01-08-2013 10:41 AM
I've been working on trying to configure all the firewalls with the Agentless User-ID setup, but despite several attempts to enable it I cannot get it to ignore users.
I establish a session, enter config mode, and type in the command set user-id-collector ignore-user [ domain\serviceaccount ], then commit the changes. Despite doing so, I still see all my normal User-ID mappings being overwritten with domain\serviceaccount.
I tried clearing the mapping cache, and when the list starts repopulating I'm still seeing entries only for domain\serviceaccount.
I also tried several methods of entering the accounts, such as matching case and omitting the domain, but it still refuses to match the list. The only thing I haven't tried is entering something like cn=Service Account,cn=Users,dc=domain,dc=com, but at this point I really think that if nothing I've done so far has worked, this will not work either.
I'm not sure what I'm doing wrong, and I cannot seem to find anything in the release notes or KnowledgePoint leading me to believe that there are known issues or that it doesn't work, so I'm open to suggestions.
01-08-2013 12:06 PM
Hi Joshua,
Is it a multi-vsys system by any chance?
If you have multiple vsys, depending on which vsys you need to add the ignore list to, you can use the following command:
# set vsys vsys1 user-id-collector ignore-user [ AD2008\test1 test1 ]
Also, I have worked with a customer and it did work for me. I am not sure why it is not working for you. Try adding both users, with the domain and without the domain.
Hopefully that helps.
Thanks
Numan
01-09-2013 06:34 AM
I have tried every combination of entering the AD account names except for something like test1@ad2008.com or cn=test1,dc=ad2008,dc=com.
This particular firewall does not have any configured virtual systems either, so I am entering the command set user-id-collector ignore-user [ domain\test1 test1 Domain\Test1 Test1 ] to account for with and without the domain and to confirm that the system is not case sensitive.
I'll continue to look around and see if there is anything else I may be missing.
01-09-2013 11:00 AM
Hi Joshua,
Could you try using individual set commands for each user you are adding to the ignore list? You may want to clear the ignore list prior to the test with "delete user-id-collector ignore-user":
set user-id-collector ignore-user "domain\test1"
set user-id-collector ignore-user test1
set user-id-collector ignore-user "domain\user"
set user-id-collector ignore-user user
Thanks,
-- Kevin
01-09-2013 11:13 AM
Hi Joshua,
Another thing to make sure of is that you clear the user-to-IP mapping after you have created the ignore-user list entry.
I see above that you did clear it, but was it before committing the changes or after?
Thank you
Numan
01-09-2013 12:52 PM
Here are the steps I have been following:
1. Log into a CLI session and add all the entries to the ignore list.
2. Verify via the Web UI that the entries are showing up properly in the candidate config view.
3. Stop the User-ID agent running on the local file/print server.
4. From the CLI, run the commit command.
5. Wait for confirmation that the config has been applied.
6. From the CLI, issue clear user-cache all.
7. After that, from the CLI I issue show user ip-user-mapping all | match utilityaccount, which shows entries for all the local IP addresses that should be identified by local users.
So I disable the agentless config and re-enable the application-based User-ID agent to make sure the user entries are not overwritten with the service account.
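As an added example (not from the thread and not Palo Alto Networks code), the helper below automates the check the procedure above performs by hand: it parses the table printed by show user ip-user-mapping all and reports any IP whose mapped user is an account that should have been ignored, comparing names case-insensitively and with or without the domain prefix. It also emits the one-entry-per-command form of set user-id-collector ignore-user suggested earlier in the thread, quoting names that contain a backslash. The mapping table embedded below is constructed sample text laid out like the CLI output; the addresses, vsys name and account names are invented.

```python
"""Check whether an agentless User-ID ignore list is taking effect.

Added example for this thread; not PAN-OS or Palo Alto Networks code.
SAMPLE_MAPPING is CONSTRUCTED text in the shape of
`show user ip-user-mapping all` output (IP, Vsys, From, User, timeouts);
every address and account name in it is invented.
"""
import re

SAMPLE_MAPPING = r"""
IP              Vsys   From    User                              IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------------------- -------------- -------------
10.10.1.21      vsys1  UIA     domain\jsmith                     2400           2400
10.10.1.22      vsys1  UIA     domain\utilityaccount             2400           2400
10.10.1.23      vsys1  UIA     DOMAIN\UtilityAccount             2400           2400
10.10.1.24      vsys1  UIA     domain\adoe                       2400           2400
Total: 4 users
"""

# Only data rows start with a dotted-quad; header, separator and footer do not.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_mappings(text):
    """Return [(ip, user), ...] from the mapping table, skipping header/footer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not IPV4.match(parts[0]):
            continue
        rows.append((parts[0], parts[3]))  # columns: IP, Vsys, From, User
    return rows


def normalize(user):
    """Strip a DOMAIN\\ prefix and lower-case, so domain\\x, DOMAIN\\X and x compare equal."""
    return user.rsplit("\\", 1)[-1].lower()


def ignored_accounts_still_mapped(text, ignore_list):
    """IPs whose mapped user is on the ignore list, as [(ip, user), ...].

    An empty result means the ignore list is doing its job; any hit is an
    address where a service account has displaced the real user mapping.
    """
    ignored = {normalize(u) for u in ignore_list}
    return [(ip, user) for ip, user in parse_mappings(text)
            if normalize(user) in ignored]


def ignore_user_commands(accounts):
    """One `set user-id-collector ignore-user <name>` per account, emitting both
    the domain-qualified and the bare name, with backslash-containing names quoted."""
    cmds = []
    for acct in accounts:
        variants = [acct]
        if "\\" in acct:
            variants.append(acct.rsplit("\\", 1)[-1])
        for name in variants:
            token = f'"{name}"' if "\\" in name else name
            cmd = f"set user-id-collector ignore-user {token}"
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for cmd in ignore_user_commands(["domain\\utilityaccount"]):
        print(cmd)
    hits = ignored_accounts_still_mapped(SAMPLE_MAPPING, ["domain\\utilityaccount"])
    if hits:
        print("ignore list NOT effective; service account still mapped on:")
        for ip, user in hits:
            print(f"  {ip}  {user}")
    else:
        print("ignore list effective: no mappings to ignored accounts")
```

On a real firewall you would paste the CLI output into the script in place of the constructed table (or pipe it in) after the commit and clear user-cache all steps; a non-empty hit list reproduces the symptom described in this thread, while an empty list confirms the entries are being honoured.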
01-18-2013 06:34 AM
On another one of our firewalls we had multiple vsys objects defined but went back to just one. I tried the above steps and this firewall doesn't observe the ignore list either, so knowing this FW did have a second vsys at one point, I tried the command like so:
fwadmin@PA-4050# set vsys vsys1 user-id-collector ignore-user
Invalid syntax.
It doesn't appear to like the command when entered with the "vsys vsys1" part.