Agentless User-ID not processing ignore-user list

L1 Bithead

I've been working on trying to configure all the firewalls with the Agentless User-ID setup but despite several attempts to enable it I cannot get it to ignore users.

I establish a session, enter config mode and type in the command set user-id-collector ignore-user [ domain\serviceaccount ], then commit the changes, and despite doing so I still see all my normal user ID mappings being overwritten with domain\serviceaccount.

I tried clearing the mapping cache, and when the list starts repopulating I'm still seeing entries only for domain\serviceaccount.

I also tried several methods of entering the accounts, such as matching case and leaving out the domain, but it still refuses to match the list. The only thing I haven't tried is entering something like cn=Service Account,cn=Users,dc=domain,dc=com, but I really think at this point that if nothing I've done before has worked, this will not work either.

I'm not sure what I'm doing wrong, and I cannot seem to find anything in the release notes or KnowledgePoint leading me to believe that there are known issues or that it doesn't work, so I'm open to suggestions.


L5 Sessionator

Hi Joshua,

Is it a multi-vsys system by any chance?

If you have multiple vsys, depending on which vsys you need to add the ignore list to, you can use the following command.

# set vsys vsys1 user-id-collector ignore-user [ AD2008\test1 test1 ]

Also, I have worked with a customer and it did work for me. I am not sure why it is not working for you. Try adding both users, with the domain and without the domain.

Hopefully that helps.

Thanks

Numan

I have tried every combination of entering the AD account names except for something like test1@ad2008.com or cn=test1, dc=ad2008, dc=com or something like that.

This particular firewall itself does not have any configured virtual systems as well so I am entering the command set user-id-collector ignore-user [ domain\test1 test1 Domain\Test1 Test1 ] to account for with and without the domain and to confirm that the system is not case sensitive as well.

I'll continue to look around and see if there is anything else I may be missing.

Hi Joshua,

Could you try using individual set commands for each user you are adding to the ignore list? You may want to clear the ignore list prior to the test with "delete user-id-collector ignore-user".

set user-id-collector ignore-user "domain\test1"

set user-id-collector ignore-user test1

set user-id-collector ignore-user "domain\user"

set user-id-collector ignore-user user

Thanks,

-- Kevin

L5 Sessionator

Hi Joshua,

Another thing to make sure of is that you clear the IP-user mapping after you have created the ignore-user list entry.

I see above that you did clear it, but was it before committing the changes or after?

Thank you

Numan

Here are the steps I have been following

1. Log into a CLI session and add all the entries to the ignore list.

2. Verify via the Web UI that the entries are showing up properly in the candidate config context view.

3. Stop the User-ID agent running on the local file/print server.

4. From the CLI, run the commit command.

5. Wait for confirmation that the config has applied.

6. From the CLI, issue clear user-cache all.

7. After that, from the CLI, issue show user ip-user-mapping all | match utilityaccount, which shows entries for all the local IP addresses that should be identified by local users.

So I disable the agentless config and re-enable the Application based User-ID agent to make sure the user entries are not overwritten with the service account.
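The last step above (grepping the IP-user mapping for the service account after a commit and cache clear) is the check that tells you whether the ignore list is actually being honoured. The script below is an added example, not from the original thread or from Palo Alto Networks: it parses pasted output of `show user ip-user-mapping all` and reports every IP whose mapped user matches an ignore-user entry, comparing names the way the thread discusses (case-insensitively, with or without the DOMAIN\ prefix). The column layout of the sample output is an assumption and the rows are constructed; adjust the regular expression if your PAN-OS version prints a different table.

```python
"""Report IP-user mappings still attributed to users on an ignore-user list.

Added example (not vendor code). Paste the real output of
`show user ip-user-mapping all` into SAMPLE_OUTPUT, or read it from a file,
and list the same entries you committed with `set user-id-collector ignore-user`.
"""
import re

# Constructed sample; the column layout is an assumption about the CLI table.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.5        vsys1  UIA     domain\\serviceaccount            2500           2700
10.1.1.6        vsys1  UIA     domain\\jsmith                    2600           2700
10.1.1.7        vsys1  UIA     DOMAIN\\ServiceAccount            2550           2700
10.1.1.8        vsys1  UIA     serviceaccount                   2590           2700
10.1.1.9        vsys1  UIA     domain\\mlee                      2640           2700
Total: 5 users
"""

# The entries committed to the ignore list (hypothetical names).
IGNORE_USERS = ["domain\\serviceaccount", "serviceaccount"]

# One mapping row: IP, vsys, source, user, idle timeout, max timeout.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def normalize(user):
    """Lower-case the name and drop any DOMAIN\\ prefix so variants compare equal."""
    user = user.strip().lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user


def parse_mappings(text):
    """Return the mapping rows (ip, vsys, source, user) found in CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "vsys": m["vsys"],
                         "source": m["src"], "user": m["user"]})
    return rows


def leaked_mappings(text, ignore_users):
    """Rows whose user should have been ignored but was still mapped to an IP."""
    ignored = {normalize(u) for u in ignore_users}
    return [r for r in parse_mappings(text) if normalize(r["user"]) in ignored]


if __name__ == "__main__":
    leaks = leaked_mappings(SAMPLE_OUTPUT, IGNORE_USERS)
    if not leaks:
        print("ignore list is effective: no mappings to ignored users")
    for r in leaks:
        # Each line here is an IP whose real user mapping has been overwritten.
        print(f"{r['ip']:<16} {r['vsys']:<6} {r['source']:<6} {r['user']}  <- on ignore list")
```

Run it right after the `clear user-cache all` step and again a few minutes later: a growing list of IPs attributed to the ignored account means the agentless collector is still learning that user from the logon events, regardless of how the ignore entry was spelled.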

L1 Bithead

On another one of our firewalls we had multiple vsys objects defined but went back to just one. I tried the above steps and this firewall doesn't observe the ignore list either, so knowing this FW did have a second vsys at one point, I tried the command like so:

fwadmin@PA-4050# set vsys vsys1 user-id-collector ignore-user

Invalid syntax.

It doesn't appear to like the command when entered with the "vsys vsys1" part.
