PAN AD Useragent - Excluding users?

dagibbs · ‎11-14-2010

Hi.

Is it possible to exclude a specific user from the PAN agent configuration?

I know you can filter based on group - unfortunately, the user concerned, which is used for several automated processes, is also a member of AD groups which I can't exclude, so it gets reported every time it runs a background process - which is skewing reporting, as this task used reports a lot of traffic when it's not actually the user logged on the PC.

Can you tell the agent to specifically NOT report a user mapping for this user somehow?

Thanks

will2097 · ‎11-14-2010

Hi,

that's a nice easy one.

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in
which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

I hope that helps,

All the best,

Will

View solution in original post

will2097 · ‎11-14-2010

Hi,

that's a nice easy one.

You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called “ignore_user_list.txt” in the directory in
which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.

I hope that helps,

All the best,

Will

dagibbs · ‎11-15-2010

Will.

thanks. I knew there was a way to do it, but I couldn't remember HOW - checked every option in the User agent GUI, but forgot about the text control files.

Working a treat now - appreciate your help.

Cheers.

mhuels · ‎12-09-2010

In which form does the agent estimate the items of the listfile?

Do i have to put the Active Directory Domain in front of the user?

Example:

if "win" is the name of the Active Directory Domain and "user" is the username

win\user

or

win/user

or

user

?

I guess, multiple user has to inserted in different lines?

After which time, the excluding list will fire?

odaos · ‎12-09-2010

Hello,

You will have to put the Active Directory Domain in front of the user. (domain/user)

dagibbs · ‎12-09-2010

mhuels wrote:

In which form does the agent estimate the items of the listfile?

Do i have to put the Active Directory Domain in front of the user?

Example:

if "win" is the name of the Active Directory Domain and "user" is the username

win\user

or

win/user

or

user

?

I guess, multiple user has to inserted in different lines?

After which time, the excluding list will fire?

Just

user

one username per line. The name of the file is "ignore_user.txt", and it needs to be put into the same directory as the "PanAgentService" executable.

Once you create this file, you must stop/start (or restart) the PanAgent service for it to take effect.

Cheers

mhuels · ‎12-10-2010

neither win/user in ignore_user_list.txt nor user in ignore_user.txt works.

Nothing to see about "ignore group or user" in the logfiles. I have the impression, the agent ignores the lists

ignore_user_list.txt

ignore_group_list.txt

allow_groups.txt

totally.

I will try to elevate the debug-level.

James · ‎12-10-2010

Hi There

The file is definitely ignore_user_list.txt

It is definitely just "user", no domain required

If it is not working, please make sure the file is in the User-ID Directory - normally in program files. Also, make sure the service has been restarted.

Thanks

James

mhuels · ‎12-10-2010

After i put "user" in "ignore_user_list.txt", the agent gui did not show "user" anymore. But in the PA-logviewer some "user" still remains. If testing the shown source-ip in the agent gui with "Get IP Information", the gui says "_unknown_". It seems to be, the PA does not accept "_unknown_" and presents instead of this the last known username.

I hope, till next monday is time enough for the firewall to time out the old rememberings. Perhaps i have to reboot the PA firewall?

James · ‎12-10-2010

Sounds like the user is in the cache.

Try this command to clear the offending IP:

jsherlow@PA-4050> clear user-cache ip
<ip/netmask> <x.x.x.x/y>

Thanks

James

mhuels · ‎12-10-2010

Mmh.

mhuels@mi2-pan2(active)> show clock

Fri Dec 10 15:43:25 CET 2010

mhuels@mi2-pan2(active)> show user ip-user-mapping ip 10.24.4.25

IP address: 10.24.4.25
User:        unknown
Ident. By:   UNKNOWN
Idle Timeout: 2527s
Max. TTL:    5527s
Groups that user belong to (used in policy)

The Logviewer shows nevertheless an user. Please look at the attachement.

James · ‎12-10-2010

Hmmm, indeed I agree that is somewhat strange.

At this point, we'l probably need to jump on your box. Please can you log a support case?

Thanks

James

dagibbs · ‎12-12-2010

jsherlow wrote:

Hi There

The file is definitely ignore_user_list.txt

It is definitely just "user", no domain required

If it is not working, please make sure the file is in the User-ID Directory - normally in program files. Also, make sure the service has been restarted.

Thanks

James

Sorry, my bad - the stupid Win2008 server I have the agent installed on is configured with the equally stupid windows default of hiding extensions, and my brain parsed the _list bit as the extension.

Yes, I have ignore_users_list.txt, and it works fine for me.

Apologies for the misleading post.

James · ‎12-12-2010

All's well that ends well

kazjak · ‎03-14-2011

Any plans to add Active Directory support for the ignore user list? We have more than a thousand computers working in a kiosk mode that have the "logged in acct" being ignored. We'd love to be able to pass off that admin piece to our NA's but the agent won't parse out users in an ignore group.. We are running 3 Agents and are getting tired of adding a user and restarting services each time an acct is created.

Thanks!

Unlock your full community experience!

PAN AD Useragent - Excluding users?

PAN AD Useragent - Excluding users?

Show your appreciation!