topic Re: User-ID Agent exclusion list in General Topics

User-ID Agent exclusion list

faizankhurshid — Thu, 17 May 2018 16:17:38 GMT

Hi All

Is it good practice to exlude all server subnets in exclude list as I believe we are not interested in administrators to IP mapping for servers?

What could be the user cases for exlcude list on firewall and user-id-agent?

Re: User-ID Agent exclusion list

BPry — Thu, 17 May 2018 16:41:28 GMT

@faizankhurshid,

This depends on the enviroment and your security structure. Most enviroments likely aren't going to utilize user-id mapping for generating security policies for their server VLAN; others will make it so that only specific service-accounts can access certain restricted machines on the network.

We currently restrict what different admin users can access while logged into a server; and what service-accounts actually have access to different resources depending on which one is being utilized at that time.

Re: User-ID Agent exclusion list

faizankhurshid — Thu, 17 May 2018 18:33:08 GMT

@BPry thanks but do you have any use case where you are using exclude list on firewall or user-id-agent? I can think of like guest user subnet that are not authenticating through DC so we can exclude that subnet on firewall.

Re: User-ID Agent exclusion list

Remo — Thu, 17 May 2018 19:32:31 GMT

@faizankhurshid

Are you talking about excluded networks in the user-id agent configuration or in the zone configuration on the firewall?

Re: User-ID Agent exclusion list

faizankhurshid — Thu, 17 May 2018 20:22:29 GMT

@Remo actually I am asking about both? what is the difference between two and use case of both. Thanks for the help

Re: User-ID Agent exclusion list

Remo — Thu, 17 May 2018 23:07:35 GMT

The exclude lists only have an effect if you configure also an include list entry. So the exclude entries are only for exclusion of a subset of the subnets specified in the include list. Specifying only exclude entries result in an exclusion of any network.

The difference between the user-id agent and zone config is ...

User-ID agent configuration applies globally to the user-id configurstion and also for the redestribution feature. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/user-identification/device-user-identification-user-mapping/include-or-exclude-subnetworks-for-user-mapping
Zone User-ID configuration applies only to that zone where you configure include/exclude entries. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-zones/building-blocks-of-security-zones#id15b17daf-f222-447c-bfee-a0c4cb8ae9f7

Re: User-ID Agent exclusion list

faizankhurshid — Fri, 18 May 2018 00:16:25 GMT

Thanks but do you have any use case in mind why we want to exclude certain subnets either at user-id-agent level or zone level on firewall?

Re: User-ID Agent exclusion list

BPry — Fri, 18 May 2018 04:57:55 GMT

@faizankhurshid,

So an example for this would be something along the ways of this.

Say that I'm using the same IP range across multiple different zones. For example my 'WSL' zone is 10.0.0.0/8 and I use this for all internal clients, however I also have a 'DOJ' zone on this firewall that also uses the same 10.0.0.0/8 IP range. In this scenario I'm likely going to want to exclude different subnets within that range on each zone. So on the Zone's User-ID configuration I might exclude 10.191.0.0/16 on 'WSL' since that's a GUEST network, but on 'DOJ' the GUEST network might be 10.172.0.0/16.

Likewise you could run into a situation where I have a shared IP range across multiple different zones similar to the above example, but they all fall within the same subnet. So for example if I had settled on all server addresses always using 10.191.190.0/24 within all of the different zones, and I didn't want to enable User-ID on the servers, I might use the User-ID Agent Exclude list to exclude 10.191.190.0/24 from all user-id collections across the enviroment.

Hopefully that helps a little bit.