<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic User-ID ignored user list not being respected in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-ignored-user-list-not-being-respected/m-p/429269#M94852</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We leverage a deployment software at our organization and when a computer is having software deployed or is being scanned for inventory by this software a service account does a network logon to create a temp service to run the process. This process generates a logon event on our domain controllers and maps the IP of the device being scanned/deployed to the service account on the firewall. This has created some issues with security policies on our firewall as we leverage user-id for most policies. The fix for this seems to be to add the service account to the ignore user list in the user-id configuration and we have successfully done this config on one HA pair of firewalls, however we went to do the same on another pair of firewalls and I continue to see sessions established with the service account as the source user. I have the account added to the list in the same format it is displayed on the traffic logs "domain\user", this is also how we have it successfully set up on the other pair of firewalls. Any ideas on what may be causing the service account to continue to show up on this pair of firewalls?&lt;/P&gt;</description>
    <pubDate>Wed, 25 Aug 2021 20:13:17 GMT</pubDate>
    <dc:creator>sellington</dc:creator>
    <dc:date>2021-08-25T20:13:17Z</dc:date>
    <item>
      <title>User-ID ignored user list not being respected</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-ignored-user-list-not-being-respected/m-p/429269#M94852</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We leverage a deployment software at our organization and when a computer is having software deployed or is being scanned for inventory by this software a service account does a network logon to create a temp service to run the process. This process generates a logon event on our domain controllers and maps the IP of the device being scanned/deployed to the service account on the firewall. This has created some issues with security policies on our firewall as we leverage user-id for most policies. The fix for this seems to be to add the service account to the ignore user list in the user-id configuration and we have successfully done this config on one HA pair of firewalls, however we went to do the same on another pair of firewalls and I continue to see sessions established with the service account as the source user. I have the account added to the list in the same format it is displayed on the traffic logs "domain\user", this is also how we have it successfully set up on the other pair of firewalls. Any ideas on what may be causing the service account to continue to show up on this pair of firewalls?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Aug 2021 20:13:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-ignored-user-list-not-being-respected/m-p/429269#M94852</guid>
      <dc:creator>sellington</dc:creator>
      <dc:date>2021-08-25T20:13:17Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID ignored user list not being respected</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-ignored-user-list-not-being-respected/m-p/429564#M94919</link>
      <description>&lt;P&gt;Looks like I am no longer seeing new sessions initiated with that source user. I am guessing what I was observing was user-id mappings made before I excluded the service account that had not timed out yet.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 22:19:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-ignored-user-list-not-being-respected/m-p/429564#M94919</guid>
      <dc:creator>sellington</dc:creator>
      <dc:date>2021-08-26T22:19:19Z</dc:date>
    </item>
  </channel>
</rss>

