User ID Probing

Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User- ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User- ID mappings, Palo Alto Networks recommends disabling WMI probing. If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.

For additional resources regarding BPA, visit our LIVEcommunity BPA tool page.

View videos regarding BPA Network best practice checks.

View videos regarding BPA Policies best practice checks.

View videos regarding BPA Objects best practice checks.

View videos regarding BPA Device best practice checks.

You may also view other BPA video playlist on the LIVEcommunity YouTube channel.