How to Add/Delete Users from Ignore User List using Agentless User-ID

Created On 09/25/18 19:30 PM - Last Modified 07/23/20 21:50 PM


Symptom


This document describes the CLI commands that are used to add and delete users from the Ignore User List when using agentless User-ID. 



Environment


  • PAN-OS 7.1 and above.
  • Palo Alto Firewall.
  • Agentless User-ID configured.


Resolution


The example outputs in this document are in set format. To change the output format, use the set cli config-output-format command:

> set cli config-output-format set

Single VSYS

  • To add a user to an ignore list:
# set user-id-collector ignore-user [ domain_name\user_name ]

For example:

> configure
# set user-id-collector ignore-user [ AD2008\test ]
# commit
  • To add multiple users to an ignore list:
# set user-id-collector ignore-user [ domain_name\user1 domain_name\user2 domain_name\user3 ...]
  • To add a single user, do not use the square brackets.
# set user-id-collector ignore-user domain_name\user1
  • To delete a user from the ignore list, use the following command:
# delete user-id-collector ignore-user domain_name\user8
 

Note: If square brackets were used to add a single user, an error will occur when attempting to delete that user.

For example:

# delete  user-id-collector ignore-user [AD2008\test]

Server error : Unable to get schema node for xpath /config/devices/entry[@name='localhost.localdomain']
/vsys/entry[@name='vsys1']/user-id-collector/ignore-user/member[text()='[AD2008\test]']
  • To delete all users from the ignore-user list, use the following command:
> configure
# delete user-id-collector ignore-user
# commit
 

Note: Verify using the show | match ignore command:

# show | match ignore
[edit]
 

 

Multiple VSYS

  • To add a user to an ignore list:
# set vsys vsys1 user-id-collector ignore-user [ domain_name\user_name ]

For example:

> configure
# set vsys vsys1 user-id-collector ignore-user [ AD2008\test ]
# commit
 
  • Verify the user is in ignore list:
# show | match ignore
set vsys vsys1 user-id-collector ignore-user AD2008\test
[edit]
  • To append to an existing ignore-list:
# set vsys vsys1 user-id-collector ignore-user [ domain_name\user1 domain_name\user2 ]
  • To delete one entry:
> configure
# delete vsys vsys1 user-id-collector ignore-user domain_name\user
# commit

Note: The following error occurs if multiple entries are specified in a single delete command. For example:

# delete vsys vsys1 user-id-collector ignore-user [ AD2008\test1 AD2008\test2 ]
[ is not a valid token
Invalid syntax.
[edit]
  • To delete all ignore-list entries from a vsys:
# delete vsys vsys1 user-id-collector ignore-user
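
The following Python helper is an added example, not part of the original article or any Palo Alto Networks tooling. It builds the command sequences shown above while avoiding the two bracket pitfalls: a single user is added without brackets, and deletions are emitted one entry per command. The function names, the entry-format check and the vsys-name check are assumptions made for this example.

```python
import re

# Assumed entry format, based on the domain_name\user_name entries in this
# article: exactly one backslash, no whitespace, no square brackets.
_ENTRY = re.compile(r"^[^\s\[\]\\]+\\[^\s\[\]\\]+$")
# Assumed vsys-name format (e.g. vsys1); rejects spaces and extra tokens.
_VSYS = re.compile(r"^[A-Za-z0-9_-]+$")


def _prefix(vsys=None):
    """Multi-vsys firewalls put 'vsys <name>' before user-id-collector."""
    if vsys is None:
        return ""
    if not _VSYS.match(vsys):
        raise ValueError(f"unexpected vsys name: {vsys!r}")
    return f"vsys {vsys} "


def _validate(users):
    users = list(users)
    if not users:
        raise ValueError("no users given")
    for user in users:
        if not _ENTRY.match(user):
            raise ValueError(f"not a domain\\user entry: {user!r}")
    return users


def add_commands(users, vsys=None):
    """One set command: brackets only when more than one user is listed."""
    users = _validate(users)
    base = f"set {_prefix(vsys)}user-id-collector ignore-user "
    entry = users[0] if len(users) == 1 else "[ " + " ".join(users) + " ]"
    return ["configure", base + entry, "commit"]


def delete_commands(users, vsys=None):
    """One delete command per user, because delete rejects bracketed lists."""
    users = _validate(users)
    base = f"delete {_prefix(vsys)}user-id-collector ignore-user "
    return ["configure"] + [base + user for user in users] + ["commit"]


if __name__ == "__main__":
    sample = ["AD2008\\test1", "AD2008\\test2"]  # constructed sample entries
    print("\n".join(add_commands(sample, vsys="vsys1")))
    print("\n".join(delete_commands(sample, vsys="vsys1")))
```
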


Additional Information


Note: The ignore-user list can also be configured from the GUI.
GUI: Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup

Ignore User

