One thing that I've found (we use "kiosk" machines logged in with an AD account set to be ignored) is that if a user with a "normal" (i.e.: not ignored) AD account logs in to the computer and then logs out, that "normal" account is cached in perpetuity because the "ignored" account login record on the domain controller is ignored.
Ex.: PC Kiosk1 and AD domain account "ignored1" set to ignore (via AD group membership and adding that group in User Agent as an ignore group), therefore can force a captive portal authentication to ensure appropriate web access is given to whomever may use that PC (without logging in/out). PC support tech JDOE logs in to the PC (CTRL-ALT-DEL, login, etc.), does his thing and logs out. Ignored1 logs in, but now all Internet activity from that PC and the Internet access permissions are the ones that JDOE had. The IP-to-user cache for KIOSK1 is not cleared out.
Maybe bad form, but I'm bumping this as I would like input from more knowledgeable folks on the problem described: the permanent caching of a "good" account on computers that are in kiosk mode and logged in with "ignored" accounts. See example below:
PC Kiosk1 and AD domain account "ignored1" set to ignore (via AD group membership and adding that group in User Agent as an ignore group), therefore can force a captive portal authentication to ensure appropriate web access is given to whomever may use that PC for Internet access (without logging in/out of the PC itself). PC support tech JDOE logs in to the PC (CTRL-ALT-DEL, login, etc.), does his thing and logs out. The Ignored1 account is used to log in, but now all Internet activity from that PC and the Internet access permissions are the ones that JDOE had. The IP-to-user cache for KIOSK1 is not cleared out.
Any solutions to this problem?
We use a home-grown app that users have to authenticate with to access the Internet. There is a child process running that waits for the user to close IE. When the browser closes we send a security event with a generic "logged" user so that the PAN knows the user context has changed. We also have a Single Sign-On solution that works roughly the same. You just need to find a way to send a security event to the domain controllers when the user walks away.
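The kiosk problem described above and the "send a generic event at logout" fix can be reasoned about with a small model of the IP-to-user table. The following is an added illustration, not code from this thread or from Palo Alto Networks: it models only what the posts state (logon events for ignored accounts are dropped, so the table keeps the previous real user; a mapping ages out after the default 45 minutes; a generic logon event replaces the real user's mapping). The IP address, the user names, the `placeholder` name and case-insensitive matching of the ignore list are assumptions made for the example.

```python
"""Toy model of a User-ID style IP-to-user table fed by logon events.

Added example for this thread, not Palo Alto Networks code. It reproduces the
kiosk symptom (a real user's mapping survives an ignored account's logon) and
the posted fix (send a generic logon event when the real user leaves).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class UserIdMapper:
    """One (user, last_seen) entry per IP, replaced by each accepted logon."""
    ignore_users: Set[str]
    timeout_s: int = 45 * 60  # the thread states a 45 minute default
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _ignored(self, user: str) -> bool:
        # Assumption: the ignore list is matched case-insensitively on the bare name.
        return user.lower() in {u.lower() for u in self.ignore_users}

    def logon(self, ip: str, user: str, now: float) -> bool:
        """Handle a logon event. Returns True if the table changed."""
        if self._ignored(user):
            return False  # event dropped: the IP keeps whatever mapping it had
        self.table[ip] = (user, now)
        return True

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Return the user currently mapped to ip, expiring stale entries."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen >= self.timeout_s:
            del self.table[ip]  # aged out, as the 45 minute default would do
            return None
        return user


KIOSK_IP = "10.0.0.5"      # constructed address for the kiosk PC
IGNORED = {"ignored1"}     # the kiosk account from the thread


def scenario_without_fix() -> Optional[str]:
    """Tech logs in, kiosk account logs back in: the tech's mapping survives."""
    m = UserIdMapper(IGNORED)
    m.logon(KIOSK_IP, "jdoe", now=0)          # support tech logs in
    m.logon(KIOSK_IP, "ignored1", now=300)    # kiosk account logs in; dropped
    return m.lookup(KIOSK_IP, now=600)        # still "jdoe"


def scenario_with_fix(placeholder: str = "logged") -> Optional[str]:
    """Same sequence, but a generic event is sent when the tech logs out."""
    m = UserIdMapper(IGNORED)
    m.logon(KIOSK_IP, "jdoe", now=0)
    m.logon(KIOSK_IP, placeholder, now=240)   # generic user sent at logout
    m.logon(KIOSK_IP, "ignored1", now=300)    # dropped as before
    return m.lookup(KIOSK_IP, now=600)        # now the placeholder user


def scenario_age_out() -> Optional[str]:
    """With no further events the mapping only disappears after the timeout."""
    m = UserIdMapper(IGNORED)
    m.logon(KIOSK_IP, "jdoe", now=0)
    return m.lookup(KIOSK_IP, now=45 * 60)    # None once 45 minutes have passed


if __name__ == "__main__":
    print("without fix:", scenario_without_fix())
    print("with fix:   ", scenario_with_fix())
    print("after 45m:  ", scenario_age_out())
```

The model makes the cause visible: ignoring an account removes the only event that would have replaced the kiosk's stale mapping, so something else (a logoff or generic logon event, or the timeout) has to do it.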
Sorry for the bump, but in addition to this.
Is it possible to use wildcards or regexps for ignoring users?
In our situation we have a lot of users who have a second account to do administrative tasks (runas); this second username starts with "a_".
It would be nice if I could just add "domain\a_*" to the ignore list. (Tried it, but it didn't work.)
Is there another way, besides creating a group and adding all these users to this group? In my opinion this is more a workaround than a solution. Thanks in advance.
The ignore_user_list.txt file does not support the use of the domain prepend, wildcards or regex.
If you would like to see this feature added to the user identification feature please talk to your sales team so that they can file a feature request on your behalf.
The ignore_user_list.txt file requires one user name per line with no domain prepend.
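Because entries like "domain\a_*" are silently not honoured, it is worth linting the file before deploying it. The following checker is an added example, not Palo Alto Networks code; it encodes only the rules stated in the reply above (one user name per line, no domain prepend, no wildcards or regular expressions). Treating the UPN form (user@domain) and case-insensitive duplicates as problems is an assumption made here, and the sample file content is constructed.

```python
"""Lint an ignore_user_list.txt against the format the User-ID agent expects.

Added example for this thread, not Palo Alto Networks code. Rules taken from
the thread: one user name per line, no domain prepend, no wildcards or regex.
"""
from typing import Dict, List, Tuple

# Characters that only make sense in a wildcard or regular expression, which
# the file does not support according to the thread.
PATTERN_CHARS = set("*?[](){}|^$+")


def lint_ignore_list(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, entry, problem) for each entry that will not be
    honoured as written. An empty list means the file matches the format."""
    problems: List[Tuple[int, str, str]] = []
    seen: Dict[str, int] = {}  # lower-cased entry -> first line it appeared on
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        if "\\" in entry or "/" in entry:
            problems.append((lineno, entry,
                             "domain prepend (DOMAIN\\user) is not supported; "
                             "use the bare user name"))
            continue
        if "@" in entry:
            # Assumption: a UPN (user@domain) is not a bare user name either.
            problems.append((lineno, entry,
                             "UPN form (user@domain) is not a bare user name"))
            continue
        if PATTERN_CHARS & set(entry):
            problems.append((lineno, entry,
                             "wildcards and regular expressions are not "
                             "supported; list each user explicitly"))
            continue
        if len(entry.split()) > 1:
            problems.append((lineno, entry, "only one user name per line"))
            continue
        key = entry.lower()  # assumption: Windows user names compare case-insensitively
        if key in seen:
            problems.append((lineno, entry, f"duplicate of line {seen[key]}"))
            continue
        seen[key] = lineno
    return problems


# Constructed sample mixing valid entries with the mistakes discussed above.
SAMPLE = (
    "ignored1\n"
    "kiosk_svc\n"
    "DOMAIN\\a_jdoe\n"   # domain prepend
    "domain\\a_*\n"      # domain prepend plus wildcard (the request in the thread)
    "a_*\n"              # wildcard
    "svc backup\n"       # two names on one line
    "Ignored1\n"         # duplicate of line 1 (case-insensitive)
)


if __name__ == "__main__":
    for lineno, entry, problem in lint_ignore_list(SAMPLE):
        print(f"line {lineno}: {entry!r}: {problem}")
```

Run against the sample, the checker reports lines 3 to 7 and accepts the two bare user names, which is exactly the set of entries the agent would honour.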
How long does it take the user information to age out of the firewall itself?
I added a system account to the ignore_user_list.txt file and while the user agent is no longer visible when I retrieve the IP listing in the UIA application, when I log into the firewall and issue a show user pan-agent user-IDs match-user systemaccountname command, it still appears.
I performed this action about 14 or 15 hours ago, so I figured that it would have aged out of the firewalls by now.
Any help would be appreciated!
The default is 45 min, but check config.xml under the User Agent directory; if it's configured incorrectly it will never time out.
The agent should be restarted.
Is there a way that we can use *\username in the security policy in Palo Alto?
We could see traffic from different domains for the same user ID, so if we can use *\username it can eliminate this problem.
Not sure if Palo Alto allows adding this format to the security policy.