PA-5050, Agent-less user-id to AD, exclusions not working?

L1 Bithead


Working on setting up a 5050 with User-ID mapping against 2 domain controllers. The agentless, WMI-based setup is working fine thus far, except I can't figure out how to exclude certain IP ranges.

For instance, we have a VPN appliance that does Kerberos authentication to the AD domain. Every time a user logs in, it associates the IP of the device requesting authentication as a User-ID mapping. I'd like to just exclude that device from ever being learned, along with the domain controllers and some other servers themselves.

I have tried a few different includes/excludes on all the zones with UID turned on, but it doesn't seem to stop those IPs from being learned.

PAN-OS 5.0.2


Accepted Solutions
L1 Bithead

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

It's working. The addresses were coming back after I cleared the cache. I just had to wait it out. Just impatient. Sorry for the bum question!



All Replies
L5 Sessionator

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

You can use the Include/Exclude Networks section to ignore mapping for certain networks:

[Attachment: ignore.JPG (screenshot of the Include/Exclude Networks list)]

L1 Bithead

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

I tried that. But that makes it so the mapping isn't learned from the AD servers themselves.

Example: AD servers at 10.0.0.1/16 and 10.0.0.2/16. I don't want to learn who is logged onto the AD servers, or any other server in the 10.0.0.0/16 subnet, only clients in another subnet. I put exclude 10.0.0.0/16 in that list and then NOTHING gets learned except the IPs from RADIUS accounting. Just seems like it is malfunctioning somehow.

EDIT: IIRC, that made it so it wouldn't discover the AD servers themselves, because the servers in the box above disappeared shortly afterwards.

EDIT2: To clarify. If I have 10.0.0.0/16 and AD servers 10.0.0.1/10.0.0.2 and other misc servers or appliances at 10.0.0.20-25, I do not want a username to ever be associated with IPs 10.0.0.1, 10.0.0.2, 10.0.0.20-25.

L4 Transporter

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

L1 Bithead

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

Looking to ignore IPs, not users. Certain IPs I don't want to ever be associated with a user.

L4 Transporter

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

Almost the same syntax:

set user-id-collector include-exclude-network

L1 Bithead

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

I just did it. The same thing happened. All the IPs learned from the AD servers in the excluded range went away. I'm not completely clear on what enabled and discovery are for. They seem to have differing functions.

L5 Sessionator

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

If you have 10.0.0.0/16 as part of the exclude network, any IP in this range will not have an associated IP-user mapping. Anything not part of this, say 192.168.0.0/16, that is learned from your server should have a mapping.

Discovery is to define the include or exclude list.

The Enable option lets you enable the above option (include/exclude). If you do not have this checked, the include/exclude list will not take effect.

L1 Bithead

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

I'm going to leave it overnight. I think, maybe, I'm just impatient... LOL.

That, and I had to put a final allow line at the bottom...

L4 Transporter

Re: PA-5050, Agent-less user-id to AD, exclusions not working?

Have you tried adding the single IP addresses with a /32 subnet? So...

10.0.0.1/32
10.0.0.2/32
10.0.0.20/32
10.0.0.21/32
10.0.0.22/32
10.0.0.23/32
10.0.0.24/32
10.0.0.25/32
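Putting the two suggestions in this thread together (per-host /32 excludes for the DCs and appliances, plus the explicit final allow line the original poster said he ended up adding), here is an added example of what that list looks like in the configure-mode CLI, followed by the operational commands to check it. This is not from the thread or from Palo Alto Networks' own documentation: the entry names (`no-uid-dc1` and so on) are made up, 192.168.0.0/16 is borrowed from the reply above as a stand-in for the real client subnet, and it assumes a single-vsys box; on a multi-vsys PA-5050 the same `user-id-collector` paths sit under `set vsys vsysN` instead.

```text
configure
set user-id-collector include-exclude-network no-uid-dc1 discovery exclude enabled yes network 10.0.0.1/32
set user-id-collector include-exclude-network no-uid-dc2 discovery exclude enabled yes network 10.0.0.2/32
set user-id-collector include-exclude-network no-uid-appl20 discovery exclude enabled yes network 10.0.0.20/32
set user-id-collector include-exclude-network no-uid-appl21 discovery exclude enabled yes network 10.0.0.21/32
set user-id-collector include-exclude-network no-uid-appl22 discovery exclude enabled yes network 10.0.0.22/32
set user-id-collector include-exclude-network no-uid-appl23 discovery exclude enabled yes network 10.0.0.23/32
set user-id-collector include-exclude-network no-uid-appl24 discovery exclude enabled yes network 10.0.0.24/32
set user-id-collector include-exclude-network no-uid-appl25 discovery exclude enabled yes network 10.0.0.25/32
set user-id-collector include-exclude-network uid-clients discovery include enabled yes network 192.168.0.0/16
commit
exit
show user server-monitor state all
clear user-cache all
show user ip-user-mapping ip 10.0.0.1
show user ip-user-mapping all
```

Two things to keep in mind when checking the result. Committing the list does not purge mappings already in the cache; they stay until they time out, which is why the excluded addresses lingered for the poster, and `clear user-cache all` drops them immediately (along with every legitimate mapping, which then has to be relearned from the DC security logs, so run it when a short gap in user-based policy is acceptable). Once the list is in effect, `show user ip-user-mapping ip 10.0.0.1` should return nothing while client addresses in 192.168.0.0/16 still show up; because the list now contains an include entry, any other client subnet needs its own include line or its mappings will be dropped too. `show user server-monitor state all` confirms the WMI connection to both DCs is still up, so an empty mapping table is a list problem rather than a monitoring problem.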
