How the User-ID Agent Include/Exclude List Works

57730
Created On 09/25/18 19:43 PM - Last Modified 06/15/23 22:09 PM


Symptom


This article explains how to configure the Include/Exclude list on the User-ID Agent.

Environment


  • User-ID Agent
  • Include / Exclude List


Resolution


Overview

The Include/Exclude list is applied to the networks and hosts that the User-ID Agent identifies users for. The User-ID Agent tries to identify users for any IP range designated as Include, and does not identify users for any network address range designated as Exclude. Note that this is different from the user and group ignore lists: the Include/Exclude list is only concerned with which networks are included in or excluded from user mapping.


Details

If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent. As soon as one entry is added as Include, there is an implicit deny for every other IP address: addresses not covered by an Include entry are no longer mapped. The order of entries in the Include/Exclude list is important, because the list is processed top to bottom and the first matching entry decides.


For example, to exclude the subnet 192.168.1.0/24 while including the larger subnet 192.168.0.0/16 that contains it:

  1. Add the specific subnet 192.168.1.0/24 and designate it as Exclude.
  2. Add the larger, encompassing subnet 192.168.0.0/16 and designate it as Include.


Note: If the rules in the above example were reversed, with the Include rule on top, the User-ID Agent would match 192.168.0.0/16 first and allow mapping for the whole range; the Exclude rule for 192.168.1.0/24 would never be reached and would be disregarded.
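The following Python script is an added illustration of the evaluation order described above; it is not code from Palo Alto Networks or from the User-ID Agent itself, but a constructed model of the rules the article states (top-to-bottom processing, first match wins, implicit deny once an Include entry exists, empty list maps everything). The function names, the entry representation as (network, action) tuples, and the sample IP addresses are assumptions made for the example. It also goes slightly beyond the text with a shadowed_entries check that flags an entry that can never match because a broader entry sits above it, which is exactly the misordering the note warns about; the treatment of a list that contains only Exclude entries (other addresses still mapped) is my reading of the article, not something it states outright.

```python
import ipaddress

# Constructed model of the Include/Exclude list semantics (added example, not
# vendor code). Each entry is a (network, action) tuple, action is "include"
# or "exclude", and the list is evaluated in order.


def should_map(ip, entries):
    """Return True if the User-ID Agent would map users at `ip` under `entries`."""
    addr = ipaddress.ip_address(ip)
    if not entries:
        return True  # empty list: users on any network are mapped
    for network, action in entries:
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"  # first matching entry decides
    # No entry matched. Once an Include entry exists, everything else is
    # implicitly denied. With only Exclude entries present, the address is
    # still mapped (assumption based on the article's wording).
    has_include = any(action == "include" for _, action in entries)
    return not has_include


def shadowed_entries(entries):
    """Return entries that can never match because an earlier entry covers them.

    This is the misordering described in the note: a broad Include placed
    above a narrower Exclude makes the Exclude unreachable.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n, _ in entries]
    shadowed = []
    for i, net in enumerate(nets):
        for earlier in nets[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append(entries[i])
                break
    return shadowed


# The article's worked example, in the correct order and reversed.
CORRECT_ORDER = [
    ("192.168.1.0/24", "exclude"),  # specific subnet first
    ("192.168.0.0/16", "include"),  # encompassing subnet second
]
REVERSED_ORDER = list(reversed(CORRECT_ORDER))

# Constructed sample addresses: inside the excluded /24, elsewhere in the
# included /16, and outside both.
SAMPLE_IPS = ("192.168.1.25", "192.168.50.7", "10.0.0.5")


def evaluate(entries, ips=SAMPLE_IPS):
    """Map each sample IP to whether it would be mapped under `entries`."""
    return {ip: should_map(ip, entries) for ip in ips}


if __name__ == "__main__":
    for name, entries in (("correct", CORRECT_ORDER), ("reversed", REVERSED_ORDER)):
        print(name, evaluate(entries), "shadowed:", shadowed_entries(entries))
```

Running the script shows that with the correct order 192.168.1.25 is not mapped, 192.168.50.7 is mapped, and 10.0.0.5 is implicitly denied, while with the reversed order 192.168.1.25 is mapped and the Exclude entry is reported as shadowed. The shadowed_entries check is a cheap sanity test to run over any list before deploying it.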

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail