How to Add/Delete Users from Ignore User List using Agentless User-ID

by mbutt on ‎12-18-2012 10:10 AM (46,381 Views)


This document describes the CLI commands that are used to add and delete users from the Ignore User List when using agentless User-ID.


The example outputs in this document are in set format. To change the output format, use the set cli config-output-format command:

> set cli config-output-format set

Single VSYS

  • To add a user to an ignore list:

# set user-id-collector ignore-user [ domain_name\user_name ]

For example:

> configure

# set user-id-collector ignore-user [ AD2008\test ]

# commit

  • To add multiple users to an ignore list:

# set user-id-collector ignore-user [ domain_name\user1 domain_name\user2 domain_name\user3 ...]

  • To add single user, do not use the square brackets.

# set user-id-collector ignore-user domain_name\user1

  • To delete a user from the ignore list, use the following command:

# delete user-id-collector ignore-user domain_name\user8

Note: If square brackets were used to add a single user, an error will occur when attempting to delete that user.

For example:

# delete  user-id-collector ignore-user [AD2008\test]

Server error : Unable to get schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/user-id-collector/ignore-user/member[text()='[AD2008\test]']

  • To delete all users from the ignore-user list, use the following command:

> configure

# delete user-id-collector ignore-user

# commit

Note: Verify using the show | match ignore command:

# show | match ignore


Multiple VSYS

  • To add a user to an ignore list:

# set vsys vsys1 user-id-collector ignore-user [ domain_name\user_name ]

For example:

> configure

# set vsys vsys1 user-id-collector ignore-user [ AD2008\test ]

# commit

Verify the change:

# show | match ignore

set vsys vsys1 user-id-collector ignore-user AD2008\test


  • To append to an existing ignore-list:

# set vsys vsys1 user-id-collector ignore-user [ domain_name\user1 domain_name\user2 ]

  • To delete one entry

> configure

# delete vsys vsys1 user-id-collector ignore-user domain_name\user

# commit

Note: The following error will occur if multiple entries are specified. See example below:

# delete vsys vsys1 user-id-collector ignore-user [ AD2008\test1 AD2008\test2 ]

[ is not a valid token

Invalid syntax.


  • To delete all ignore-list entries from a vsys

# delete vsys vsys1 user-id-collector ignore-user

owner: jlunario

by gafrol
on ‎02-08-2013 07:27 AM

How can you show the ignore-user list in agentless setup ?

rgds Roland

by gafrol
on ‎02-08-2013 07:33 AM

How can you add accounts with umlaut like "nt-autorität\anonymous-anmeldung" to the ignore-user list ? I tried but it does not work.

rgds Roland

by indup089
on ‎02-08-2013 08:04 AM

Hi Roland,

in my opinion the ignore-list is only available in the config...

I`ve also problems with ignore-users in the agentless user-id at all. All the configured ignore-users (as described above) are not ignored.

Can you confirm this or do yo see the problems only with the "nt-aut..."-user?


by gafrol
on ‎02-08-2013 08:15 AM

Hi Ulrich,

for my understanding there should be a "show user-id-collector ignore-user" command ...

The ignore-user I have added are all being ignored at least with my setup, except the accounts with umlauts....

I did one by one each on a separate command line. I am on 5.0.2.

Do you still have User-ID agents configured and enabled ?


by gafrol
on ‎02-08-2013 08:17 AM

Don't forget to clear the user-ids to be ignored after the commit.

by indup089
on ‎02-08-2013 08:21 AM

I cleared the user-mapping for the specific IP but the ignored user was mapped again after issuing a domain-activity (like GPO update). Do you think a complete clear is necessary (or even a restart for the user-id-agent process?)

by gafrol
on ‎02-08-2013 08:30 AM

Is it just one specific account or any account which reappears after a while ?

Do you still have User-ID agents configured and enabled ?

by indup089
on ‎02-08-2013 08:31 AM

No additional user-id-agents configured and also on 5.0.2. Have you configured with the "vsys" in the cli-command?  (even if no vsys are in use?)

I`m also with you that a "show user-id-collector ignore-user" is absolutely necessary.

by gafrol
on ‎02-08-2013 08:33 AM

No I have not used a reference to a vsys on the cli. strange ...

by gafrol
on ‎02-08-2013 08:39 AM

In the User-ID Setup on the FW do you have the "Enable Session" option enabled ? I have not .

by indup089
on ‎02-08-2013 08:51 AM

No, session read is also not enabled...

thanks a lot for now Roland! I`ll do some more testings on monday in both installations and get back to you.

Perhaps I`ll also open a case for this...

