10-10-2017 04:39 PM
Hello,
We are using User-ID Agent.
A number of Source Users are reported as “sophosupdate”. It is not picking up the correct user.
The expected behaviour would be for the end user name (example of m.hayes in the list below).
How to correct this?
Thanks in advance.
10-11-2017 10:01 PM
Hi Farzana,
Try below command ignoring the domain.
show user user-ids match-user sophosupdate
and see if you can see any mapping.
For ignore user list the filename should be exactly ignore_user_list.txt.
Common issue which happens is the file usually gets created with ignore_user_list.txt.txt,
Untick below:
Under Tools>Folder Options > Hide extensions for known file types
Remove the extra .txt if it exists.
10-12-2017 04:32 AM
Also make sure to restart the User-ID service once you've implemented the ignore user list so it picks up and reads the list.
10-10-2017 07:28 PM
Hi Farzana,
You can try the below link to ignore service accounts:
Usually it should work with bcc\sophosupdate in the list, if it does not works then enter both the formats sophosupdate and bcc\sophosupdate.
10-11-2017 02:26 PM - edited 10-11-2017 03:59 PM
Thanks for the suggestion. Tried that but not working.
Hayes one of our members was logged into a Windows 7 desktop with the IP of 10.1.x.y. At the start of the session (initial login) it changed withing 20 minutes and Hayes could not longer browse the internet. I checked the Palo Alto User Agent on BCC-DC02 and found that it was now registering the SophosUpdate account against the 10.1.x.y address.
I cannot find in the PA the user group that bcc\sophosupdate user belongs to.
> show user user-ids match-user bcc\sophosupdate
User Name Vsys Groups
------------------------------------------------------------------
Total: 829
* : Custom Group
> show user user-id-agent config name BCC-DC02
Has nothing in the Ignore List.
10-11-2017 10:01 PM
Hi Farzana,
Try below command ignoring the domain.
show user user-ids match-user sophosupdate
and see if you can see any mapping.
For ignore user list the filename should be exactly ignore_user_list.txt.
Common issue which happens is the file usually gets created with ignore_user_list.txt.txt,
Untick below:
Under Tools>Folder Options > Hide extensions for known file types
Remove the extra .txt if it exists.
10-12-2017 04:32 AM
Also make sure to restart the User-ID service once you've implemented the ignore user list so it picks up and reads the list.
10-12-2017 07:30 PM
Thank you!
We added the “ignore” list at the User ID agent and not the FW GUI.
Also cleared the user-id, and user-id-mp caches and restarted the Agent.
Issue is resolved.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
