This document describes the CLI commands that are used to add and delete users from the Ignore User List when using agentless User-ID.
The example outputs in this document are in set format. To change the output format, use the set cli config-output-format command:
> set cli config-output-format set
# set user-id-collector ignore-user [ domain_name\user_name ]
# set user-id-collector ignore-user [ AD2008\test ]
# set user-id-collector ignore-user [ domain_name\user1 domain_name\user2 domain_name\user3 ...]
# set user-id-collector ignore-user domain_name\user1
# delete user-id-collector ignore-user domain_name\user8
Note: If square brackets were used to add a single user, an error will occur when attempting to delete that user.
# delete user-id-collector ignore-user [AD2008\test]
Server error : Unable to get schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/user-id-collector/ignore-user/member[text()='[AD2008\test]']
# delete user-id-collector ignore-user
Note: Verify using the show | match ignore command:
# show | match ignore
# set vsys vsys1 user-id-collector ignore-user [ domain_name\user_name ]
# set vsys vsys1 user-id-collector ignore-user [ AD2008\test ]
Verify the change:
set vsys vsys1 user-id-collector ignore-user AD2008\test
# set vsys vsys1 user-id-collector ignore-user [ domain_name\user1 domain_name\user2 ]
# delete vsys vsys1 user-id-collector ignore-user domain_name\user
Note: The following error will occur if multiple entries are specified. See example below:
# delete vsys vsys1 user-id-collector ignore-user [ AD2008\test1 AD2008\test2 ]
[ is not a valid token
# delete vsys vsys1 user-id-collector ignore-user
How can you show the ignore-user list in agentless setup ?
How can you add accounts with umlaut like "nt-autorität\anonymous-anmeldung" to the ignore-user list ? I tried but it does not work.
in my opinion the ignore-list is only available in the config...
I`ve also problems with ignore-users in the agentless user-id at all. All the configured ignore-users (as described above) are not ignored.
Can you confirm this or do yo see the problems only with the "nt-aut..."-user?
for my understanding there should be a "show user-id-collector ignore-user" command ...
The ignore-user I have added are all being ignored at least with my setup, except the accounts with umlauts....
I did one by one each on a separate command line. I am on 5.0.2.
Do you still have User-ID agents configured and enabled ?
Don't forget to clear the user-ids to be ignored after the commit.
I cleared the user-mapping for the specific IP but the ignored user was mapped again after issuing a domain-activity (like GPO update). Do you think a complete clear is necessary (or even a restart for the user-id-agent process?)
Is it just one specific account or any account which reappears after a while ?
No additional user-id-agents configured and also on 5.0.2. Have you configured with the "vsys" in the cli-command? (even if no vsys are in use?)
I`m also with you that a "show user-id-collector ignore-user" is absolutely necessary.
No I have not used a reference to a vsys on the cli. strange ...
In the User-ID Setup on the FW do you have the "Enable Session" option enabled ? I have not .
No, session read is also not enabled...
thanks a lot for now Roland! I`ll do some more testings on monday in both installations and get back to you.
Perhaps I`ll also open a case for this...
Regarding the umlaut-user: PAN (and especially the user-id) had (or still have..) problems with correctly encoding german umlaut letters...perhaps I can handle this in the case..
As per knowledge currently CLI does not support Special character at all. So in case of agent less user id agent there is no way to add it from CLI or GUI.
I have opened a case with support and the bug which prevents the use of umlaut characters has been confirmed, they are working on this issue.
Hi, I found the commands worked as in the OP (but watch that with a list there MUST be a space after the [ )
However I can't find the show command at all, have explored the cli commands that all start with user-... but nothing that will show me the ignored users. This should be on the GUI anyway, I'll log a feature request.
I believe you can run the following command to look at what is in the ignore list
# show user-id-collector setting
Also this should be visible in
>show config running
Hope this helps.
Ugh sorry for not responding sooner, has been a bad week!
Yes that;s the command I tried but it doesn't exist on my system.
show sub-commands only gives me user, not user-id and the options from there are:
> group Show user groups data
> group-mapping Show group mapping states
> group-mapping-service Show group-mapping service info
> group-selection Show members under one container
> ip-port-user-mapping Show terminal server agent data
> ip-user-mapping Show ip-user-mapping in data-plane
> ip-user-mapping-mp Show ip-user-mapping in management-plane
> local-user-db Local user database
> server-monitor Show server monitor info
> ts-agent Show terminal server agent info
> user-IDs Show user-IDs
> user-id-agent Show user-id-agent info
> user-id-service Show user-id service info
You need to be in the config mode. From the output shown above it seems you are not
Here is how to get to the config mode
Entering configuration mode
admin# show user-id-collector setting
Thanks, I found the command in config mode
show vsys vsys1 user-id-collector setting
But unfortunately the one thing it doesn't show is the ignore-user settings. However if I use the command
show vsys vsys1 user-id-collector
It shows me the user id part of the config and it is at the bottom of that, though it's not really worth the effort because
show config running | match ignore
does the same thing.
Clearly this really should be done via the GUI anyway.
Thanks for your help.
how can I add a user name that contains blank spaces? for example, "nt authority \ local access"
Anyone know if wildcards are supported?
I would love to be able to not learn admin accounts with out adding every individual user and im sure there will be more useful times we want to do this.
Eg domain\usernames.admin can be matched with domain\*.admin
Quick test would indicate that its not supported but im happy to be proven wrong.
Wildcards are not supported, just tried on 6.0.6
Spaces are handled with double quotes
set user-id-collector ignore-user "nt authority\accesso anonimo"
set user-id-collector ignore-user "accesso anonimo"
ignore-user [ "nt authority\accesso anonimo" "accesso anonimo" ];
During manual XMLAPI, user insert is generated the wanted error
<uid-message><version>2.0</version><type>update</type><payload><login><entry name="nt authority\accesso anonimo" ip="X.X.X.X" timeout="60" /></login></payload></uid-message>
<entry name="nt authority\accesso anonimo" ip="X.X.X.X" message="user nt authority\accesso anonimo is in ignore list"/>
Special chars are not handled via cli but accepted via xmlapi
element=<member>test%20test<member> reports ok
element=<member>testò<member> is also ok
element=<member>testö<member> is also ok
ignore-user [ "nt authority\accesso anonimo" "accesso anonimo" "accesso a.*." test "test test" "test test\" testò testö];
XMLAPI manual user insert reported again the wanted error
<entry name="testö" ip="X.X.X.X" message="user testö is in ignore list"/>
XML API syntax for adding user with special characters:https://pa-box/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain'...<member>zarządzanie nt\logowanie anonimowe</member>&key=abcd
You must generate a new key (....>&key=abcd)
To do this, use this URL
Elton Ramos Carvalho
In case it helps anyone else adding values via panorama CLI
set template <template-name> config vsys <vsys#> user-id-collector ignore-user [ <space delimited list> ]
although on 7.1.9 I am still not ignoring these users on my agentless firewalls pulling from AD security logs, and also the UIA still pull the ignore'd users across from the other firewalls so I'm going to open a support case.
I tried both actual usernames and wildcard, neither works
Will be super helpful once the ignore list does work though for me to mass setup an ignore list in my template stack