User-ID for DNS

L1 Bithead


We have a server that has nobody logged into it and all the DNS traffic from that server is showing as a certain user sending the traffic. Is there any way to exclude this server from User-ID or another way to remove the user from this traffic?

[Screenshot attached: user-id dns.png]


Accepted Solutions
L2 Linker

Re: User-ID for DNS

You can try to exclude that PC's IP under User ID Agent >>> Discovery >>> Include/Exclude Networks.

Add Exclude Specified Network >>> configure the PC IP addr with /32 mask.

Check if that works.

Regards,

Rahul Singh



All Replies
L4 Transporter

Re: User-ID for DNS

Hi senspersons

I guess that this is a Windows server with some service running with a user account. In the example it is "scott".

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called "ignore_user_list.txt" in the directory in which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

The ignore_user_list.txt file requires one user name per line with no domain prepended.

e.g.

joesmith

janedoe

administrator

av-admin

Also, you may want to clear the user cache via the CLI.

admin@PA-2050> clear user-cache
> all   Clear all ip to user cache in data plane
> ip    Clear the specified ip to user cache in data plane

Regards

Slawek

L2 Linker

Re: User-ID for DNS

Kindly go through the following docs,

How to Ignore Users in User-ID Agent

https://live.paloaltonetworks.com/docs/DOC-2893

How to Add/Delete Users from Ignore User List using Agentless User-ID

https://live.paloaltonetworks.com/docs/DOC-4278

How to Clear User-to-IP Mapping for an Ignored User and Verify it is Working

https://live.paloaltonetworks.com/docs/DOC-6107

Regards,

Rahul

L1 Bithead

Re: User-ID for DNS

Thank you, that was exactly what I was looking for.

I ran these commands -

clear user-cache ip 10.0.36.15

clear user-cache all

clear user-cache-mp ip 10.0.36.15

clear user-cache-mp all

And when I run show user ip-user-mapping ip 10.0.36.15 it still shows the user being mapped to that system -

IP address:  10.0.36.15 (vsys1)

User:        xxxxx\xscott

From:        UIA

Idle Timeout: 1552s

Max. TTL:    1552s

Groups that the user belongs to (used in policy)

Group(s):    cn=xxxx,ou=paloalto,ou=groups,ou=xxxxxx,dc=xxxxx,dc=local

Any ideas why the user isn't being cleared from that machine?

Thanks,

Sean
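A small check that covers both Slawek's note on the ignore-list format (one bare user name per line, no domain prepended) and the "show user ip-user-mapping" output Sean posted. This is an added example written for this thread, not code from Palo Alto Networks or from any poster; the ignore-list entries, the IP address and the group DN are constructed placeholders, and lower-casing names before comparison is an assumption made only so the comparison is case-insensitive. It normalises a hand-written list into the form the agent expects, parses the mapping output, and reports whether the mapped user would actually be covered by the list (a DOMAIN\user line, as tried later in this thread, would not be).

```python
import re

# Constructed sample ignore list as an admin might have typed it. The agent
# expects one bare user name per line; the DOMAIN\user and user@domain
# forms below are exactly what this script normalises away.
RAW_IGNORE_LIST = """\
# service accounts that should never produce IP-to-user mappings
joesmith
CORP\\xscott
svc-backup@corp.local
  av-admin
joesmith
"""

# Constructed sample of 'show user ip-user-mapping ip <addr>' output, laid out
# the way the thread shows it (placeholder values, not real data).
SAMPLE_MAPPING_OUTPUT = """\
IP address:  10.0.36.15 (vsys1)
User:        CORP\\xscott
From:        UIA
Idle Timeout: 1552s
Max. TTL:    1552s
Groups that the user belongs to (used in policy)
Group(s):    cn=svc,ou=paloalto,ou=groups,dc=corp,dc=local
"""


def bare_username(name: str) -> str:
    """Strip a DOMAIN\\ prefix or an @domain suffix; lower-case for comparison (assumption)."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def normalize_ignore_list(text: str) -> list[str]:
    """Reduce a free-form list to one bare name per entry.
    Comments, blank lines and duplicates are dropped; first-seen order is kept."""
    names: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user = bare_username(line)
        if user and user not in names:
            names.append(user)
    return names


def render_ignore_list(text: str) -> str:
    """File contents in the one-name-per-line layout described in the thread."""
    return "\n".join(normalize_ignore_list(text)) + "\n"


def parse_mapping(output: str) -> dict[str, str]:
    """Parse the 'Key:   value' lines of the mapping output into a dict.
    Lines without a colon-separated key (the 'Groups that ...' banner) are skipped."""
    fields: dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z.() ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def mapping_is_ignored(output: str, ignore_list: list[str]) -> bool:
    """True if the user in the mapping output (domain stripped) is on the normalised list."""
    user = parse_mapping(output).get("User")
    return bool(user) and bare_username(user) in ignore_list


if __name__ == "__main__":
    ignored = normalize_ignore_list(RAW_IGNORE_LIST)
    print("ignore_user_list.txt should contain:\n" + render_ignore_list(RAW_IGNORE_LIST))
    fields = parse_mapping(SAMPLE_MAPPING_OUTPUT)
    print(f"{fields['IP address']} is mapped to {fields['User']} via {fields['From']}")
    print("covered by ignore list:", mapping_is_ignored(SAMPLE_MAPPING_OUTPUT, ignored))
```

Paste the real CLI output into SAMPLE_MAPPING_OUTPUT (or read it from a file) to check a live mapping; if the script reports the user as covered but the mapping still comes back after the caches are cleared, the problem is not the file format but a source that keeps re-learning the user, which is what the later replies in this thread go on to look at.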

L4 Transporter

Re: User-ID for DNS

Hi

Did you create a file called "ignore_user_list.txt" in the directory in which the User-ID Agent was installed with "xscott" inside?

Regards

Slawek

L2 Linker

Re: User-ID for DNS

Also, make sure you run the following command first to clear the mapping from the MP:

clear user-cache-mp all


Then run,


clear user-cache all


DP learns the mapping from MP. Sometimes, if you clear DP first, and before you clear MP, it will be pushed again from MP to DP. So it is always better to clear from MP, then from DP.


Regards,

Rahul Singh

L1 Bithead

Re: User-ID for DNS

I have added the ignore_user_list.txt into the User-ID Agent folder and have the user both with and without the domain prepended: domain\username and username on separate lines. I also ran the clear user-cache-mp all command first, then the clear user-cache all. When I run show user ip-user-mapping ip 10.0.36.15, it still shows the user. Not sure what's going on, but it doesn't want to clear the user out from the machine... Any ideas on something else I can try?

Thanks,

Sean

L2 Linker

Re: User-ID for DNS

You need to clear the user from User-ID agent first.

User-ID Agent >>> Monitoring >>> Discovered Users,

Look for the user and delete it.

Then delete MP cache and DP cache.

Regards,

Rahul Singh

L1 Bithead

Re: User-ID for DNS

I just tried clearing it from the User-ID Agent and the name came back within roughly 5 seconds. At this point I'm beginning to think it's a bug of some sort... Why does the computer/agent think that user is logged into the 10.0.36.15 machine when nobody is?

L2 Linker

Re: User-ID for DNS

Can you check if WMI probing is enabled on User ID Agent? If it is enabled, disable it.
