<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ignoring Users in Mapping in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219419#M63368</link>
    <description>&lt;P&gt;If the users are being learned, you have probing enabled: when an unknown IP connects to the firewall, the firewall will ask the UserID agent for information. If it does not have a mapping and probing is enabled, it will then probe the IP and detect the local account.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Probing has pros and cons: it will also periodically probe existing mappings and if a user has logged out or moved to a new IP (wifi roaming), the no-longer-active session/unused IP will be cleared from mapping. This helps prevent other users swooping in and abusing the previous user's mapping access.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So the best option is to simply exclude the admin accounts from being registered, through the ignore_user_list.txt&lt;/P&gt;</description>
    <pubDate>Wed, 27 Jun 2018 08:39:30 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2018-06-27T08:39:30Z</dc:date>
    <item>
      <title>Ignoring Users in Mapping</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219397#M63364</link>
      <description>&lt;P&gt;Howdy,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similar.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have noticed recently that some users are logging in with a local computer account and then obviously being able to browse the internet, falling into a catch-all rule for 'Known Users' which is required.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It was suggested, as an option, that we try to not learn them as 'Known Users' etc. However, I am not sure how we would handle that in our case.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The problem is that the workstation name is not constant like if the user were coming in with their domain\username, so the users are appearing as below in the user mapping tables:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;User: mn2343234\administrator&lt;BR /&gt;User: mn12345\administrator&lt;BR /&gt;User: mn56789\administrator&lt;/P&gt;&lt;P&gt;etc etc&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if I am reading things correctly, the only way to stop this access is that we would need to somehow make that text file the agent uses on the server dynamic and populate it with computer name/username items one per line, then restart the agent to apply the settings? Is there another easier way to ignore these users?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jun 2018 04:06:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219397#M63364</guid>
      <dc:creator>PIRSA</dc:creator>
      <dc:date>2018-06-27T04:06:11Z</dc:date>
    </item>
    <item>
      <title>Re: Ignoring Users in Mapping</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219419#M63368</link>
      <description>&lt;P&gt;If the users are being learned, you have probing enabled: when an unknown IP connects to the firewall, the firewall will ask the UserID agent for information. If it does not have a mapping and probing is enabled, it will then probe the IP and detect the local account.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Probing has pros and cons: it will also periodically probe existing mappings and if a user has logged out or moved to a new IP (wifi roaming), the no-longer-active session/unused IP will be cleared from mapping. This helps prevent other users swooping in and abusing the previous user's mapping access.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So the best option is to simply exclude the admin accounts from being registered, through the ignore_user_list.txt&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jun 2018 08:39:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219419#M63368</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-27T08:39:30Z</dc:date>
    </item>
    <item>
      <title>Re: Ignoring Users in Mapping</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219520#M63390</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;One option would be to use user-id in your allow internet browsing policy. Then anyone who is not a 'domain user' would not be able to browse the internet. In the past I used the group 'Domain User'; if anything fell outside of it, it would fall into a more stringent policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jun 2018 17:12:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ignoring-users-in-mapping/m-p/219520#M63390</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-06-27T17:12:23Z</dc:date>
    </item>
  </channel>
</rss>

