PA-5050, Agent-less user-id to AD, exclusions not working?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-5050, Agent-less user-id to AD, exclusions not working?

L1 Bithead

Working on setting up a 5050 with user-id mapping against 2 domain controllers.  the agent-less, WMI based setup is working fine thus far, except I cant figure out how to exclude certain IP ranges.

For instance.  We have a VPN appliance that does Kerberos authentication to the AD Domain.  Everytime a user logs in, it associates the IP of the device requesting authentication as a user-id map.  Id like to just exclude that device from ever being learned.  Along with the domain controllers and some other servers themselves.

I have tried a few different include/excludes on all the zones with UID turned on, but it doesnt seem to stop those IPs from being learned.

PanOS 5.0.2

1 accepted solution

Accepted Solutions

Its working.  The addresses were coming back after I cleared the cache.  I just had to wait it out.  Just impatient.  Sorry for the bum question!

View solution in original post

10 REPLIES 10

L5 Sessionator

You can use the Include/Exclude Networks section to ignore mapping for certain networks:

ignore.JPG

I tried that.  But that makes it so the mapping isnt learned from the AD servers themselves.

Example.  AD Servers at 10.0.0.1/16 and 10.0.0.2/16.  I dont want to learn who is logged onto the AD servers, or any other server in the 10.0.0.0/16 subnet.  Only clients in another subnet.  I put exclude 10.0.0.0/16 in that list and then NOTHING gets learned except the IPs from RADIUS accounting.  Just seems like it is malfunctioning somehow.

EDIT:  IIRC, that made it so it wouldnt discover the AD servers themselves.  Because the servers in the box above disappeared shortly afterwards.

EDIT2:  To clarify.  If I have 10.0.0.0/16 and AD servers 10.0.0.1/10.0.0.2 and other misc servers or appliances at 10.0.0.20-25.  I do not want a username to ever be associated with IPs 10.0.0.1, 10.0.0.2, 10.0.0.20-25.

L1 Bithead

Looking to ignore IPs, not users.  Certain IPs I dont want to ever be associated with a user.

almost the same syntax

set user-id-collector include-exclude-network

I just did it.  The same thing happened.  All the IPs learned from the AD servers in the excluded range went away.  Im not completely clear on what enabled and discovery are for.  They seem to have differing functions.

If you have 10.0.0.0/16 as part of the exclude network, any ip in this range will not have an associated ip-user mapping. Anything not part of this, say 192.168.0.0/16 that are learned from your server should have a mapping.

Discovery - is to define the include or exclude list

Enable option lets you enable the above option (include/exclude). If you do not have this checked, the include/exclude list will not take effect.

Im going to leave it overnight.  I think, maybe, Im just impatient... LOL. 

That, and I had to put a final allow line at the bottom...

Have you tried adding the single IP addresses with /32 subnet? So...

10.0.0.1/32

10.0.0.2/32

10.0.0.20/32

10.0.0.21/32

10.0.0.22/32

10.0.0.23/32

10.0.0.24/32

10.0.0.25/32

Its working.  The addresses were coming back after I cleared the cache.  I just had to wait it out.  Just impatient.  Sorry for the bum question!

  • 1 accepted solution
  • 4092 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!