User-ID for DNS


L1 Bithead

We have a server that has nobody logged into it and all the DNS traffic from that server is showing as a certain user sending the traffic. Is there any way to exclude this server from User-ID or another way to remove the user from this traffic?

[attached screenshot: user-id dns.png]


17 REPLIES

L4 Transporter

Hi senspersons

I guess that this is a Windows server with some service running under a user account. In the example it is "scott".

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

The ignore_user_list.txt file requires one user name per line with no domain prepended.

e.g.

joesmith

janedoe

administrator

av-admin

Also, you may want to clear the user cache via the CLI.

admin@PA-2050> clear user-cache
> all   Clear all ip to user cache in data plane
> ip    Clear the specified ip to user cache in data plane

Regards

Slawek
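As an added example (not code from the thread and not Palo Alto Networks code), the following Python script produces the file in the form Slawek describes: it strips a DOMAIN\ prefix or @domain suffix, writes one name per line, and refuses any file name other than ignore_user_list.txt, which guards against the hidden-extension mistake raised later in the thread. The agent directory, the CRLF line endings and the case-insensitive de-duplication are my assumptions, not documented agent behaviour.

```python
"""
Write the User-ID Agent's ignore_user_list.txt from a list of candidate account
names, applying the two rules stated in the thread (one user name per line, no
domain prefix) and rejecting the hidden-extension mistake (ignore_user_list.txt.txt).

Added example, not Palo Alto Networks code. Assumptions: the agent directory is
supplied by the caller; the agent matches Windows account names case-insensitively
(so case-only duplicates are collapsed); CRLF line endings are used only because the
agent host is Windows.
"""
import re

# Leading 'DOMAIN\' or trailing '@domain' -> removed; the agent wants the bare name.
_DOMAIN = re.compile(r"^[^\\]*\\|@.*$")


def normalize_user(name):
    """'CORP\\xscott', 'xscott@corp.local' and ' xscott ' all become 'xscott'."""
    return _DOMAIN.sub("", name.strip())


def build_ignore_list(candidates):
    """Normalize and de-duplicate (case-insensitively); keeps first spelling, input order."""
    seen, lines = set(), []
    for raw in candidates:
        user = normalize_user(raw)
        if not user:
            continue                      # blank entry, or a bare domain such as 'CORP\'
        key = user.lower()
        if key in seen:
            continue
        seen.add(key)
        lines.append(user)
    return lines


def is_ignore_list_name(path):
    """True only for a file literally named ignore_user_list.txt (any directory, / or \\)."""
    base = re.split(r"[\\/]", path)[-1]
    return base == "ignore_user_list.txt"


def render_ignore_list(candidates):
    """File body: one user per line, CRLF-terminated (assumption: LF would also work)."""
    return "".join(line + "\r\n" for line in build_ignore_list(candidates))


def write_ignore_list(path, candidates):
    """Write the file, refusing names such as ignore_user_list.txt.txt that 'Hide extensions' produces."""
    if not is_ignore_list_name(path):
        raise ValueError(f"file must be named ignore_user_list.txt, got {path!r}")
    with open(path, "w", newline="") as fh:   # newline='' so the CRLF above is written verbatim
        fh.write(render_ignore_list(candidates))
    return path


if __name__ == "__main__":
    # Typical agent directory named in the thread (assumption: adjust for your install).
    agent_dir = r"C:\Program Files\Palo Alto Networks\PanAgent"
    print(agent_dir + r"\ignore_user_list.txt would contain:")
    print(render_ignore_list(["CORP\\xscott", "XSCOTT", "xscott@corp.local", "av-admin"]), end="")
```

Run it on the agent host, then restart the User-ID Agent service and clear the caches as described in the thread; the script only prepares the file, it does not restart anything.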

L2 Linker

Kindly go through the following docs,

How to Ignore Users in User-ID Agent

https://live.paloaltonetworks.com/docs/DOC-2893

How to Add/Delete Users from Ignore User List using Agentless User-ID

https://live.paloaltonetworks.com/docs/DOC-4278

How to Clear User-to-IP Mapping for an Ignored User and Verify it is Working

https://live.paloaltonetworks.com/docs/DOC-6107

Regards,

Rahul

L1 Bithead

Thank you, that was exactly what I was looking for.

I ran these commands -

clear user-cache ip 10.0.36.15

clear user-cache all

clear user-cache-mp ip 10.0.36.15

clear user-cache-mp all

And when I run show user ip-user-mapping ip 10.0.36.15 it still shows the user being mapped to that system -

IP address:  10.0.36.15 (vsys1)
User:        xxxxx\xscott
From:        UIA
Idle Timeout: 1552s
Max. TTL:    1552s
Groups that the user belongs to (used in policy)
Group(s):    cn=xxxx,ou=paloalto,ou=groups,ou=xxxxxx,dc=xxxxx,dc=local

Any ideas why the user isn't being cleared from that machine?

Thanks,

Sean

Hi

Did you create a file called “ignore_user_list.txt” in the directory in which the User-ID Agent was installed, with "xscott" inside?

Regards

Slawek

L2 Linker

Also, make sure you run the following command first to clear the mapping from MP:

clear user-cache-mp all


Then run:


clear user-cache all


DP learns the mapping from MP. Sometimes, if you clear DP first, and before you clear MP, it will be pushed again from MP to DP. So it is always better to clear from MP, then from DP.


Regards,

Rahul Singh

I have added the ignore_user_list.txt into the User-ID Agent folder and have the user both with and without the domain prepended: domain\username and username on separate lines. I also ran the clear user-cache-mp all command first, then the clear user-cache all. When I run show user ip-user-mapping ip 10.0.36.15, it still shows the user. Not sure what's going on, but it doesn't want to clear the user out from the machine... Any ideas on something else I can try?

Thanks,

Sean

You need to clear the user from User-ID agent first.

User-ID Agent >>> Monitoring >>> Discovered Users,

Look for the user and delete it.

Then delete MP cache and DP cache.

Regards,

Rahul Singh

I just tried clearing it from the User-ID Agent and the name came back within roughly 5 seconds. At this point I'm beginning to think it's a bug of some sort... Why does the computer/agent think that user is logged into the 10.0.36.15 machine when nobody is?

Can you check if WMI probing is enabled on User ID Agent? If it is enabled, disable it.

Make sure you disable the service first, make the changes, commit, start the service.

One more thing, make sure you have created the file with proper extension.

It should not be the ignore_user_list.txt.txt

Make sure you uncheck the option "Hide extensions" under windows folder options

That seems to have fixed it. After I disabled WMI probing, and cleared the cache the user is no longer listed for DNS traffic.

Is there a way to ignore that particular machine from ever reporting a user? I'd still like to see the user's traffic, just not for that machine... No sure how to go about that...

you can try to exclude that PC's IP under User ID Agent >>> Discovery >>> Include/Exclude Networks.

Add Exclude Specified Network >>> configure the PC IP addr with /32 mask.

Check if that works.

Regards,

Rahul Singh

The agent accepted the /32; however, the user is showing up in the traffic log for DNS again.
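To check the outcome of the steps discussed in this thread (ignore list, MP/DP cache clears, /32 exclusion) without eyeballing the CLI, here is an added example, not from the thread and not Palo Alto Networks code: a Python parser for the `show user ip-user-mapping` output in the format Sean posted, which flags any mapping that is still present for an ignored user or for an IP inside an excluded network. The sample output is constructed from that format with a second, hypothetical host added; the function names are mine.

```python
"""
Parse `show user ip-user-mapping` output and flag entries that should not exist
because the user is on ignore_user_list.txt or the IP is in an excluded network.

Added example, not Palo Alto Networks code. SAMPLE_OUTPUT is constructed from the
record layout shown in the thread (second host is hypothetical).
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
IP address:  10.0.36.15 (vsys1)
User:        xxxxx\\xscott
From:        UIA
Idle Timeout: 1552s
Max. TTL:    1552s
Groups that the user belongs to (used in policy)
Group(s):    cn=xxxx,ou=paloalto,ou=groups,ou=xxxxxx,dc=xxxxx,dc=local

IP address:  10.0.40.7 (vsys1)
User:        corp\\janedoe
From:        UIA
Idle Timeout: 2700s
Max. TTL:    2700s
"""

# 'Key:   value' lines; the 'Groups that the user belongs to ...' heading has no colon and is skipped.
FIELD = re.compile(r"^([A-Za-z. ()]+?):\s*(.*)$")


def parse_ip_user_mapping(text):
    """Split the CLI output into one dict per 'IP address:' block."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "IP address":
            ip, _, vsys = value.partition(" ")          # '10.0.36.15 (vsys1)'
            cur = {"ip": ip, "vsys": vsys.strip("()"), "groups": []}
            records.append(cur)
        elif cur is None:
            continue                                     # field before any IP header
        elif key == "Group(s)":
            cur["groups"].append(value)
        elif key in ("Idle Timeout", "Max. TTL"):
            cur[key] = int(value.rstrip("s"))            # '1552s' -> 1552
        else:
            cur[key] = value                             # User, From, ...
    return records


def strip_domain(user):
    """'DOMAIN\\user' or 'user@domain' -> 'user', the form ignore_user_list.txt expects."""
    user = user.strip()
    if "\\" in user:
        return user.split("\\", 1)[1]
    if "@" in user:
        return user.split("@", 1)[0]
    return user


def unexpected_mappings(records, ignore_users, excluded_networks):
    """Return (record, reason) for every mapping the configuration says should be gone."""
    ignored = {strip_domain(u).lower() for u in ignore_users}
    nets = [ipaddress.ip_network(n, strict=False) for n in excluded_networks]
    bad = []
    for rec in records:
        user = strip_domain(rec.get("User", "")).lower()
        addr = ipaddress.ip_address(rec["ip"])
        if user in ignored:
            bad.append((rec, f"user {user!r} is on the ignore list but still mapped"))
        elif any(addr in net for net in nets):
            bad.append((rec, f"{addr} is inside an excluded network but still mapped"))
    return bad


if __name__ == "__main__":
    recs = parse_ip_user_mapping(SAMPLE_OUTPUT)
    for rec, why in unexpected_mappings(recs, ["xscott"], ["10.0.36.15/32"]):
        print(f"{rec['ip']} ({rec['vsys']}) {rec.get('User')} from {rec.get('From')}: {why}")
```

Paste the real output of `show user ip-user-mapping all` into the parser after the MP and DP clears; any record it reports means either the ignore list or the exclusion was not picked up by the agent (wrong file name, service not restarted, or WMI probing re-learning the user, as happened in this thread).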

  • 1 accepted solution
  • 10683 Views
  • 17 replies
  • 0 Likes