client Probing'. I have run the command "wmic /node:remotecomputer computersystem get username" from my desktop with the credentials entered in the WMI section for a given remotecomputer and I get a result so I am confident the user permissions are correct.

Where have I gone wrong? What changes are necessary? Which logs should I investigate?

Any assistance would be welcome.

6 REPLIES 6

L6 Presenter

How did you test wmi is not working ? what timeout values are you using for wmi and user identification ?

Dont forget that PaloAlto will send a probe to each learned IP address in its list to verify that the same user is still logged in when you use wmi.

So, the probe interval is 20 mins and the user identification timeout value is 45 mins for WMI settings under the User Mapping. To give you an idea of the size of the environment, there are around 2500 Windows clients.

I know WMI is not working as the PAN200 device is not updating it's mapping information i.e. it shows only the mapping information for the user / IP address mapping I sent to it via the RESTful api:

https://pan200ipaddress/api/?type=user-id&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="lab\test1" ip="192.168.1.1"/></login></payload></uid-message>

It seems to me that either the receiving firewalls are not 'asking' the PAN200 to carry out the WMI probe or the PAN200 is unable to for whatever reason. The PAN200 is configured on the internal client network so there isn't an issue with network filtering. I should also state that the PAN200 is only linked to the network using it's mgt interface - there are no other connections.

what do you see output

debug user-id dump probing-stats

So, on the PAN200 (UID Agent) the result is:

PAN wmi.jpgI

this is not normal.Wmi is not working.you have to see last and next values

change timeouts to 60/10 and look that stat again.

you have to open a case if not change.

also check

Thanks for your assistance Panos. The issue is now solved.

It seems that if you enable WMI client probing on the policy enforcement firewalls (i.e. not the PAN200 which is being used as a UID agent) the probes do in fact take place. So it stands to reason that PANOS UID Agent does not carry out a WMI probe on behave of the policy enforcement firewalls. This behaviour is not very well documented.

  • 5506 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!