Understanding the Windows Management Instrumentation Client


Windows Management Instrumentation Client

When you configure the integrated user firewall feature on an NFX Series device, the device establishes a Windows Management Instrumentation (WMI)/Distributed Component Object Model (DCOM) connection to the domain controller. The device acts as a WMI client (WMIC), and reads and monitors the security event log on the domain controller. The device analyzes the event messages to generate IP address-to-user mapping information.

All configuration regarding the WMIC is optional; it will function with default values. After the domain is configured (by using the set services user-identification active-directory-access domain statement), the WMIC starts to work. The WMIC connection to the domain controller uses the same user credentials as those configured for the domain.


Integrated user firewall uses NTLMv2 as the default WMIC authentication protocol for security reasons. NTLMv1 exposes the system to attacks in which authentication hashes could be extracted from NTLMv1 authentication responses.

For compatibility with integrated user firewall, you must apply the latest version of the Microsoft SP2 patch if you are running an older version of Windows OS, including Windows 2000, Windows XP, and Windows 2003.

When the WMIC reads the event log on the domain controller, the NFX Series device:

  • Monitors the event log at a configurable interval, which defaults to 10 seconds.

  • Reads the event log for a certain timespan, which you can configure. The default timespan is one hour. At each WMIC startup, the device checks the last timestamp and the timespan. If the last timestamp is older than the current timespan, then the timespan takes effect. After the WMIC and the UserID process start working, the timespan does not apply; the device simply reads the latest event log.

    The device can read the event log to obtain IPv6 addresses in addition to IPv4 addresses.

During WMIC startup, the device has a maximum count of events it will read from the event log, and that maximum is not configurable.

During WMIC startup, this maximum count is used with the timespan setting, so that if either limit is reached, the WMIC stops reading the event log.

Specifying IP Filters to Limit IP-to-User Mapping

You can specify IP filters to limit the IP address-to-user mapping information that the NFX Series device generates from the event log.

To understand when a filter is useful for such mapping, consider the following scenario. A customer deploys 10 devices in one domain, and each device controls a branch. All 10 devices read all 10 branch user login event logs in the domain controller. However, each device is configured to detect only whether the user is authenticated on the branch it controls. When you configure an IP filter on a device, that device reads only the event log information for the IP addresses under its control.

You can configure a filter to include or exclude IP addresses or prefixes. You can specify a maximum of 20 addresses for each filter.
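
The branch scenario above, modelled as an added example (it is not Juniper code or Junos configuration): a Python sketch that applies include and exclude filters to logon events and builds the resulting IP address-to-user mapping for one branch. The exclude-over-include precedence, the event tuples, the user names, and all addresses are assumptions constructed for illustration; only the 20-entry limit and the IPv4/IPv6 support come from the text.

```python
import ipaddress

MAX_FILTER_ENTRIES = 20  # per-filter limit stated in the text above


def parse_filter(entries):
    """Parse IPv4/IPv6 addresses or prefixes, enforcing the 20-entry limit."""
    if len(entries) > MAX_FILTER_ENTRIES:
        raise ValueError(f"{len(entries)} entries; a filter holds at most {MAX_FILTER_ENTRIES}")
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def allowed(ip, include, exclude):
    """Assumed semantics: exclude wins; an empty include list admits every address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in exclude):
        return False
    return not include or any(addr in net for net in include)


def build_mapping(events, include, exclude):
    """Return {ip: user} from (timestamp, user, ip) logon events; latest logon wins."""
    mapping = {}
    for _, user, ip in sorted(events):
        if allowed(ip, include, exclude):
            mapping[str(ipaddress.ip_address(ip))] = user
    return mapping


# Constructed sample data: one branch's ranges and logon events from several branches.
BRANCH_INCLUDE = parse_filter(["10.1.1.0/24", "2001:db8:a::/48"])
BRANCH_EXCLUDE = parse_filter(["10.1.1.250"])
SAMPLE_EVENTS = [
    (100, "alice", "10.1.1.15"),
    (110, "bob", "10.1.2.20"),        # another branch: dropped by the include filter
    (120, "carol", "2001:db8:a::5"),  # IPv6 logon inside this branch
    (130, "erin", "10.1.1.250"),      # excluded address inside the included prefix
    (140, "dave", "10.1.1.15"),       # later logon replaces alice on the same address
]

if __name__ == "__main__":
    for ip, user in build_mapping(SAMPLE_EVENTS, BRANCH_INCLUDE, BRANCH_EXCLUDE).items():
        print(f"{ip} -> {user}")
```

Running a planned filter through a model like this before committing it shows which logons a branch device would keep and which it would silently ignore.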

Event Log Verification and Statistics

You can verify that the authentication table is getting IP address and user information by issuing the show services user-identification active-directory-access active-directory-authentication-table all command. A list of IP address-to-user mappings is displayed for each domain. The table contains no group information until LDAP is running.

You can see statistics about reading the event log by issuing the show services user-identification active-directory-access ip-user-mapping statistics domain command.