User-ID Agent Refresh Interval?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID Agent Refresh Interval?

L4 Transporter

I'm sorry if I've just not spotted it, but is there any documentation on how often the User-ID agent (for Active Directory) updates?

We've just started to implement some policies using groups and I'm not quite clear in my mind how often the PAN checks with the agent, how often the agent checks against Active Directory, and how it all combines.

Is it suggested to use a domain local or a global group?

If I add a user to a group do they have to logoff/on before their membership is picked up by the User-ID Agent?

It's just little things but it would be good to know.



L4 Transporter

Most of the timers are configured on the Agent. If you installed the PanAgent in the default directory you will find an explanation of the timers at C:\Program Files\Palo Alto Networks\PanAgent\User Identification_Agent_Help.chm. The Agent will query the AD security log every 1 second by default. The agent will cache this information for the duration of the "Age-out Timeout" which defaults to 45 minutes. Netbios/WMI probing may flush the cache in less time than the "Age-out" timer. Turning off Netbios/WMI probes will disable the "Age out" timer. If you wish to honor the "Age out" timer but turn off Netbios/WMI, you will need to edit the config file.

The PA firewall will connect to the PanAgent on the designated port once the configuration is committed or after a reboot. The Firewall will immediately request Group and User information.  When traffic flows through the firewall, the FW will make a request to the agent for an IP/User mapping. The FW will then cache this IP/User mapping for one hour. If additional packets are sent from the same user, the cache will be refreshed for another hour.

In this default example, If a user logs in at Time0, the agent sees the login and maps the IP to the user.

At T0 + 30 Minutes, the user sends data through the firewall. The firewall requests an IP to User mapping from the agent and caches 1Hr.

At T0 + 44 Minutes, the user sends more data. The firewall refreshes the cache.

At T0 + 46 Minutes, agent ages out the mapping but the FW still has the IP/User Mapping for 58 Minutes longer.

At T0 + 90 Minutes, the user sends more data. The Firewall cache is expire so it requests an IP mapping to the agent but gets "User Unknown"

This user will remain "Unknown" until he logs back into the domain.

Steve Krall


I am interested in honoring the "age out" timer and having Netbios/WMI turned off.  What lines need to be added to the config file to make that work? Thanks!


L4 Transporter

Thanks Steve.  Can you clarify/expand a little on how it deals with things like group memberships?

Specifically, say I have a rule that references "Group A" and "Joe" calls, and in order to make the rule apply I add Joe to Group A.

At what point (timing, logoffs/logons etc.) would you expect the PAN to be aware that the rule now applies to Joe?

Thanks very much.

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!