Regarding the umlaut-user:  PAN (and especially the user-id) had (or still have..) problems with correctly encoding german umlaut letters...perhaps I can handle this in the case..

by mbutt
on ‎02-19-2013 02:21 PM

Hi Ronald,

As per knowledge currently CLI does not support Special character at all. So in case of agent less user id agent there is no way to add it from CLI or GUI.



by gafrol
on ‎02-19-2013 02:25 PM

I have opened a case with support and the bug which prevents the use of umlaut characters has been confirmed, they are working on this issue.

by djr
on ‎07-01-2013 02:01 AM

Hi, I found the commands worked as in the OP (but watch that with a list there MUST be a space after the [ )

However I can't find the show command at all, have explored the cli commands that all start with user-... but nothing that will show me the ignored users.  This should be on the GUI anyway, I'll log a feature request.

by mbutt
on ‎07-01-2013 04:38 PM

Hi djr,

I believe you can run the following command to look at what is in the ignore list

# show user-id-collector setting

Also this should be visible in

>show config running

Hope this helps.

Thank you

by djr
on ‎07-05-2013 09:46 AM

Ugh sorry for not responding sooner, has been a bad week!

Yes that;s the command I tried but it doesn't exist on my system.

show sub-commands only gives me user, not user-id and the options from there are:

> group                   Show user groups data

> group-mapping           Show group mapping states

> group-mapping-service   Show group-mapping service info

> group-selection         Show members under one container

> ip-port-user-mapping    Show terminal server agent data

> ip-user-mapping         Show ip-user-mapping in data-plane

> ip-user-mapping-mp      Show ip-user-mapping in management-plane

> local-user-db           Local user database

> server-monitor          Show server monitor info

> ts-agent                Show terminal server agent info

> user-IDs                Show user-IDs

> user-id-agent           Show user-id-agent info

> user-id-service         Show user-id service info

by mbutt
on ‎07-05-2013 02:55 PM

Hi djr,

You need to be in the config mode. From the output shown above it seems you are not

Here is how to get to the config mode

admin> configure

Entering configuration mode


admin# show user-id-collector setting

Hope this helps.


by djr
on ‎07-09-2013 04:13 AM

Thanks, I found the command in config mode

show vsys vsys1 user-id-collector setting

But unfortunately the one thing it doesn't show is the ignore-user settings.  However if I use the command

show vsys vsys1 user-id-collector

It shows me the user id part of the config and it is at the bottom of that, though it's not really worth the effort because

show config running | match ignore

does the same thing.

Clearly this really should be done via the GUI anyway.

Thanks for your help.

by peppyno77
on ‎07-01-2014 03:53 AM

how can I add a user name that contains blank spaces? for example, "nt authority \ local access"


by Michael_Lidgett
on ‎08-14-2014 10:36 PM

Anyone know if wildcards are supported?

I would love to be able to not learn admin accounts with out adding every individual user and im sure there will be more useful times we want to do this.

Eg  domain\usernames.admin can be matched with domain\*.admin   

Quick test would indicate that its not supported but im happy to be proven wrong.

by NGS
on ‎11-27-2014 01:55 PM

Wildcards are not supported, just tried on 6.0.6

Spaces are handled with double quotes

set user-id-collector ignore-user "nt authority\accesso anonimo"

set user-id-collector ignore-user "accesso anonimo"

show user-id-collector


  ignore-user [ "nt authority\accesso anonimo" "accesso anonimo" ];

During manual XMLAPI, user insert is generated the wanted error

<uid-message><version>2.0</version><type>update</type><payload><login><entry name="nt authority\accesso anonimo" ip="X.X.X.X" timeout="60" /></login></payload></uid-message>

<response status="error">







<entry name="nt authority\accesso anonimo" ip="X.X.X.X" message="user nt authority\accesso anonimo is in ignore list"/>







Special chars are not handled via cli but accepted via xmlapi


element=<member>test%20test<member>  reports ok

element=<member>testò<member>  is also ok

element=<member>testö<member>  is also ok

  ignore-user [ "nt authority\accesso anonimo" "accesso anonimo" "accesso a.*." test "test test" "test test\" testò testö];


XMLAPI manual user insert reported again the wanted error

<entry name="testö" ip="X.X.X.X" message="user testö is in ignore list"/>

by Albert_C
on ‎12-18-2014 12:00 AM

XML API syntax for adding user with special characters:
https://pa-box/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain'...<member>zarządzanie nt\logowanie anonimowe</member>&key=abcd

by eltoncarvalho
on ‎01-28-2015 04:30 AM

You must generate a new key (....>&key=abcd)

To do this, use this URL


Elton Ramos Carvalho

by David_Avery
on ‎06-14-2017 12:17 PM

In case it helps anyone else adding values via panorama CLI


set template <template-name> config vsys <vsys#> user-id-collector ignore-user [ <space delimited list> ]


although on 7.1.9 I am still not ignoring these users on my agentless firewalls pulling from AD security logs, and also the UIA still pull the ignore'd users across from the other firewalls so I'm going to open a support case.


I tried both actual usernames and wildcard, neither works


Will be super helpful once the ignore list does work though for me to mass setup an ignore list in my template stack

by djr
on ‎09-26-2017 07:54 AM



Did you get an answer?  I am hitting this problem for the agentless user-ID but the ignore-list is working fine for my UIA.  Unfortunately some users come in via the XMLAPI so have to go direct to the firewall.




Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community