05-17-2018 08:57 AM - edited 05-17-2018 09:17 AM
Hi All
Is it good practice to exclude all server subnets in the exclude list, as I believe we are not interested in administrator-to-IP mapping for servers?
What could be the use cases for the exclude list on the firewall and the User-ID agent?
05-17-2018 09:41 AM
This depends on the environment and your security structure. Most environments likely aren't going to utilize User-ID mapping for generating security policies for their server VLAN; others will make it so that only specific service accounts can access certain restricted machines on the network.
We currently restrict what different admin users can access while logged into a server; and what service-accounts actually have access to different resources depending on which one is being utilized at that time.
05-17-2018 11:33 AM
@BPry thanks, but do you have any use case where you are using the exclude list on the firewall or the User-ID agent? I can think of something like a guest user subnet that is not authenticating through the DC, so we can exclude that subnet on the firewall.
05-17-2018 12:32 PM
Are you talking about excluded networks in the user-id agent configuration or in the zone configuration on the firewall?
05-17-2018 01:22 PM
@Remo actually I am asking about both. What is the difference between the two, and what is the use case for each? Thanks for the help.
05-17-2018 04:07 PM
The exclude lists only have an effect if you also configure an include list entry. So the exclude entries are only for excluding a subset of the subnets specified in the include list. Specifying only exclude entries results in the exclusion of any network.
The difference between the user-id agent and zone config is ...
05-17-2018 05:16 PM
Thanks, but do you have any use case in mind for why we would want to exclude certain subnets, either at the User-ID agent level or at the zone level on the firewall?
05-17-2018 09:57 PM
So an example for this would be something along the lines of this.
Say that I'm using the same IP range across multiple different zones. For example my 'WSL' zone is 10.0.0.0/8 and I use this for all internal clients, however I also have a 'DOJ' zone on this firewall that also uses the same 10.0.0.0/8 IP range. In this scenario I'm likely going to want to exclude different subnets within that range on each zone. So on the Zone's User-ID configuration I might exclude 10.191.0.0/16 on 'WSL' since that's a GUEST network, but on 'DOJ' the GUEST network might be 10.172.0.0/16.
Likewise, you could run into a situation where I have a shared IP range across multiple different zones similar to the above example, but they all fall within the same subnet. So for example, if I had settled on all server addresses always using 10.191.190.0/24 within all of the different zones, and I didn't want to enable User-ID on the servers, I might use the User-ID agent exclude list to exclude 10.191.190.0/24 from all User-ID collection across the environment.
Hopefully that helps a little bit.
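A worked model of the include/exclude semantics discussed in this thread (the rule in the 04:07 PM reply, and the two-zone plus agent-level example above), as an added example that is not code from the original thread or from Palo Alto Networks. It assumes the semantics exactly as stated in the thread: an IP is mapped only if it falls inside an include entry and outside every exclude entry, an exclude-only list maps nothing, an empty list maps everything, and the agent-level list is applied before the zone-level list. Zone names and subnets are taken from the example above; the function names and the `lint_list` checker are hypothetical helpers written for this example.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List

def _nets(cidrs: Iterable[str]):
    return [ip_network(c, strict=False) for c in cidrs]

def mapping_allowed(ip: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    """Model of one User-ID include/exclude list (assumption: models the
    thread's description, not PAN-OS itself).

    * exclude entries only take effect alongside include entries;
    * an IP is mapped if it is inside an include entry and outside every exclude entry;
    * an exclude-only list maps nothing (the pitfall named in the 04:07 PM reply);
    * an empty list (no include, no exclude) maps everything.
    """
    inc, exc = _nets(include), _nets(exclude)
    addr = ip_address(ip)
    if not inc:
        return not exc          # empty list -> everything; exclude-only -> nothing
    if not any(addr in n for n in inc):
        return False
    return not any(addr in n for n in exc)

def lint_list(include: Iterable[str], exclude: Iterable[str]) -> List[str]:
    """Flag configurations that silently do the wrong thing."""
    inc, exc = _nets(include), _nets(exclude)
    warnings = []
    if exc and not inc:
        warnings.append("exclude-only list: no network will be mapped; add include entries")
    elif inc:
        for e in exc:
            # an exclude outside every include never matches anything
            if not any(e.subnet_of(i) for i in inc if i.version == e.version):
                warnings.append(f"exclude {e} is not inside any include entry and has no effect")
    return warnings

# Constructed configuration mirroring the example above: one agent-level list
# that drops the shared server /24 everywhere, and per-zone lists that drop a
# different GUEST /16 in each zone although both zones carry 10.0.0.0/8.
AGENT = {"include": ["10.0.0.0/8"], "exclude": ["10.191.190.0/24"]}
ZONES = {
    "WSL": {"include": ["10.0.0.0/8"], "exclude": ["10.191.0.0/16"]},
    "DOJ": {"include": ["10.0.0.0/8"], "exclude": ["10.172.0.0/16"]},
}

def user_id_collected(ip: str, zone: str) -> bool:
    """Would policy in `zone` see a user for `ip`? Agent list first, then zone list
    (assumption: the two lists compose this way)."""
    if not mapping_allowed(ip, AGENT["include"], AGENT["exclude"]):
        return False
    z = ZONES[zone]
    return mapping_allowed(ip, z["include"], z["exclude"])

if __name__ == "__main__":
    for ip in ("10.191.5.7", "10.172.5.7", "10.191.190.10", "10.5.5.5"):
        print(ip, {z: user_id_collected(ip, z) for z in ZONES})
    print(lint_list([], ["10.191.0.0/16"]))
    print(lint_list(["10.0.0.0/8"], ["192.168.0.0/16"]))
```

Running it shows the same guest host being mapped in one zone and not the other, the shared server /24 being dropped in every zone by the agent-level entry, and `lint_list` catching the two mistakes worth a pre-commit check: an exclude-only list (which maps nothing at all) and an exclude entry outside every include entry (which does nothing).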