Best Way to use User-ID Agent.

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Way to use User-ID Agent.

L2 Linker

Hey everyone,

I have been bashing my head onug how I can cleaninly use the USer-ID agent.. I wanted to stop WMI or event exclude internal vlans as I thoht it was used just for VPN. But its not its used to map source user info in the log files of the firewalls...

Thing is when I have it enabled it probes everything! Gateways, iPhones, S4's ipads, etc. If I exclude the internal VLANS or disable WMI probing it will stop the multiple DCOM errors from failed WMI probes.

My user agent version is 5.0.3-4

I was suggested from my support guy to try and change the internal VLAN range to just the DHCP pool range, but it still probes iPhones and S4 and other non windows devices and creates a DCOM 10009 on my member server.

This is driving me crazy, I still want User source info to work on the firewall logs but I want to stop the constant DCOM erros flooding my member server event log.

I don't want to manually specify each device and exclude it (way to much work) and then it won't work with mobile devices cause once the DHCP lease ends it will getis a new IP and this Idea falls apart anyway.

What can I possible do to keep Source User info in my firewall logs and not get insane amount of DCOM errors? Just to note In 4 months we got 160,000 DCOM errors in event log.

Any and all suggestions is appreciated.


L6 Presenter

Have you seen this doc yet?

User-ID Best Practices - PAN-OS 5.0, 6.0

This outlines several options for mapping users to IPs. In particular, if you have AD environment I would consider reading security logs method over WMI if you want to avoid the inherent chattiness of probing. There are other options as well such as using MS Exchange or if running 6.0.x, using syslog for ip-user mappings.


Thank you so much for your response!

I have not seen that one specifically, I did catch a different one, but I'll review the link you provided. And will post my results, or my solution to help resolve the issue.

Also, I attempted to look for the latest User-ID agent, there was no update option on the agent itself, and wasn't able to find anything in the firewall web interface. Where does one grab the latest agent? and is there something required to be configured on the PaloAlto for the latest version to work?

Thanks again!

Hello Zewwy,

Please refer the below link to upgrade the User-id agent to latest version

How to Upgrade User-ID Agent?



I was able to find where to get the latest agent, and how to update, which is nice...

But I can't for the life of me figure out how to get user to IP mappings done without WMI probing enabled.

I realized once I finished reading the Best Practices PDF that I have read that PDF before, but its all "Heres what it can do" but not "Heres how to setup each way"

I made a change to the service account that was suppose to be used to map IP to User by checking the Secuirty Log monitor and this account was missing the "Event Log Readers" membership.

I will once again disable WMI probing and will report back if mappings are still working without WMI probing (hope so) these DCOM errors are so annoying.

Thanks guy!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!