https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21486#M15690 <HTML><HEAD></HEAD><BODY><P>On the bottom of the User-ID setup screen you can enter exclude addresses that will be ignored for user-ID.</P></BODY></HTML> Mon, 03 Aug 2015 00:13:25 GMT pulukas 2015-08-03T00:13:25Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21485#M15689 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Is there a way in PanOS 6.1.x to manually map&nbsp; a user-id to an ip-address.</P><P></P><P>Or is there a way to set an IP-address to be exempt from the user-id mapping policy.</P><P></P><P>I have PA-500s being staged behind a generic firewall inside a production network with a PA-3000 on the perimeter. The PA-500s NAT their external connections via the generic firewall and cannot establish connection to the PA update server without connecting a laptop behind the generic fw and authenticating via the captive portal.</P><P></P><P>Regards,</P><P>Charles</P></BODY></HTML> Sun, 02 Aug 2015 23:45:11 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21485#M15689 Charles_Cabico 2015-08-02T23:45:11Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21486#M15690 <HTML><HEAD></HEAD><BODY><P>On the bottom of the User-ID setup screen you can enter exclude addresses that will be ignored for user-ID.</P></BODY></HTML> Mon, 03 Aug 2015 00:13:25 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21486#M15690 pulukas 2015-08-03T00:13:25Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21487#M15691 <HTML><HEAD></HEAD><BODY><P>Thanks Steven. Just to confirm that if I follow this route, then I would need to explicitly define all networks to be user-id'd under the include action.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4651">How the User-ID Agent Include/Exclude List Works </A></P></BODY></HTML> Mon, 03 Aug 2015 05:55:13 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21487#M15691 Charles_Cabico 2015-08-03T05:55:13Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21488#M15692 <HTML><HEAD></HEAD><BODY><P>Yes, once you setup this section it is comprehensive on both exclude and include networks.</P></BODY></HTML> Mon, 03 Aug 2015 10:51:17 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21488#M15692 pulukas 2015-08-03T10:51:17Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21489#M15693 <HTML><HEAD></HEAD><BODY><P>Or you can also add an exception policy for your PA500 ip address in the top of captive portal policies. Just need to configure action as "no-captive-portal" </P><P></P><P>from: PA500_IP -Trust</P><P>To: any -Untrust</P><P>Actions: no-captive-portal</P><P></P><P>you cand test the policy using the following command</P><P>test cp-policy-match from &lt;value&gt;|&lt;any&gt; to &lt;value&gt;|&lt;any&gt; source &lt;ip/netmask&gt; destination &lt;ip/netmask&gt;</P><P></P><P>Regards,</P><P>G</P></BODY></HTML> Wed, 05 Aug 2015 19:40:12 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21489#M15693 glastra1 2015-08-05T19:40:12Z https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21490#M15694 <HTML><HEAD></HEAD><BODY><P>Keep in mind that the Agents process the include / exclude networks list in a top-down fashion just like the firewalls do policy.&nbsp; What I did to keep from having to manually identify all of the networks I wanted to include, is I put all of my excludes at the top and then created 3 include entries to cover all of the RFC1918 addresses.</P></BODY></HTML> Wed, 05 Aug 2015 19:42:44 GMT https://live.paloaltonetworks.com/t5/general-topics/static-user-id-to-ip-address-mapping/m-p/21490#M15694 MRosloniec 2015-08-05T19:42:44Z