Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

WMI polling failures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

WMI polling failures

Not applicable

Is anyone experiencing WMI polling failures? We're using user id agent 3.1 with PAN OS 4.1.3 to support Kerberos and leverage our MS AD group based security rules in the PAN, but WMI polling has been incosistent. All appropriate permissions exist, but I've seen the user id wmi poll fail but when I run a WMI poll by hand using a Perl script we wrote it works and identifies the user appropraitely (same machine, same login, everything).


I’ve seen polling being initiated from the same system with the same account have inconsistent results: sometimes it fails with a “netbios disabled” error in the log and immediately after it works (via a manual WMI polling perl script we made). Any ideas? As mentioned, the account has necessary permissions (domain admin). I was thinking traffic levels, which would fail the manual probe too though I think, but reaching out and seeing if anyone has ever seen something similar.

4 REPLIES 4

L4 Transporter

Hello Jasbeck,


I have not seen any reports of WMI polling failures that are not related to permissions.


It is possible the WMI probes are getting blocked on the network. Have you confirmed with client packet captures that the workstation is receiving the probes from the user-id agent?


Also have you been able to test with user-id agent 4.1.x to see if issue is still present?


If so, I would recommend opening a support case to further investigate the issue.

- Stefan

Hi Stefan,

I thought permissions and network ACLs as well at first, but here's the crux: the user id agent fails the WMI poll, but I can manually run a WMI poll from command line and it polls correctly (using same computer, same account as user id service, etc...). So it's not a permissions nor a networking issue. It's intermittent as well to add to the problem.

We have not installed the new agent as we are leveraging Kerberos instead of LDAP for user to group mappings. We have plans to move to the newer agent and use LDAP instead of Kerberos, but not at this time.

Hi Jasbeck,


The next steps I would suggest would be to enable 'Verbose' logging on the agent and gather simultaneous packet captures from the client and the machine running the user-id agent.

- Stefan

I've opened a ticket but it's been in "reasearch" since 19 March. Hence my open post to here to see what other ideas folks may have.

  • 5669 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!