https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15161#M11126 <HTML><HEAD></HEAD><BODY><P>Hi Joshua,</P><P></P><P>Could you try using individual set commands for each user you are adding to the ignore list?&nbsp; You may want to clear the ignore list prior to the test with "delete user-id-collector ignore-user".</P><P></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">set user-id-collector ignore-user "domain\test1"</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">set user-id-collector ignore-user test1</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">set user-id-collector ignore-user "domain\user"</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">set user-id-collector ignore-use</SPAN>r user</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Thanks,</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">-- Kevin<BR /></SPAN></P></BODY></HTML> Wed, 09 Jan 2013 19:00:05 GMT kfindlen 2013-01-09T19:00:05Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15158#M11123 <HTML><HEAD></HEAD><BODY><P>I've been working on trying to configure all the firewalls with the Agentless User-ID setup but despite several attempts to enable it I cannot get it to ignore users.</P><P></P><P>I establish a session and enter config mode and type in the command <EM>set user-id-collector ignore-user [ domain\serviceaccount ]</EM> then commit the changes and despite doing so I still see all my normal user ID mappings being overwritten with domain\serviceaccount</P><P></P><P>I tried clearing the mapping cache and when the list starts repopulating I'm still seeing entries only for the domain\serviceaccount </P><P></P><P>I also tried several methods of entering the accounts such as matching case and without the domain but it still refuses to match the list, the only thing I haven't tried is entering something like <EM>cn=Service Account,cn=Users,dc=domain,dc=com</EM> but I really think at this point if nothing I've done before hasn't worked that this will not work either.</P><P></P><P>I'm not sure what I'd doing wrong and I cannot seem to find anything in the release notes or KnowledgePoint leading me to believe that there are known issues or it doesn't work so I'm open to suggestions.</P></BODY></HTML> Tue, 08 Jan 2013 18:41:47 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15158#M11123 jfarm 2013-01-08T18:41:47Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15159#M11124 <HTML><HEAD></HEAD><BODY><P>Hi Joshua, </P><P>Is it a multi vsys system by any change. </P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">If you have multiple vsys, depending on what vsys you need to add the ignore list you can use the following command</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">#Set vsys vsys1 user-id-collector ignore-user [ AD2008\test1 test1 ]</P><P></P><P>Also i have worked with a customer and it did work for me. I am not sure why it is not working for you. Try adding both user with domain and with domain.</P><P></P><P>Hopefully that helps.</P><P></P><P>Thanks</P><P>Numan</P></BODY></HTML> Tue, 08 Jan 2013 20:06:38 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15159#M11124 mbutt 2013-01-08T20:06:38Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15160#M11125 <HTML><HEAD></HEAD><BODY><P><SPAN>I have tried every combination of entering the AD account names except for something like </SPAN><A class="jive-link-email-small" href="mailto:test1@ad2008.com">test1@ad2008.com</A><SPAN> or cn=test1, dc=ad2008, dc=com or something like that.</SPAN></P><P></P><P>This particular firewall itself does not have any configured virtual systems as well so I am entering the command set user-id-collector ignore-user [ domain\test1 test1 Domain\Test1 Test1 ] to account for with and without the domain and to confirm that the system is not case sensitive as well.</P><P></P><P>I'll continue to look around and see if there is anything else I may be missing.</P></BODY></HTML> Wed, 09 Jan 2013 14:34:40 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15160#M11125 jfarm 2013-01-09T14:34:40Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15161#M11126 <HTML><HEAD></HEAD><BODY><P>Hi Joshua,</P><P></P><P>Could you try using individual set commands for each user you are adding to the ignore list?&nbsp; You may want to clear the ignore list prior to the test with "delete user-id-collector ignore-user".</P><P></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">set user-id-collector ignore-user "domain\test1"</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">set user-id-collector ignore-user test1</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">set user-id-collector ignore-user "domain\user"</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">set user-id-collector ignore-use</SPAN>r user</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Thanks,</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">-- Kevin<BR /></SPAN></P></BODY></HTML> Wed, 09 Jan 2013 19:00:05 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15161#M11126 kfindlen 2013-01-09T19:00:05Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15162#M11127 <HTML><HEAD></HEAD><BODY><P>Hi Joshua, </P><P></P><P>Another thing to make sure is that you clear the user ip mapping after you have created the ignore user list entry.</P><P>I see above you did clear it but was it before committing the changes or after.</P><P></P><P>Thank you</P><P>Numan</P></BODY></HTML> Wed, 09 Jan 2013 19:13:42 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15162#M11127 mbutt 2013-01-09T19:13:42Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15163#M11128 <HTML><HEAD></HEAD><BODY><P>Here are the steps I have been following</P><P></P><P>1. log into CLI session and add all the entries to the ignore list</P><P>2. verify the entries via the Web UI are showing up properly in the candidate config context view</P><P>3. Stop the User-ID agent running on the local file print server.</P><P>3. From the CLI run the commit command.</P><P>4. Wait for confirmation the config has applied</P><P>5. Issue from the CLI clear user-cache all</P><P>6. After that I issue from the CLI show user ip-user-mapping all | match utilityaccount which shows entries for all the local IP addresses that should be identified by local users.</P><P></P><P>So I disable the agentless config and re-enable the Application based User-ID agent to make sure the user entries are not overwritten with the service account.</P></BODY></HTML> Wed, 09 Jan 2013 20:52:41 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15163#M11128 jfarm 2013-01-09T20:52:41Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15164#M11129 <HTML><HEAD></HEAD><BODY><P>On another one of our firewalls we had multiple vsys objects defined but went back to just one, I tried the above steps and this firewall doesn't observe the ignore list either so knowing this FW did have a second vsys at one point I tried the command like so:</P><P>fwadmin@PA-4050# set vsys vsys1 user-id-collector ignore-user</P><P></P><P>Invalid syntax.</P><P></P><P>It doesn't appear to like the command when entered with the "vsys vsys1" part.</P></BODY></HTML> Fri, 18 Jan 2013 14:34:53 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-processing-ingore-user-list/m-p/15164#M11129 jfarm 2013-01-18T14:34:53Z