User-ID ignore multiple users - agentless or agent

L4 Transporter

User-ID ignore multiple users - agentless or agent

Hi,

I've got an installation with approx. 70k+ users, where User-ID is an important factor. I want to ignore all users with the prefix adm or svc in the user name (admin and service accounts) from User-ID, to avoid getting unwanted IP-user mappings. I have the option to use both agentless and agent on Windows Server. There are so many admin and service accounts that adding them one by one in a txt file or in the CLI on the firewall simply isn't an option.

I've searched a lot for this both in articles here and the admin guides, but I can't find a good solution. Does anybody have a smart way to solve this issue? I.e. scripting or something else?

Any input would be appreciated, as this is really becoming a pain...

Regards,

Tor

L2 Linker

Re: User-ID ignore multiple users - agentless or agent

Hi Tor,

The LDAP search string for this is quite easy:

"(&(objectCategory=person)(objectClass=user)(!(cn=adm*))(!(cn=svc*)))"


This filter can be used under User Identification -> Group Mapping -> Server Profile -> User objects


The User-ID Best Practice guide also says:

"The Group Include List can then be used to filter which groups from the LDAP servers are displayed in the Firewall Policy Interface. This also filters which users are tracked in the firewall logs. If a user does not belong to one of these groups, the firewall will not record the users name in the various logs."

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/6591-102-5-22672/User-ID_Best_Prac...


Is this helpful for you?


Regards,

- Kim

L4 Transporter

Re: User-ID ignore multiple users - agentless or agent

Hi,

Nice to know, but it's unfortunately not what I'm looking for. This would help in narrowing down the ldap part of user-id (group-mapping), but not the IP-user-mapping part.

I need a way to filter away IP-user mappings containing a prefix (i.e. adm or svc). Using the ignore_user_list.txt in the agent or "set user-id-collector ignore-user" in agentless does not scale in a large environment.

Regards,

Tor

L4 Transporter

Re: User-ID ignore multiple users - agentless or agent

You can try using a tool like PowerShell and save the output in a text file (be careful: that amount of users can impact the server performance).

Find Users with Get-ADUser | Systems Management content from Windows IT Pro

After checking the correct name format, you just rename the file to 'ignore_user_list.txt' and put it in the agent installation folder. This can be a workaround, but because of your many users it could impact the User-ID agent performance (better to run it on a dedicated server), and I also couldn't find the maximum number of excluded users the file can contain.

I advise you to contact your SE to create a feature request to filter out user-to-IP mappings based on wildcards.

Regards,

G
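The export that G describes above, written out as an added example (this is not code from the thread or from Palo Alto Networks). It uses Get-ADUser with a server-side LDAP filter so the domain controller only returns the adm*/svc* accounts instead of the whole 70k user base, and writes two outputs: a file shaped like the agent's ignore_user_list.txt and a list of the agentless "set user-id-collector ignore-user" commands mentioned earlier in the thread. The NetBIOS domain name, search base and output folder are placeholders, and the "domain\username" line format is an assumption that should be checked against the name format the agent actually reports, as G advises.

```powershell
# Added example, not part of the original posts. Exports AD accounts whose
# sAMAccountName starts with "adm" or "svc" for use as a User-ID ignore list.
# Assumptions (verify before use):
#   - CORP, the search base and C:\Temp\userid are placeholders
#   - ignore_user_list.txt accepts one "domain\username" entry per line
#   - the RSAT ActiveDirectory module is installed where this runs
Import-Module ActiveDirectory

$Domain     = 'CORP'                              # placeholder NetBIOS domain
$SearchBase = 'OU=Accounts,DC=corp,DC=example'    # placeholder base DN
$OutputDir  = 'C:\Temp\userid'                    # placeholder output folder
$IgnoreFile = Join-Path $OutputDir 'ignore_user_list.txt'
$CliFile    = Join-Path $OutputDir 'ignore-user-cli.txt'

# Server-side filter: the DC does the matching, so only the unwanted accounts
# cross the wire. sAMAccountName is used because that is the logon name that
# normally shows up in IP-user mappings (assumption: confirm in your logs).
$LdapFilter = '(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=adm*)(sAMAccountName=svc*)))'

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Paged query keeps memory and DC load bounded on a large directory.
$accounts = Get-ADUser -LDAPFilter $LdapFilter `
                       -SearchBase $SearchBase `
                       -SearchScope Subtree `
                       -ResultPageSize 500 |
            Select-Object -ExpandProperty SamAccountName |
            ForEach-Object { $_.ToLowerInvariant() } |
            Sort-Object -Unique

# Agent format (assumed): one domain\user per line, plain ASCII, no BOM.
$accounts | ForEach-Object { "$Domain\$_" } |
    Set-Content -Path $IgnoreFile -Encoding Ascii

# Agentless form from the thread: set user-id-collector ignore-user <user>.
# The quoted "domain\user" value is an assumption; check the expected format
# on your PAN-OS release before pasting these into configure mode.
$accounts | ForEach-Object { "set user-id-collector ignore-user `"$Domain\$_`"" } |
    Set-Content -Path $CliFile -Encoding Ascii

Write-Host ("Exported {0} accounts to {1} and {2}" -f @($accounts).Count, $IgnoreFile, $CliFile)
```

Run it on a management host with RSAT rather than on the User-ID agent server itself, then review the generated file before copying it into the agent folder; if the agent reports names without a domain prefix, drop the "$Domain\" part of the two output lines.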
