How to Ignore Users in User-ID

Printer Friendly Page

Overview

When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally, this is used for service accounts, but any desired username can be entered.

 

Steps

  1. Stop the User-ID service
  2. Modify/create a file ignore_user_list.txt in the directory where User-ID Agent is installed.
    • This file will contain all the users to be ignored.
    • The format of the file needs to be one username on each line.
      Note: It is sometimes required to have two entries for each username, the normal username and the username with netbios name.
      • user1
      • mydomain\user1
  3. Start the User-ID service.

 

Starting from PAN-OS 7.1 the ignore user list can also be configured for the Agentless User-ID through the WebUI

2016-09-30_16-12-38.png

 

See also

 

How to Add/Delete Users from Ignore User List using Agentless User-ID

 

owner: sspringer

Comments

Is wildcarding supported? I have hundreds of AD service accounts I'd like to ignore using agentless, all of which start with "domain\svc* ". I tried which didn't work:

set user-id-collector ignore-user [ domain\svc* svc* ]

Hello,

 

Starting with User ID Agent 7.0 wildcards are supported, also you can create your ignore user list by using "domain\svc*"

 

Starting PanOS 7.0 you can define the ignore user list from the WebUI and this also supports wildcars the same way.

 

Regards,

 

 

Correction on the ability to manage the ignore list through the WebUI.  The WebUI allows you to manage the ignore list starting at version 7.1.  

You made my day with this feature... :)

It has to be noted that adding the ignore user list through WebUI is applicable only for PAN-OS integrated User-ID agent (agentless config)

 

https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/user-id-features/ignore-us...

Obviously the WebUI settings are for agentless mode. If you are using agentbase mode you still have to create and manage the file in each agent folder.

Hello,

 

We have PA devices running PanOS 7.1.7 with User ID agent release 7.0.6-4.

 

I have just implemented Ignore user list in order to ignore several service accounts from the AD.

 

I have enabled this list two days ago and looking at the traffic logs I still see these source users...

 

The cache timeout is set to 45 minutes, alors why do I still see these users ?

 

Regards,

 

Laurent

Hi Laurent

 

did you enable the cache timeout after this user was already identified ? Have you cleared the user-ip mapping  on the userID agent  after you added the ignore function?

have you cleared the ip from cache ?

admin@myNGFW> clear user-cache ip 
  <ip/netmask>  <ip/netmask>

admin@myNGFW> clear user-cache-mp ip 
  <ip/netmask>  <ip/netmask>

the ignore list will prevent new entries from being learned but existing entries will remain until they time out or are cleared manually

Hi reaper,

 

Thanks for your quick answer.

 

The cache timeout was already enabled and set to 45 minutes before we implmented the ignore user list.

 

However we didn't clear and cache on the devices since we didn't want to take the risk to impact the users access.

 

If we check for these users in the ip mapping table it seems that we don't find them :

 

> show user ip-user-mapping all | match ignored_user

 

This it seems that the ignore list is working as expected

 

Furthermore I have to say that before the implmentation of the ignore user list we had thousend of logs a day identified with these users. Since the list has been implmented (two days ago) we only have a few logs with thee user.

 

At the end it seems that the ignore user list is working fine however not totally, or not all the time. Maybe something related to the amount of security logs to parse ?

 

Regards,

Hi Laurent

 

It should work just fine, without more details i can only guess

Try, if possible, to check the user-ip mapping the moment you see a log regarding the ignored user to see if it is being mapped or something else might be happening 

Hi reaper,

 

I have checker user-ip mapping table at the moment I see log with the ignored source user and it doesn't appear in the table.

Furthermore, I checked the user ID agent logs UaDebugOld.log (we have two agents) and I see lots of logs that reflect users are well ignored such as :

 

User domain\user_to_ignore is in ignore user lists

 

But there are no log entry where ignored user is added to the mapping table such as :

 

IP x.x.x.x is added (name: domain\user_to_ignore, time: 1490965775).

 

I suspect a user agent software bug related to the log parsing process and the ignore user list. Maybe when there are a huge amount of security logs to parse, sometmes before ignoring the user, the agent sends the IP - username association to the FW. Because there is no other reason explaining why we still sometimes see these ignored users in the FW trafic logs...

good to know the ignore list is working! I'd recommend you reach out to support to have the log overflow you're experiencing analysed

Just to be clear on the wildcard as I read that the wildcard can only be applied at the end.

For example, corpdomain\it-admin*

 

Can you advise if having a wildcard mid string is acceptable?

For example, corpdomain\*_it-admin

 

 

 

 

@dfranz

yes, the wildcard can only be added as the last character in a string

 

corpdomain\it-admin* will work

corpdomain\*_it-admin will not work

Has the feature been looked at to allow the exemption of usernames or resource accounts based on AD group assignment?

We have multiple resources accounts that are maintained under a select few AD groups and would be much easier to apply the AD group to the ignore list then all the separate resource accounts.

hi @Gun-Slinger

 

There is a feature request for this, but it does not have a lot of votes. You can reach out to your local sales team to have your vote added to FR 1172 and FR 7120

Thanks @reaper

I have advised my SE to vote for both...here's to this showing up in 8.x...HA!

I have just tried this and the exclude list doesn't appear to work if the user ID is learned via the XMLAPI, wildcard or no.  Could that explain other people's probelms too?

Hello.  Our Windows Domain admins stood up a new domain for our computers but going to leave users on a variety of other doamins.  I was wondering if anyone has tested excluding an entire domain?  Woudl it be?

"comp_domain\*"

 

What is the use case for ignoring service accounts?

In any environments where you are "actively" using service account, you will probably have to ignore these service accounts, otherwise you will have a lots of wrongly identified users.

For example in our organization we are using dozen of service accounts for various applications and tools. We quickly had to ignore service accounts used for DB backup, Antivirus, and Exchange severs but also a lots more because of incorrect user-id. It's quite easy to figure it out : look at a particular source IP address in the traffoc logs, and across the time you will alternatively see the source user changing : user_x -> service_account -> user_x -> service_account ... Also you will quickly have complaining users if you have a strict policy regarding service accounts.

This would happen everytime a service account is logging, starting or doing anything that is generating event logs.