- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-19-2012 10:59 AM
Is anyone experiencing WMI polling failures? We're using user id agent 3.1 with PAN OS 4.1.3 to support Kerberos and leverage our MS AD group based security rules in the PAN, but WMI polling has been incosistent. All appropriate permissions exist, but I've seen the user id wmi poll fail but when I run a WMI poll by hand using a Perl script we wrote it works and identifies the user appropraitely (same machine, same login, everything).
I’ve seen polling being initiated from the same system with the same account have inconsistent results: sometimes it fails with a “netbios disabled” error in the log and immediately after it works (via a manual WMI polling perl script we made). Any ideas? As mentioned, the account has necessary permissions (domain admin). I was thinking traffic levels, which would fail the manual probe too though I think, but reaching out and seeing if anyone has ever seen something similar.
03-22-2012 02:33 PM
Hello Jasbeck,
I have not seen any reports of WMI polling failures that are not related to permissions.
It is possible the WMI probes are getting blocked on the network. Have you confirmed with client packet captures that the workstation is receiving the probes from the user-id agent?
Also have you been able to test with user-id agent 4.1.x to see if issue is still present?
If so, I would recommend opening a support case to further investigate the issue.
- Stefan
03-22-2012 03:01 PM
Hi Stefan,
I thought permissions and network ACLs as well at first, but here's the crux: the user id agent fails the WMI poll, but I can manually run a WMI poll from command line and it polls correctly (using same computer, same account as user id service, etc...). So it's not a permissions nor a networking issue. It's intermittent as well to add to the problem.
We have not installed the new agent as we are leveraging Kerberos instead of LDAP for user to group mappings. We have plans to move to the newer agent and use LDAP instead of Kerberos, but not at this time.
03-22-2012 10:23 PM
Hi Jasbeck,
The next steps I would suggest would be to enable 'Verbose' logging on the agent and gather simultaneous packet captures from the client and the machine running the user-id agent.
- Stefan
03-26-2012 10:19 AM
I've opened a ticket but it's been in "reasearch" since 19 March. Hence my open post to here to see what other ideas folks may have.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!