https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9617#M7045 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've got an installation with approx 70k+ users, where user-id is an important factor. I want to ignore all user with prefix adm or svc in the user name(admin and service accounts) from user-id, to avoid getting unwanted ip-user-mappings. I have the option to both use agentless and agent on windows server. There are so many admin and service accounts, that adding one by one in a txt file or in the cli on the fw simply isn't an option.</P><P></P><P>I've searched a lot for this both in articles here and the admin guides, but I can't find a good solution. Does anybody have a smart way to solve this issue? I.e. scripting or something else?</P><P></P><P>Any input would be appreciated, as this is really becoming a pain...</P><P></P><P>Regards,</P><P></P><P>Tor</P></BODY></HTML> Tue, 10 Mar 2015 13:12:46 GMT torm 2015-03-10T13:12:46Z https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9617#M7045 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've got an installation with approx 70k+ users, where user-id is an important factor. I want to ignore all user with prefix adm or svc in the user name(admin and service accounts) from user-id, to avoid getting unwanted ip-user-mappings. I have the option to both use agentless and agent on windows server. There are so many admin and service accounts, that adding one by one in a txt file or in the cli on the fw simply isn't an option.</P><P></P><P>I've searched a lot for this both in articles here and the admin guides, but I can't find a good solution. Does anybody have a smart way to solve this issue? I.e. scripting or something else?</P><P></P><P>Any input would be appreciated, as this is really becoming a pain...</P><P></P><P>Regards,</P><P></P><P>Tor</P></BODY></HTML> Tue, 10 Mar 2015 13:12:46 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9617#M7045 torm 2015-03-10T13:12:46Z https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9618#M7046 <HTML><HEAD></HEAD><BODY><P>Hi Tor,</P><P></P><P>The LDAP search string for this is quite easy:</P><P></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">"(&amp;(objectCategory=person)(objectClass=user)(!cn=adm*)<SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">(!cn=svc*)</SPAN>)"</SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">This filter can be used under User Identification -&gt; Group Mapping -&gt; Server Profile -&gt; User objects</SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">The User-ID Best Practice guide also says:</SPAN></P><P></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">"The Group Include List can then be used to filter which groups from the LDAP servers are displayed in the Firewall Policy Interface. This also filters which users are tracked in the firewall logs. If a user does not belong to one of these groups, the firewall will not record the users name in the various logs."</SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/6591-102-5-22672/User-ID_Best_Practices-6.pdf" style="font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;" title="https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/6591-102-5-22672/User-ID_Best_Practices-6.pdf">https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/6591-102-5-22672/User-ID_Best_Practices-6.pdf</A></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">Is this helpful for you?<BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">Regards,<BR /></SPAN></P><P><SPAN style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">- Kim<BR /></SPAN></P></BODY></HTML> Tue, 10 Mar 2015 13:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9618#M7046 Kim_Hansen 2015-03-10T13:25:56Z https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9619#M7047 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Nice to know, but it's unfortunately not what I'm looking for. This would help in narrowing down the ldap part of user-id (group-mapping), but not the IP-user-mapping part.</P><P></P><P>I need a way to filter away ip-user-mappings containing a prefix(i.e. adm or svc). Using the ignore_user_list.txt in agent or "set user-id-collector ignore-user" in agentless does not scale in a large environment.</P><P></P><P>Regards,</P><P>Tor</P></BODY></HTML> Tue, 10 Mar 2015 13:48:53 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9619#M7047 torm 2015-03-10T13:48:53Z https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9620#M7048 <HTML><HEAD></HEAD><BODY><P>you can try using a tool like powershell and save the output in a text file (be careful with that amount of users can impact the server performance)</P><P></P><P><A href="http://windowsitpro.com/systems-management/find-users-get-aduser" title="http://windowsitpro.com/systems-management/find-users-get-aduser">Find Users with Get-ADUser | Systems Management content from Windows IT Pro</A></P><P></P><P>After checking the correct name format you just rename the file 'ignore_user_list.txt' and put it in the Installation agent folder. This can be a workaround, because of your many users this could impact the User agent performance (better to run it in a dedicated server) and also I couldn't find the maximum excluded users the file can contain.</P><P>I advise you to contact your SE to create a feature request to filter out user to IP mapping based on wildcards.</P><P></P><P>Regards,</P><P>G</P></BODY></HTML> Fri, 07 Aug 2015 16:15:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ignore-multiple-users-agentless-or-agent/m-p/9620#M7048 glastra1 2015-08-07T16:15:41Z