topic Re: Using User-ID v4, how do I exclude users in certain groups? in General Topics

Using User-ID v4, how do I exclude users in certain groups?

broadleyn — Tue, 09 Oct 2012 10:34:12 GMT

In the old style v3 user-ID agent, I could exclude certain groups of users from being mapped. How do I do so in v4?

Background :

We have certain users in a department group "Infosys" who are being blocked from web browsing. It turns out they're launching an MS tool under administrative credentials and user-ID is matching their IP against this new credential. The policy only allows "infosys" users from browsing, so they're blocked.

The admin credential, called "sccm" is not in the "Infosys" group - it's in the "Sysuser" group. In the Palo Alto policy User Identication/Group Mappings, we've made sure that only Infosys is listed, not Sysuser, but as the IP mapping happens at the agent, it's already too late.

So, how do we replicate the v3 agent configuration of excluding certain group's members from ever being mapped?

Thanks!

p.s. if this doesn't exist any more, we'll just downgrade the agents to the v3 client, I suppose.

Re: Using User-ID v4, how do I exclude users in certain groups?

kadak — Tue, 09 Oct 2012 15:02:51 GMT

Hello,

You can create/ modify ignore_user_list.txt file in the User-ID directory under the Palo Alto Networks Folder.

Here is the link which will guide through the process thoroughly:

https://live.paloaltonetworks.com/docs/DOC-2893

Thanks.

Re: Using User-ID v4, how do I exclude users in certain groups?

broadleyn — Wed, 10 Oct 2012 09:36:10 GMT

Very close, Kadak, thank for that - but still not quite working, sadly.

This ignore_users_list.txt does prevent the sccm user from being mapped to a given IP address, BUT the user agent now simply deletes the IP mapping instead. So I've got 192.168.1.10 mapped as neil.broadley in the User-ID agent and I can see that in the "Monitoring" tool. Then I launch my Windows system tool as the sccm user and... bam! My entry in User-ID is deleted, no mapping exists for my 192.168.1.10 (it vanishes in real time on the "Monitoring" tool) and since I'm not identified, I lose all my web browsing.

Any way to change that behaviour that you know of?

Re: Using User-ID v4, how do I exclude users in certain groups?

bvandivier — Sat, 20 Oct 2012 00:16:18 GMT

What specific version of the User-ID agent are you running? 4.1.(?).

This information will be very helpful in determining expected behavior.

thank you.

Re: Using User-ID v4, how do I exclude users in certain groups?

ExclusiveNetworksGermany — Mon, 22 Oct 2012 10:22:15 GMT

Hi,

this behavior is a known Bug in User Agent 4.1.4 & 4.1.5

Although there is no hint in the Release Notes

it seems that User Agent 4.1.6 is working again.

(as far as i can see in my own tests yet)

Regards

Marco

Re: Using User-ID v4, how do I exclude users in certain groups?

bvandivier — Thu, 29 Nov 2012 19:03:49 GMT

That is correct, there is a known issue with UID Agent 4.1.4 & 4.1.5 wherein the ignore_user_list was not properly observed.

This has been resolved with the release of UID Agent 4.1.6 and should not be an issue with UID Agent version 4.1.3 and earlier.

Re: Using User-ID v4, how do I exclude users in certain groups?

broadleyn — Thu, 06 Dec 2012 12:00:13 GMT

I've applied the 4.1.6 agent to both User-ID servers and updated the ignore_user_list.txt on each. This has resolved the problem. Not sure if this support group ignores, but user ignores will fix the present issue, so this thread is definitely closed. Thanks for your updates, everyone.