This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Ignoring Users in Mapping

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Ignoring Users in Mapping

PIRSA
L0 Member

‎06-26-2018 09:06 PM

Howdy,

 

Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similiar.

 

We have noticed recently, that some users are logging in with a local computer account and then obviously being able to browse the internet falling into a catch all rule for 'Known Users' which is required. 

 

It was suggested, as an option that we try to not learn them as 'known Users' etc.  However, I am not sure how we would handle that in our case.

 

The problem is that the workstation name is not constant like if the user were coming in with their domain\username, so the users are appearing as below in the user mapping tables:

 

User:          mn2343234\administrator
User:          mn12345\administrator

User:          mn56789\administrator

etc etc

 

So if I am reading things correctly the only way to stop this access is that we would need to somehow make that text file the agent uses on the server dynamic and populate it with computer name/username items one per line, then restart the agent to apply the settings? Is there another easier way to ignore these users?

 

0 Likes Likes
2 REPLIES 2

reaper
Cyber Elite
Cyber Elite

‎06-27-2018 01:39 AM

If the users are being learned, you have probing enabled: when an unknown IP connects to the firewall, the firewall will ask the UserID agent for information. if it does not havbe a mapping and probing is enabled, it will then probe the IP and detect the local account

 

Probing has pro's and cons: it will also periodically probe existing mappings and if a user has logged out or moved to a new ip (wifi roaming), the no-longer-active session/unused ip will be cleared from mapping. This helps prevent other iusers swooping in and abusing the previous user's mappings access

 

so the best option is to simply exclude the admin accounts from being registered, through the ignore_user_list.txt

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎06-27-2018 10:12 AM

Hello,

One option would be to use user-id in your allow internet browsing policy. Then anyone who is not a 'domain user' would not be able to browse the internet. In the past I used the group 'Domain User' if anything fell outside of it it would fall int oa more stringent policy.

 

Hope it helps.

0 Likes Likes
  • 1937 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks