We've been running into an issue with our User-ID Agent where it seems to not have enough discovered users, but it's also losing them randomly as well. Running User-ID Agent version 4.1.4-3, we have it pointed at 5 DCs and it is picking up around 1500 users, but we are expecting there to be over 3000 users at any given time.
After doing some investigation, it appears that this may be a problem with the ignore_user_list functionality that is in place. We have 34 service accounts that are ignored, but the one that seems to be causing the issue is the service account for McAfee. This account connects to each machine periodically and gets updated information about the AV status, and this is picked up in the DC authentication logs. When this account does one of its checks, though, it seems to wipe out the existing user-to-IP mapping that it has previously discovered. If I disable the ignore_user_list, then we get 3500 entries in the mapping table, but most of these then point to the McAfee service account, not the currently logged-in user.
I've also noticed that even though I have the mapping timeout set to 24 hours the count goes down as well as up, reinforcing the idea that something else is removing the mappings from the table. This is even after restarting the service to reset the timeout timer.
I thought if you entered a user into the ignore_user_list file, then it would just ignore logons from that user, not remove any existing mapping that is already in place? Can anyone confirm if this is expected behaviour or if it's something wrong in our setup that's causing the issue.
Any help anyone can provide would be most appreciated
We experienced this issue a couple weeks ago after upgrading to User Agent 4.1.4-3. Support had us downgrade to 4.1.2-2 which resolved the issue.
My understanding is that the ignore_user_list functionality had changed so that the service account login was ignored but the existing mappings were removed. Similar to you, our AV service account was being detected by Palo Alto even though it was in the Ignore list and existing users were being removed, which was functionally different from previous versions. It took us a couple days to identify the same results you were seeing.
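To make the three behaviours discussed in this thread concrete (ignore list honoured as the original poster expects, the ignore list disabled so the AV service account overwrites real users, and the reported 4.1.4-3 behaviour where an ignored logon evicts the existing mapping for that IP), here is a small replay model of an IP-to-user mapping table. It is an added example written for this page, not code from the poster, from the User-ID Agent, or from Palo Alto Networks; the event tuple format, the domain and account names, the IP addresses and the 24-hour expiry are all constructed assumptions, and it does not claim to reproduce the agent's real parsing of DC security logs.

```python
from datetime import datetime, timedelta

# Constructed sample of DC logon events (timestamp, account, source IP).
# These are made-up lines for illustration, not real agent output.
EVENTS = [
    ("2013-05-01T08:00:00", "CORP\\alice",      "10.1.1.10"),
    ("2013-05-01T08:01:00", "CORP\\bob",        "10.1.1.11"),
    ("2013-05-01T08:30:00", "CORP\\svc-mcafee", "10.1.1.10"),  # AV status check-in
    ("2013-05-01T08:30:05", "CORP\\svc-mcafee", "10.1.1.11"),  # AV status check-in
    ("2013-05-01T09:00:00", "CORP\\carol",      "10.1.1.12"),
]

# Hypothetical ignore list; account names are compared case-insensitively.
IGNORE_USER_LIST = {"corp\\svc-mcafee"}

# Mapping timeout, matching the 24 hours the poster configured.
TIMEOUT = timedelta(hours=24)


def build_mappings(events, ignore_list, timeout, *, remove_on_ignored=False):
    """Replay logon events into an ip -> user table.

    remove_on_ignored=False: the behaviour the poster expected, where a logon by
        an ignored account is simply dropped and any existing mapping for that
        IP is left alone until it times out or a non-ignored user logs on.
    remove_on_ignored=True: the behaviour reported for 4.1.4-3, where the
        ignored logon still evicts the mapping for that IP.
    Passing an empty ignore_list models the ignore list being disabled.
    """
    table = {}  # ip -> (user, expiry)
    for ts, user, ip in events:
        now = datetime.fromisoformat(ts)
        # Expire mappings older than the timeout before handling this event.
        for stale_ip in [k for k, (_, exp) in table.items() if exp <= now]:
            del table[stale_ip]
        if user.lower() in ignore_list:
            if remove_on_ignored:
                table.pop(ip, None)
            continue
        table[ip] = (user, now + timeout)
    return {ip: user for ip, (user, _) in table.items()}


def lost_mappings(expected, observed):
    """IPs present in the expected table but missing from the observed one."""
    return sorted(set(expected) - set(observed))


if __name__ == "__main__":
    expected = build_mappings(EVENTS, IGNORE_USER_LIST, TIMEOUT)
    reported = build_mappings(EVENTS, IGNORE_USER_LIST, TIMEOUT, remove_on_ignored=True)
    no_ignore = build_mappings(EVENTS, set(), TIMEOUT)
    print("ignore list honoured:", expected)
    print("ignore list evicts:  ", reported)
    print("ignore list disabled:", no_ignore)
    print("mappings lost:       ", lost_mappings(expected, reported))
```

With the ignore list honoured, all three workstations keep their real users; with the reported eviction behaviour, only the machine the service account never touched survives, and `lost_mappings` names exactly the IPs the AV check-in visited. With the ignore list disabled, those same IPs map to the service account instead, which is the 3500-entry-but-wrong-user situation described in the question. Comparing `expected` against the agent's actual table over time is the check that separates a genuine timeout from an unexpected removal.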