PAN AD Useragent - Excluding users?


Hi.

Is it possible to exclude a specific user from the PAN agent configuration?

I know you can filter based on group - unfortunately, the user concerned, which is used for several automated processes, is also a member of AD groups which I can't exclude, so it gets reported every time it runs a background process - which is skewing reporting, as this task reports a lot of traffic when it's not actually the user logged on to the PC.

Can you tell the agent to specifically NOT report a user mapping for this user somehow?

Thanks

1 accepted solution

Accepted Solutions

Not applicable

Hi,

that's a nice easy one. Smiley Happy

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in
which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

I hope that helps,

All the best,

Will


Will.

thanks. I knew there was a way to do it, but I couldn't remember HOW - checked every option in the User agent GUI, but forgot about the text control files.

Working a treat now - appreciate your help.

Cheers.

In which form does the agent expect the items of the list file?

Do I have to put the Active Directory domain in front of the user?

Example:

if "win" is the name of the Active Directory domain and "user" is the username

win\user

or

win/user

or

user

?

I guess multiple users have to be inserted on different lines?

After which time will the exclude list fire?

Hello,

You will have to put the Active Directory Domain in front of the user.  (domain/user)

mhuels wrote:

In which form does the agent expect the items of the list file?

Do I have to put the Active Directory domain in front of the user?

Example:

if "win" is the name of the Active Directory domain and "user" is the username

win\user

or

win/user

or

user

?

I guess multiple users have to be inserted on different lines?

After which time will the exclude list fire?

Just

user

one username per line. The name of the file is "ignore_user.txt", and it needs to be put into the same directory as the "PanAgentService" executable.

Once you create this file, you must stop/start (or restart) the PanAgent service for it to take effect.

Cheers

Neither win/user in ignore_user_list.txt nor user in ignore_user.txt works.

Nothing about "ignore group or user" in the log files. I have the impression the agent ignores the lists

ignore_user_list.txt

ignore_group_list.txt

allow_groups.txt

totally.

I will try to raise the debug level.

Hi There

The file is definitely ignore_user_list.txt

It is definitely just "user", no domain required

If it is not working, please make sure the file is in the User-ID Directory - normally in program files.  Also, make sure the service has been restarted.

Thanks

James
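A script to maintain the list across several agents rather than editing it by hand, as an added example that is not from the thread or from Palo Alto Networks. The install directory and the Windows service name are assumptions to verify on your own server; the strip-domain step reflects James's note that entries are the bare username, one per line, and the restart reflects the note that the file is only read when the service starts.

```powershell
# Added example (not from the thread): add users to the User-ID Agent ignore
# list and restart the agent so the change takes effect.
# Assumptions: $AgentDir and $ServiceName are placeholders; confirm the real
# install directory and service name (Get-Service) on your server.
param(
    [Parameter(Mandatory)] [string[]] $Users,
    [string] $AgentDir    = 'C:\Program Files\Palo Alto Networks\PanAgent',
    [string] $ServiceName = 'PanAgentService'   # assumption: verify with Get-Service
)

# File name exactly as given in the thread
$listPath = Join-Path $AgentDir 'ignore_user_list.txt'

# Existing entries: one username per line, ignore blanks and surrounding whitespace
$existing = @()
if (Test-Path $listPath) {
    $existing = @(Get-Content $listPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$added = @()
foreach ($u in $Users) {
    # The agent wants the bare account name: drop DOMAIN\, DOMAIN/ or @domain if supplied
    $bare = ($u -split '[\\/]')[-1]
    $bare = ($bare -split '@')[0].Trim()
    if (-not $bare) { continue }
    # -notcontains is case-insensitive, which matches Windows account names
    if ($existing -notcontains $bare) {
        $existing += $bare
        $added    += $bare
    }
}

if ($added.Count -eq 0) {
    Write-Host "No new users; $listPath unchanged and $ServiceName not restarted."
    return
}

# Rewrite the whole file: one username per line, plain ASCII
Set-Content -Path $listPath -Value $existing -Encoding Ascii
Write-Host ("Added to ignore list: {0}" -f ($added -join ', '))

# The list is only read at service start, so restart the agent
Restart-Service -Name $ServiceName
Write-Host "Restarted $ServiceName."
```

Mappings the firewall has already learned for an ignored user stay until they age out or are cleared on the firewall, as the thread goes on to show.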

After I put "user" in "ignore_user_list.txt", the agent GUI did not show "user" anymore. But in the PA log viewer some "user" entries still remain. If I test the shown source IP in the agent GUI with "Get IP Information", the GUI says "_unknown_". It seems the PA does not accept "_unknown_" and instead presents the last known username.

I hope that by next Monday there has been enough time for the firewall to time out the old entries. Perhaps I have to reboot the PA firewall?

Sounds like the user is in the cache.

Try this command to clear the offending IP:


jsherlow@PA-4050> clear user-cache ip
  <ip/netmask>  <x.x.x.x/y>

Thanks

James

Mmh.

mhuels@mi2-pan2(active)> show clock

Fri Dec 10 15:43:25 CET 2010

mhuels@mi2-pan2(active)> show user ip-user-mapping ip 10.24.4.25

IP address:  10.24.4.25
User:        unknown
Ident. By:   UNKNOWN
Idle Timeout: 2527s
Max. TTL:    5527s
Groups that user belong to (used in policy)

The log viewer nevertheless shows a user. Please look at the attachment.

Hmmm, indeed I agree that is somewhat strange.

At this point, we'll probably need to jump on your box. Please can you log a support case?

Thanks

James

jsherlow wrote:

Hi There

The file is definitely ignore_user_list.txt

It is definitely just "user", no domain required

If it is not working, please make sure the file is in the User-ID Directory - normally in program files.  Also, make sure the service has been restarted.

Thanks

James

Sorry, my bad - the stupid Win2008 server I have the agent installed on is configured with the equally stupid windows default of hiding extensions, and my brain parsed the _list bit as the extension.

Yes, I have ignore_users_list.txt, and it works fine for me.

Apologies for the misleading post.

All's well that ends well Smiley Happy

Any plans to add Active Directory support for the ignore user list? We have more than a thousand computers working in a kiosk mode that have the "logged in acct" being ignored. We'd love to be able to pass off that admin piece to our NA's but the agent won't parse out users in an ignore group. We are running 3 Agents and are getting tired of adding a user and restarting services each time an acct is created.

Thanks!
