PAN AD Useragent - Excluding users?

L4 Transporter

PAN AD Useragent - Excluding users?

Hi.

Is it possible to exclude a specific user from the PAN agent configuration?

I know you can filter based on group. Unfortunately, the user concerned, which is used for several automated processes, is also a member of AD groups which I can't exclude, so it gets reported every time it runs a background process. This is skewing reporting, as this task reports a lot of traffic when it's not actually the user logged on to the PC.

Can you tell the agent to specifically NOT report a user mapping for this user somehow?

Thanks

Not applicable

Re: PAN AD Useragent - Excluding users?

Hi,

That's a nice easy one. :)

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

I hope that helps,

All the best,

Will

L4 Transporter

Re: PAN AD Useragent - Excluding users?

Will.

Thanks. I knew there was a way to do it, but I couldn't remember HOW - checked every option in the User agent GUI, but forgot about the text control files.

Working a treat now - appreciate your help.

Cheers.

L3 Networker

Re: PAN AD Useragent - Excluding users?

In which form does the agent estimate the items of the listfile?


Do I have to put the Active Directory Domain in front of the user?

Example:

if "win" is the name of the Active Directory Domain and "user" is the username

win\user

or

win/user

or

user

?

I guess multiple users have to be inserted on different lines?

After what time will the excluding list fire?

L3 Networker

Re: PAN AD Useragent - Excluding users?

Hello,

You will have to put the Active Directory Domain in front of the user.  (domain/user)

L4 Transporter

Re: PAN AD Useragent - Excluding users?

mhuels wrote:

In which form does the agent estimate the items of the listfile?


Do I have to put the Active Directory Domain in front of the user?

Example:

if "win" is the name of the Active Directory Domain and "user" is the username

win\user

or

win/user

or

user

?

I guess multiple users have to be inserted on different lines?

After what time will the excluding list fire?

Just

user

one username per line. The name of the file is "ignore_user.txt", and it needs to be put into the same directory as the "PanAgentService" executable.

Once you create this file, you must stop/start (or restart) the PanAgent service for it to take effect.

Cheers

L3 Networker

Re: PAN AD Useragent - Excluding users?

Neither win/user in ignore_user_list.txt nor user in ignore_user.txt works.

Nothing to see about "ignore group or user" in the logfiles. I have the impression the agent ignores the lists

ignore_user_list.txt

ignore_group_list.txt

allow_groups.txt

totally.

I will try to elevate the debug-level.

L4 Transporter

Re: PAN AD Useragent - Excluding users?

Hi There

The file is definitely ignore_user_list.txt

It is definitely just "user", no domain required

If it is not working, please make sure the file is in the User-ID Directory - normally in program files.  Also, make sure the service has been restarted.

Thanks

James

L3 Networker

Re: PAN AD Useragent - Excluding users?

After I put "user" in "ignore_user_list.txt", the agent GUI did not show "user" anymore. But in the PA-logviewer some "user" still remains. If testing the shown source-ip in the agent GUI with "Get IP Information", the GUI says "_unknown_". It seems the PA does not accept "_unknown_" and presents the last known username instead.

I hope that until next Monday is time enough for the firewall to time out the old rememberings. Perhaps I have to reboot the PA firewall?

L4 Transporter

Re: PAN AD Useragent - Excluding users?

Sounds like the user is in the cache.

Try this command to clear the offending IP:


jsherlow@PA-4050> clear user-cache ip
  <ip/netmask>  <x.x.x.x/y>

Thanks

James
