https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20754#M15160 <HTML><HEAD></HEAD><BODY><P>Looking over the agent documentation again, I don't see any way you can prevent this behavior in the current tools.&nbsp; The agent is directly reading the AD login information and using this to update the ip address associations.</P><P></P><P>There are some LDAP filtering ability on the firewall configuration for the purpose of browsing group names and contents.&nbsp; But there does not seem to be any similar browse on the Agent to restrict updates.</P><P></P><P>Essentially, what you need is a way to exclude a portion of the AD tree from logging ip address updates at login.</P><P></P><P>I think you need to contact your Sales team and put in a feature request for this function.</P></BODY></HTML> Sun, 02 Feb 2014 14:15:25 GMT pulukas 2014-02-02T14:15:25Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20753#M15159 <HTML><HEAD></HEAD><BODY><P>Hey all -</P><P>I work for a very large global organization.&nbsp; Our design for User-ID is such that some locations can use the UID Agent, others can't - and so they use the Agentless, on-box UID.&nbsp; One issue we have is that we have thousands of what we call "common" and "job" (or, process) accounts that some people use to access remote machines from their machine, map drives to remote machines with, and run local background processes with.</P><P></P><P>The problem is that when those accounts authenticate, to AD it's a successful login from the user's computer.&nbsp; That being said, it overwrites their User-to-IP mapping in the firewall and things that they should have access to, they no longer have access to because the account that the Firewall thinks they're logged in as is blocked.&nbsp; Since the UID Agent / Agentless does not accept / process wildcards, that put us into a management nightmare scenario...From everything I can find, just about our only option is to create a seriously large list of these accounts and maintain it.&nbsp; It won't be so difficult from the UID Agent perspective because it's just a txt file with one entry per line, however, with many of our locations being Agentless, it presents one heck of a nightmare. </P><P></P><P>My question is - has anyone else come upon a similar scenario?&nbsp; And, if so, how are you handling it?</P><P></P><P>Does anyone else have any other suggestions?&nbsp; I thought that the Agent / Agentless could ignore users based on a group that I tell it to ignore but that also does not appear to be the case.. (One thought was to put all these accounts in a common group to use for this purpose).</P><P></P><P>Thanks a bunch!!</P><P></P><P>Matt</P></BODY></HTML> Thu, 30 Jan 2014 17:58:25 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20753#M15159 MRosloniec 2014-01-30T17:58:25Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20754#M15160 <HTML><HEAD></HEAD><BODY><P>Looking over the agent documentation again, I don't see any way you can prevent this behavior in the current tools.&nbsp; The agent is directly reading the AD login information and using this to update the ip address associations.</P><P></P><P>There are some LDAP filtering ability on the firewall configuration for the purpose of browsing group names and contents.&nbsp; But there does not seem to be any similar browse on the Agent to restrict updates.</P><P></P><P>Essentially, what you need is a way to exclude a portion of the AD tree from logging ip address updates at login.</P><P></P><P>I think you need to contact your Sales team and put in a feature request for this function.</P></BODY></HTML> Sun, 02 Feb 2014 14:15:25 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20754#M15160 pulukas 2014-02-02T14:15:25Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20755#M15161 <HTML><HEAD></HEAD><BODY><P>From the description, this sounds like it may be an issue with monitoring server session reads. Just so I understand the flow, is the following correct?</P><P></P><OL><LI>User is logged into their workstation, and is correctly mapped to the IP of that workstation. </LI><LI>User maps a drive to a share on a server using different credentials and the mapping is updated based on that information causing an issue with the rule set.</LI></OL><P></P><P>In the above case, you can disable server session reads to resolve the issue. Please let me know if there is more to this.</P></BODY></HTML> Mon, 03 Feb 2014 07:01:42 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20755#M15161 cstancill 2014-02-03T07:01:42Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20756#M15162 <HTML><HEAD></HEAD><BODY><P>You are correct - we have server session read enabled.&nbsp; Really I was enabling this to help provide more coverage (in case someone slipped past the AD logon) but, seeing as how it can cause this problem as I have outlined it may be best to disable it.&nbsp; Thanks for the suggestion!&nbsp; I will disable it and test it out some more.</P></BODY></HTML> Mon, 03 Feb 2014 16:53:09 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20756#M15162 MRosloniec 2014-02-03T16:53:09Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20757#M15163 <HTML><HEAD></HEAD><BODY><P>Hi Matt,</P><P></P><P>I've got a similar scenario at one of my customers. Did disabling the server session read help you, or did you come up with a different solution?</P><P></P><P>In my case, I also want to ignore events from admin and service accounts that actually creates entries in the security logs on the DC, so disabling server session read won't be a good enough solution for me.</P><P></P><P>Any input would be appreciated!</P><P></P><P>- Tor</P></BODY></HTML> Tue, 10 Mar 2015 11:56:06 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/20757#M15163 torm 2015-03-10T11:56:06Z https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/77747#M42698 <P>The 7.0.3 agent now supports wildcards in the ignore_user_list.</P> Mon, 09 May 2016 19:03:59 GMT https://live.paloaltonetworks.com/t5/general-topics/complex-user-id-scenario-ideas-solutions/m-p/77747#M42698 gwesley 2016-05-09T19:03:59Z