PAN AD Useragent - Excluding users?



Hi.

Is it possible to exclude a specific user from the PAN agent configuration?

I know you can filter based on group - unfortunately, the user concerned, which is used for several automated processes, is also a member of AD groups which I can't exclude, so it gets reported every time it runs a background process - which is skewing reporting, as this task reports a lot of traffic when it's not actually the user logged on to the PC.

Can you tell the agent to specifically NOT report a user mapping for this user somehow?

Thanks

29 REPLIES

Hi,

Just to clarify, but are you asking if there's a way to 'auto' populate the ignore user list via AD?

We'd like to have an AD group called something like Pan-user-ignore. All the user accounts that we don't want the agent to monitor would go in this group. Then our admins could add the user to the group as part of the account creation process. Currently the admin has to give me the username, I have to append it to ignore_user_list.txt and restart the services on all my agents to force the changes.

In a nutshell, we have a kiosk machine that is always logged in. Any user with internet access can launch an app, enter their credentials and browse the web as themselves. When the app closes it sends another security event changing the agent's user to a "nobody" account. We have to ignore the kiosk account, otherwise during the user's browsing session the PC will send security events on behalf of the kiosk account, which switches the agent back to the kiosk account (which has limited browsing access).

Hi Kazjak

You should be able to add these users to that group and then add that group to the "ignore group" in the PAN agent.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Create your AD group, add your users to it, and add the group to the file "ignore_group_list.txt" in the PAN agent directory.

Restart your agent, and then you can simply add additional users to the AD group and never have to tweak the agent again.

Mine are in the format "domain\group" and they work fine.

Cheers.

I figured out where I went wrong...  I realized that when I checked the "Group Information" on my new group it wasn't parsing the user.  Even though the user was not going to be added to any of the filter groups I still needed to add the new group as a filter group member before it would recognize the new AD group.

One thing that I've found (we use "kiosk" machines logged in with an AD account set to be ignored) is that if a user with a "normal" (i.e. not ignored) AD account logs in to the computer and then logs out, that "normal" account is cached in perpetuity, because the "ignored" account's login record on the domain controller is ignored.

Ex.: PC Kiosk1 and AD domain account "ignored1" set to ignore (via AD group membership and adding that group in the User agent as an ignore group), so we can force a captive portal authentication to ensure appropriate web access is given to whoever may use that PC (without logging in/out). PC support tech JDOE logs in to the PC (Ctrl-Alt-Del, login, etc.), does his thing and logs out. Ignored1 logs in, but now all Internet activity from that PC and the Internet access permissions are the ones that JDOE had. The IP-to-user cache for KIOSK1 is not cleared out.

Maybe bad form, but I'm bumping this as I would like input from more knowledgeable folks on the problem described - the permanent caching of a "good" account on computers that are in kiosk mode and logged in with "ignored" accounts. See example below:

PC Kiosk1 and AD domain account "ignored1" set to ignore (via AD group membership and adding that group in the User agent as an ignore group), so we can force a captive portal authentication to ensure appropriate web access is given to whoever may use that PC for Internet access (without logging in/out of the PC itself). PC support tech JDOE logs in to the PC (Ctrl-Alt-Del, login, etc.), does his thing and logs out. The Ignored1 account is used to log in, but now all Internet activity from that PC and the Internet access permissions are the ones that JDOE had. The IP-to-user cache for KIOSK1 is not cleared out.

Any solutions to this problem?

Thanks!

John

We use a home-grown app that users have to authenticate with to access the internet. There is a child process running that waits for the user to close IE. When the browser closes we send a security event with a generic "logged" user so that the PAN knows the user context has changed. We also have a Single Sign On solution that works roughly the same. You just need to find a way to send a security event to the domain controllers when the user walks away.
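To make the kiosk failure mode in the posts above concrete, here is a small Python model of an IP-to-user cache that is fed logon events and honours an ignore list. It is an added example written for this thread, not Palo Alto Networks code: the event fields, the 45-minute age-out (the default quoted later in the thread), the account names CORP\ignored1, CORP\jdoe and CORP\nobody and the timestamps are all assumptions. It shows why the mapping stays on JDOE after the ignored account logs back on, how the placeholder-event workaround from the reply above fixes it, and that without such an event only the timer clears the entry.

```python
"""Toy model of the IP-to-user mapping an agent builds from domain-controller
logon events, with an ignore list and an age-out timer.  Added example for
this thread, not Palo Alto Networks code: event fields, the 45-minute
default timeout, the account names and the timestamps are all assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

DEFAULT_TIMEOUT = 45 * 60  # seconds; the default age-out quoted in the thread


@dataclass
class LogonEvent:
    ts: int      # seconds since an arbitrary epoch
    ip: str
    user: str    # domain\user as the DC would log it


@dataclass
class Mapping:
    user: str
    ts: int      # time of the logon event that created the mapping


class MappingCache:
    """IP -> user table.  Events for ignored accounts are dropped outright,
    so an ignored logon never creates *or replaces* a mapping."""

    def __init__(self, ignore_users: Set[str], timeout: int = DEFAULT_TIMEOUT):
        # ignore_user_list.txt holds bare usernames, so compare on the part
        # after the domain separator, case-insensitively.
        self.ignore = {u.lower() for u in ignore_users}
        self.timeout = timeout
        self.table: Dict[str, Mapping] = {}

    def feed(self, ev: LogonEvent) -> None:
        bare = ev.user.split("\\")[-1].lower()
        if bare in self.ignore:
            return                      # dropped: nothing written for this IP
        self.table[ev.ip] = Mapping(ev.user, ev.ts)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        m = self.table.get(ip)
        if m is None:
            return None
        if now - m.ts > self.timeout:
            del self.table[ip]          # aged out
            return None
        return m.user


KIOSK_IP = "10.0.5.20"      # constructed
IGNORED = {"ignored1"}      # contents of ignore_user_list.txt (constructed)


def kiosk_problem() -> Optional[str]:
    """Tech jdoe logs on and off, then the ignored kiosk account logs on again:
    the kiosk IP stays mapped to jdoe because the ignored logon is dropped."""
    cache = MappingCache(IGNORED)
    cache.feed(LogonEvent(0, KIOSK_IP, "CORP\\ignored1"))     # kiosk boots
    cache.feed(LogonEvent(100, KIOSK_IP, "CORP\\jdoe"))       # tech logs on
    cache.feed(LogonEvent(200, KIOSK_IP, "CORP\\ignored1"))   # tech logs off, kiosk account back
    return cache.lookup(KIOSK_IP, 300)                        # still "CORP\\jdoe"


def kiosk_with_placeholder_event() -> Optional[str]:
    """The workaround from the reply: generate a logon event for a non-ignored
    placeholder account when the real user is done, so the mapping is
    overwritten instead of lingering."""
    cache = MappingCache(IGNORED)
    cache.feed(LogonEvent(0, KIOSK_IP, "CORP\\ignored1"))
    cache.feed(LogonEvent(100, KIOSK_IP, "CORP\\jdoe"))
    cache.feed(LogonEvent(200, KIOSK_IP, "CORP\\nobody"))     # placeholder, NOT in the ignore list
    cache.feed(LogonEvent(201, KIOSK_IP, "CORP\\ignored1"))
    return cache.lookup(KIOSK_IP, 300)                        # "CORP\\nobody"


def after_timeout() -> Optional[str]:
    """Without any replacing event, the stale mapping only disappears once the
    age-out timer elapses."""
    cache = MappingCache(IGNORED)
    cache.feed(LogonEvent(100, KIOSK_IP, "CORP\\jdoe"))
    return cache.lookup(KIOSK_IP, 100 + DEFAULT_TIMEOUT + 1)  # None
```

The detail that matters for the workaround is that the placeholder account must not itself be on the ignore list; if it is, its event is dropped exactly like the kiosk account's and JDOE's mapping survives. The placeholder should then be matched by a restrictive policy on the firewall so that the kiosk falls back to limited access rather than to the last real user's rights.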


Sorry for the bump, but in addition to this.

Is it possible to use wildcards or regexps for ignoring users?

In our situation we have a lot of users who have a second account to do administrative tasks (runas); this second username starts with "a_".

It would be nice if I could just add "domain\a_*" to the ignore list. (Tried it, but it didn't work.)

Is there another way, besides creating a group and adding all these users to it? In my opinion that is more a workaround than a solution. Thanks in advance.

The ignore_user_list.txt file does not support the use of the domain prepend, wildcards or regex.

If you would like to see this feature added to the user identification feature, please talk to your sales team so that they can file a feature request on your behalf.

The ignore_user_list.txt file requires one user name per line with no domain prepend.

e.g.

joesmith

janedoe

administrator

av-admin
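Because the file takes only bare usernames and silently ignores anything else, a line like "domain\a_*" just never matches anyone. The following Python helpers, added for this thread and not Palo Alto Networks code, check candidate entries against the format stated in the reply above, resolve a wildcard such as a_* against an account inventory into the explicit entries the file needs (answering the question about "a_" accounts a few posts up), and check ignore_group_list.txt entries for the domain\group form reported to work earlier in the thread. The sample file body, the inventory and the group names are constructed; the rejection reasons are the author's own wording.

```python
"""Helpers for maintaining ignore_user_list.txt and ignore_group_list.txt by
hand, following the formats stated in this thread (users: one bare username
per line, no domain prefix, wildcards or regex; groups: domain\\group).
Added example for this thread, not Palo Alto Networks code.  The sample
file contents, the user inventory and the group names are constructed."""
import fnmatch
import re
from typing import Iterable, List, Tuple

# Characters a reader might expect to act as a wildcard or regex; the agent
# would treat such a line as a literal username that never matches anyone.
_PATTERN_CHARS = set("*?[]()^$|+")


def check_ignore_user_entries(lines: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted, rejected); each rejected entry is paired with a reason."""
    ok: List[str] = []
    bad: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "\\" in line or "/" in line or "@" in line:
            bad.append((line, "domain prefix / UPN not supported; use the bare username"))
        elif _PATTERN_CHARS & set(line):
            bad.append((line, "wildcards and regex not supported; list each account"))
        elif " " in line:
            bad.append((line, "one username per line"))
        else:
            ok.append(line)
    return ok, bad


def expand_pattern(pattern: str, inventory: Iterable[str]) -> List[str]:
    """Since the file cannot hold 'a_*', resolve the wildcard against an
    account inventory (e.g. sAMAccountNames exported from AD) into the
    explicit entries the file needs.  Matching is case-insensitive."""
    pat = pattern.lower()
    return sorted({u.lower() for u in inventory if fnmatch.fnmatchcase(u.lower(), pat)})


# domain\group: a domain part, one backslash, a group name; no UPN or slash forms.
_GROUP_RE = re.compile(r"[^\\/@\s]+\\[^\\/@]+")


def check_ignore_group_entries(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """ignore_group_list.txt entries are reported in the thread to work as domain\\group."""
    ok: List[str] = []
    bad: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        (ok if _GROUP_RE.fullmatch(line) else bad).append(line)
    return ok, bad


def render_ignore_user_list(entries: Iterable[str]) -> str:
    """File body to write out: one entry per line, de-duplicated, trailing newline."""
    return "\n".join(sorted(set(entries))) + "\n"


# Constructed sample input: a hand-edited file with two entries that look
# reasonable but would never match, and a small account inventory.
SAMPLE_IGNORE_USERS = """joesmith
CORP\\janedoe
a_*
administrator
av-admin
"""
INVENTORY = ["jdoe", "a_jdoe", "a_ksmith", "ksmith", "svc-backup", "A_admin"]


if __name__ == "__main__":
    accepted, rejected = check_ignore_user_entries(SAMPLE_IGNORE_USERS.splitlines())
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}")
    accepted += expand_pattern("a_*", INVENTORY)
    print(render_ignore_user_list(accepted), end="")
```

Run against the constructed sample this rejects CORP\janedoe and a_* with a reason each, and the rendered file body lists a_admin, a_jdoe and a_ksmith explicitly alongside the three valid entries. The agent still has to be restarted after the file changes, as the thread notes, so regenerating the file from an inventory export is a one-off step per change rather than a substitute for the AD-group approach.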

How long does it take the user information to age out of the firewall itself?

I added a system account to the ignore_user_list.txt file and while the user agent is no longer visible when I retrieve the IP listing in the UIA application, when I log into the firewall and issue a show user pan-agent user-IDs match-user systemaccountname command, it still appears. 

I performed this action about 14 or 15 hours ago, so I figured that it would have aged out of the firewalls by now.

Any help would be appreciated!

You should be able to simply use 'Ignore group' option within user agent and keep adding groups there.

Agent will not read those groups.

The default is 45 min, but check config.xml under the user agent directory - if it's configured incorrectly it will never time out.

The agent should be restarted.

You can check group cache options under PAN agent to see the timers you configured.

Is there a way that we can use *\username in the security policy in Palo Alto?

We could see traffic from different domains for the same user ID, so if we can use *\username it could eliminate this problem.

Not sure if Palo Alto allows adding this format to the security policy.
