Palo Alto – Disable Client Probing Now

Palo Alto advises against turning it on. While the documentation warns against using it on “high-security networks,” this could be better taken as a caution against using it on any network where security is an issue.

You can read Palo Alto’s article here:

From Palo Alto:
Palo Alto Networks does not recommend using client probing due to the following potential risks:
—Because client probing trusts data reported back from the endpoint, it can expose you to security risks when misconfigured. If you enable it on external, untrusted interfaces, this would cause the agent to send client probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. If you do not configure the service account correctly, the credentials could potentially be exploited by an attacker to penetrate the network to gain further access.
—Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but is not ideal for today’s more modern networks that support a roaming and mobile user base on a variety of devices and operating systems.
—Client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses).

WMI and/or NetBIOS are used to probe clients. NetBIOS is a multicast name resolution system that is extremely harmful on any network, and it is always recommended that it be disabled across the whole organization. When reading Palo Alto’s documentation on client probing, the dangers become even more evident.

If your network has a rogue attacking machine, this function will send the domain, username, and encrypted password hash to that rogue device every 20 minutes. This implies that if the firewall detects an unknown system on the network, it will attempt to connect to the device immediately and do so every 20 minutes by default. This is unfavorable.

My recommendation:
Disable Client Probing –  Use one of their recommended solutions, trusted domain controllers along with Syslog (if the Syslog is an option, if not, use trusted domain controllers).

Below is what Palo Alto recommends:
Instead, Palo Alto Networks strongly recommends using the following alternate methods for user mapping:
—Using more isolated and trusted sources, such as domain controllers and integrations with Syslog or the XML API, to safely capture user mapping information from any device type or operating system.
—Configuring Authentication Policy and Authentication Portal to ensure that you only allow access to authorized users.