When configuring a security policy, what is a best practice for User-ID?
When configuring a security policy for User-ID, a best practice is to deny WMI traffic from the User-ID agent to any external zone. WMI (Windows Management Instrumentation) probing is used to actively gather data from Windows systems to create IP-user mappings. Allowing WMI traffic to external zones can pose a security risk as it trusts the data from potentially untrusted endpoints, thereby increasing the attack surface. Hence, denying WMI traffic to any external zone helps to maintain the integrity and security of the User-ID mappings.
Only enable User-ID on trusted zones. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0
If WMI probing is used, it should not be enabled on external untrusted interfaces.
D. Deny WMI traffic from the User-ID agent to any external zone. WMI, or Windows Management Instrumentation, is a mechanism that can be used to actively probe managed Windows systems to learn IP-user mappings. Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. On sensitive and high-security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers.
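The answers above agree on the rule: WMI probing from the User-ID agent must never be able to reach an external zone, while probing of trusted sources such as domain controllers inside the trusted zone may still be needed. The following is an added example, not code from the original page or from Palo Alto Networks, that checks an ordered first-match rulebase for exactly that exposure and shows the corrected rulebase beside the weak one. Zone names, addresses and rule names are constructed assumptions; the App-ID "msrpc" exists on PAN-OS, and treating "wmi" as a second name for WMI traffic is also an assumption.

```python
"""Audit a first-match security rulebase for User-ID WMI probing exposure.

Added example (not the page's or Palo Alto Networks' code). Rules are
modelled after a PAN-OS security rulebase: ordered, first match wins,
and an unmatched interzone flow falls through to the default deny.
Zone names, addresses and rule names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# WMI probing rides on DCOM/MSRPC. PAN-OS identifies that traffic with the
# App-ID "msrpc"; treating "wmi" as a second name for it is an assumption.
WMI_APPS = {"msrpc", "wmi"}


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    sources: Set[str]       # source addresses, or {"any"}
    applications: Set[str]  # App-IDs, or {"any"}
    action: str             # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, app: str) -> bool:
        def hit(allowed: Set[str], value: str) -> bool:
            return "any" in allowed or value in allowed
        return (hit(self.from_zones, src_zone) and hit(self.to_zones, dst_zone)
                and hit(self.sources, src_ip) and hit(self.applications, app))


def first_match(rules: List[Rule], src_zone: str, dst_zone: str,
                src_ip: str, app: str) -> Optional[Rule]:
    """First-match evaluation; None means the implicit interzone default deny."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, app):
            return rule
    return None


def audit_wmi_exposure(rules: List[Rule], agent_zone: str, agent_ips: Set[str],
                       external_zones: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (agent_ip, zone, app, rule_name) for every WMI flow from a
    User-ID agent to an external zone that the rulebase would allow."""
    findings = []
    for ip in sorted(agent_ips):
        for zone in sorted(external_zones):
            for app in sorted(WMI_APPS):
                rule = first_match(rules, agent_zone, zone, ip, app)
                if rule is not None and rule.action == "allow":
                    findings.append((ip, zone, app, rule.name))
    return findings


def harden(rules: List[Rule], agent_zone: str, agent_ips: Set[str],
           external_zones: Set[str]) -> List[Rule]:
    """Prepend an explicit deny so it is evaluated before any broad allow.
    It is scoped to external zones only, so probing of trusted sources
    (domain controllers in the agent's own zone) is left untouched."""
    deny = Rule("deny-userid-wmi-to-external", {agent_zone}, set(external_zones),
                set(agent_ips), set(WMI_APPS), "deny")
    return [deny] + list(rules)


# Constructed sample: a common weak rulebase with a catch-all outbound allow.
AGENT_ZONE = "trust"
AGENT_IPS = {"10.10.1.5"}            # constructed User-ID agent address
EXTERNAL_ZONES = {"untrust", "dmz"}  # constructed external zones

WEAK_RULEBASE = [
    Rule("allow-userid-to-dc", {"trust"}, {"trust"}, {"10.10.1.5"}, {"msrpc", "ldap"}, "allow"),
    Rule("allow-outbound-any", {"trust"}, {"untrust", "dmz"}, {"any"}, {"any"}, "allow"),
]
HARDENED_RULEBASE = harden(WEAK_RULEBASE, AGENT_ZONE, AGENT_IPS, EXTERNAL_ZONES)

if __name__ == "__main__":
    for label, rulebase in (("weak", WEAK_RULEBASE), ("hardened", HARDENED_RULEBASE)):
        findings = audit_wmi_exposure(rulebase, AGENT_ZONE, AGENT_IPS, EXTERNAL_ZONES)
        print(f"{label}: {len(findings)} WMI flow(s) from the agent to external zones allowed")
        for ip, zone, app, name in findings:
            print(f"  {ip} -> zone {zone} app {app} allowed by rule '{name}'")
```

The weak rulebase reports four allowed flows, all caught by the catch-all outbound rule; the hardened rulebase reports none, while the agent's MSRPC traffic to domain controllers inside the trust zone still matches the allow rule, which is the split the answers above recommend.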