The UserID agent makes periodical queries to the database to search for user logon/logoff events. The search is performed only on the records obtained through UserID sources, i.e. other records (obtained through WMI sensors, endpoint devices, or log collectors) are ignored. Based on the obtained data, it searches for the user in the user catalogs of the log source. If the user is found, the user authorization data is sent to all NGFW devices specified in the source redistribution profile. Thus, the user is authorized on all the specified devices. It is similar in case of the user logout (except for Microsoft Active Directory, where user logout data is not processed at the moment). The information about logon/logoff/error is stored in the UserID log.
How it works
Note Events received from sources are displayed in the UserID logs on the Logs and reports.