User-ID Agent exclusion list

L3 Networker

User-ID Agent exclusion list

Hi All

 

Is it good practice to exclude all server subnets in the exclude list, as I believe we are not interested in administrator-to-IP mapping for servers?

 

What could be the use cases for the exclude list on the firewall and on the User-ID agent?

L7 Applicator

Re: User-ID Agent exclusion list

@faizankhurshid,

This depends on the environment and your security structure. Most environments likely aren't going to utilize User-ID mapping for generating security policies for their server VLAN; others will make it so that only specific service accounts can access certain restricted machines on the network.

We currently restrict what different admin users can access while logged into a server, and what service accounts actually have access to different resources depending on which one is being utilized at that time.

L3 Networker

Re: User-ID Agent exclusion list

@BPry thanks, but do you have any use case where you are using the exclude list on the firewall or on the User-ID agent? I can think of something like a guest user subnet that does not authenticate through the DC, so we can exclude that subnet on the firewall.

L7 Applicator

Re: User-ID Agent exclusion list

@faizankhurshid

Are you talking about excluded networks in the user-id agent configuration or in the zone configuration on the firewall?

L3 Networker

Re: User-ID Agent exclusion list

@vsys_remo actually I am asking about both. What is the difference between the two, and what is the use case of each? Thanks for the help.

L7 Applicator

Re: User-ID Agent exclusion list

The exclude lists only have an effect if you also configure an include list entry. So the exclude entries are only for excluding a subset of the subnets specified in the include list. Specifying only exclude entries results in the exclusion of every network.

The difference between the user-id agent and zone config is ...

L3 Networker

Re: User-ID Agent exclusion list

Thanks, but do you have any use case in mind for why we would want to exclude certain subnets, either at the User-ID agent level or at the zone level on the firewall?

L7 Applicator

Re: User-ID Agent exclusion list

@faizankhurshid,

So an example for this would be something along the lines of this.

Say that I'm using the same IP range across multiple different zones. For example, my 'WSL' zone is 10.0.0.0/8 and I use this for all internal clients; however, I also have a 'DOJ' zone on this firewall that uses the same 10.0.0.0/8 IP range. In this scenario I'm likely going to want to exclude different subnets within that range on each zone. So in the zone's User-ID configuration I might exclude 10.191.0.0/16 on 'WSL' since that's a GUEST network, but on 'DOJ' the GUEST network might be 10.172.0.0/16.

 

Likewise, you could run into a situation where I have a shared IP range across multiple different zones similar to the above example, but they all fall within the same subnet. So for example, if I had settled on all server addresses always using 10.191.190.0/24 within all of the different zones, and I didn't want to enable User-ID on the servers, I might use the User-ID agent exclude list to exclude 10.191.190.0/24 from all User-ID collection across the environment.

 

Hopefully that helps a little bit. 
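As an added example that is not part of the thread and not Palo Alto Networks code, here is a small Python model of the include/exclude rules described in the earlier reply (an exclude entry only narrows an include list; an exclude-only list excludes everything), layered with the per-zone lists from the post above. The function names, the two-layer evaluation order (agent lists first, then the zone's lists) and the sample host addresses are assumptions made for illustration.

```python
# Added example (not from the thread or from Palo Alto Networks): a small
# model of how User-ID include/exclude lists select which source addresses
# get user mappings. Function names and the two-layer evaluation order are
# assumptions made for illustration.
from ipaddress import ip_address, ip_network


def _in_any(addr, nets):
    """True if addr falls inside at least one network in nets."""
    return any(addr in net for net in nets)


def mapping_allowed(ip, include, exclude):
    """Decide whether ip is subject to User-ID mapping under one
    include/exclude list pair.

    Rules modelled (as stated in the thread for the agent and zone lists):
    - no include and no exclude entries: every address is mapped
    - include entries present: only addresses in an include entry are
      mapped, minus any address that also matches an exclude entry
    - exclude entries only: nothing is mapped, because the exclude list
      only narrows an include list and there is none to narrow
    """
    addr = ip_address(ip)
    inc = [ip_network(n) for n in include]
    exc = [ip_network(n) for n in exclude]
    if not inc and not exc:
        return True
    if not inc:
        return False
    if _in_any(addr, exc):
        return False
    return _in_any(addr, inc)


def effective_mapping(ip, zone, agent_lists, zone_lists):
    """Assumed two-layer evaluation: the User-ID agent lists gate which
    mappings are collected at all; the per-zone lists then gate where the
    firewall applies them. Both layers must allow the address."""
    if not mapping_allowed(ip, *agent_lists):
        return False
    zone_include, zone_exclude = zone_lists[zone]
    return mapping_allowed(ip, zone_include, zone_exclude)


# Constructed configuration mirroring the thread's example: both zones
# carry 10.0.0.0/8, each with its own guest /16 excluded at the zone, and
# the shared server /24 excluded once at the agent. The agent list pairs
# the exclude with an include entry, since an exclude-only list would
# stop all collection.
ZONE_LISTS = {
    "WSL": (["10.0.0.0/8"], ["10.191.0.0/16"]),
    "DOJ": (["10.0.0.0/8"], ["10.172.0.0/16"]),
}
AGENT_LISTS = (["10.0.0.0/8"], ["10.191.190.0/24"])
AGENT_EXCLUDE_ONLY = ([], ["10.191.190.0/24"])  # the misconfiguration


def demo():
    """Return (ip, zone, mapped) tuples for a few constructed hosts."""
    hosts = [
        ("10.172.1.1", "WSL"),    # DOJ's guest range, but a client in WSL
        ("10.172.1.1", "DOJ"),    # guest in DOJ: no mapping
        ("10.191.1.1", "WSL"),    # guest in WSL: no mapping
        ("10.191.190.7", "DOJ"),  # server range: excluded by the agent
        ("192.168.1.1", "WSL"),   # outside every include entry
    ]
    return [(ip, zone, effective_mapping(ip, zone, AGENT_LISTS, ZONE_LISTS))
            for ip, zone in hosts]


if __name__ == "__main__":
    for ip, zone, mapped in demo():
        print(f"{ip:>14} in {zone}: {'mapped' if mapped else 'not mapped'}")
    # Exclude-only at the agent silently disables mapping everywhere.
    print("exclude-only agent list maps 10.5.5.5 in WSL:",
          effective_mapping("10.5.5.5", "WSL", AGENT_EXCLUDE_ONLY, ZONE_LISTS))
```

Running it prints which of the constructed hosts would receive a mapping in each zone. The last line is the check worth making before relying on an agent-level exclude list: the server /24 exclusion from the post above only behaves as intended when it sits beside an include entry (here 10.0.0.0/8); an exclude entry on its own disables collection for every address, as the earlier reply pointed out.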

 
