Incorrect User-ID

L4 Transporter

Hello,

 

We are using User-ID Agent. 

A number of Source Users are reported as “sophosupdate”. It is not picking up the correct user.

The expected behaviour would be for the end user name (example of m.hayes in the list below).

 

User-ID.jpg

 

How to correct this?

Thanks in advance.


Accepted Solutions
L2 Linker

Hi Farzana,

 

Try the command below, ignoring the domain.

 

show user user-ids match-user sophosupdate

 

and see if you can see any mapping.

 

For the ignore user list, the filename should be exactly ignore_user_list.txt.

 

A common issue is that the file usually gets created as ignore_user_list.txt.txt.

 

Untick below: 

Under Tools > Folder Options > Hide extensions for known file types

Remove the extra .txt if it exists.

L4 Transporter

Also make sure to restart the User-ID service once you've implemented the ignore user list so it picks up and reads the list.


All Replies
L2 Linker

Hi Farzana,

 

You can try the below link to ignore service accounts:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Ignore-Users-in-User-ID-Agent/ta-p/5...

 

Usually it should work with bcc\sophosupdate in the list. If it does not work, then enter both formats: sophosupdate and bcc\sophosupdate.

 

L4 Transporter

Thanks for the suggestion. Tried that but not working.

 

Hayes, one of our members, was logged into a Windows 7 desktop with the IP of 10.1.x.y. At the start of the session (initial login) it changed within 20 minutes and Hayes could no longer browse the internet. I checked the Palo Alto User Agent on BCC-DC02 and found that it was now registering the SophosUpdate account against the 10.1.x.y address.

 

I cannot find in the PA the user group that bcc\sophosupdate user belongs to.

 

> show user user-ids match-user bcc\sophosupdate

 

User Name                       Vsys    Groups

------------------------------------------------------------------

 

Total: 829

* : Custom Group

 

> show user user-id-agent config name BCC-DC02

 

Has nothing in the Ignore List.

L4 Transporter

Thank you!

 

 We added the “ignore” list at the User ID agent and not the FW GUI.

Also cleared the user-id, and user-id-mp caches and restarted the Agent.

 

Issue is resolved.
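
An added example, not part of the original thread or of any Palo Alto Networks tooling: a PowerShell check for the two ignore-list problems discussed in the accepted answers (a hidden double extension, and the account missing in one of its two name formats). The function name is hypothetical, the folder path is a placeholder, and the file format is assumed to be one account name per line.

```powershell
# Added example: audit the User-ID Agent folder for the ignore-list issues from this thread.
# Test-IgnoreUserList is a hypothetical helper; $AgentDir must point at your agent's install folder.
function Test-IgnoreUserList {
    param(
        [Parameter(Mandatory)] [string] $AgentDir,
        [Parameter(Mandatory)] [string] $Account,   # e.g. 'sophosupdate'
        [string] $Domain                            # e.g. 'bcc' (optional)
    )
    $expected = 'ignore_user_list.txt'
    $findings = @()

    # Explorer may hide known extensions, so read the real names from the file system.
    $candidates = Get-ChildItem -LiteralPath $AgentDir -File |
        Where-Object { $_.Name -like 'ignore_user_list*' }

    foreach ($f in $candidates) {
        if ($f.Name -ne $expected) {
            $findings += "Misnamed file '$($f.Name)': rename to '$expected'"
        }
    }
    $list = $candidates | Where-Object { $_.Name -eq $expected }
    if (-not $list) {
        $findings += "No file named exactly '$expected' in $AgentDir"
        return $findings
    }

    # Assumption: one account name per line; blank lines are skipped,
    # and the comparison is case-insensitive (PowerShell default).
    $entries = Get-Content -LiteralPath $list.FullName |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $wanted = @($Account)
    if ($Domain) { $wanted += "$Domain\$Account" }   # both formats, as suggested above
    foreach ($w in $wanted) {
        if ($entries -notcontains $w) { $findings += "Entry '$w' is missing from $expected" }
    }
    if (-not $findings) { $findings += 'OK: file name and entries look correct' }
    return $findings
}

# Usage with the names from this thread (the path is a placeholder):
# Test-IgnoreUserList -AgentDir '<User-ID Agent install folder>' -Account 'sophosupdate' -Domain 'bcc'
```

After correcting the file, restart the User-ID service as described above so the list is read.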
