04-14-2015 11:32 AM
Hi senspersons
I guess that this is a Windows server with some service running under a user account. In the example it is "scott".
You can tell the User-ID Agent to ignore that particular user account. To do this, create a file called "ignore_user_list.txt" in the directory in which the User-ID Agent was installed (typically c:\Program Files\Palo Alto Networks\PanAgent). Put in that file the name of the service account that you want the User-ID Agent to ignore.
The ignore_user_list.txt file requires one user name per line with no domain prepended.
e.g.
joesmith
janedoe
administrator
av-admin
Also, you may want to clear the user cache via the CLI.
admin@PA-2050> clear user-cache
> all Clear all ip to user cache in data plane
> ip Clear the specified ip to user cache in data plane
Regards
Slawek
04-14-2015 01:30 PM
Kindly go through the following docs,
How to Ignore Users in User-ID Agent
https://live.paloaltonetworks.com/docs/DOC-2893
How to Add/Delete Users from Ignore User List using Agentless User-ID
https://live.paloaltonetworks.com/docs/DOC-4278
How to Clear User-to-IP Mapping for an Ignored User and Verify it is Working
https://live.paloaltonetworks.com/docs/DOC-6107
Regards,
Rahul
04-14-2015 03:02 PM
Thank you, that was exactly what I was looking for.
I ran these commands -
clear user-cache ip 10.0.36.15
clear user-cache all
clear user-cache-mp ip 10.0.36.15
clear user-cache-mp all
And when I run show user ip-user-mapping ip 10.0.36.15 it still shows the user being mapped to that system -
IP address: 10.0.36.15 (vsys1)
User: xxxxx\xscott
From: UIA
Idle Timeout: 1552s
Max. TTL: 1552s
Groups that the user belongs to (used in policy)
Group(s): cn=xxxx,ou=paloalto,ou=groups,ou=xxxxxx,dc=xxxxx,dc=local
Any ideas why the user isn't being cleared from that machine?
Thanks,
Sean
04-15-2015 01:17 AM
Hi
Did you create a file called "ignore_user_list.txt" in the directory in which the User-ID Agent was installed with "xscott" inside?
Regards
Slawek
04-15-2015 04:57 AM
Also, make sure you run the following command first to clear the mapping from MP,
clear user-cache-mp all
Then run,
clear user-cache all
DP learns the mapping from MP. Sometimes, if you clear DP first, and before you clear MP, it will be pushed again from MP to DP. So it is always better to clear from MP, then from DP.
Regards,
Rahul Singh
04-15-2015 01:41 PM
I have added the ignore_user_list.txt into the User-ID Agent folder and have the user both with and without the domain prepended: domain\username and username on separate lines. I also ran the clear user-cache-mp all command first, then the clear user-cache all. When I run show user ip-user-mapping ip 10.0.36.15, it still shows the user. Not sure what's going on, but it doesn't want to clear the user out from the machine... Any ideas on something else I can try?
Thanks,
Sean
04-15-2015 01:51 PM
You need to clear the user from User-ID agent first.
User-ID Agent >>> Monitoring >>> Discovered Users,
Look for the user and delete it.
Then delete MP cache and DP cache.
Regards,
Rahul Singh
04-15-2015 01:55 PM
I just tried clearing it from the User-ID Agent and the name came back within roughly 5 seconds. At this point I'm beginning to think it's a bug of some sort... Why does the computer/agent think that user is logged into the 10.0.36.15 machine when nobody is?
04-15-2015 01:58 PM
Can you check if WMI probing is enabled on User ID Agent? If it is enabled, disable it.
04-15-2015 02:02 PM
Make sure you disable the service first, make the changes, commit, start the service.
04-15-2015 02:04 PM
One more thing, make sure you have created the file with the proper extension.
It should not be ignore_user_list.txt.txt.
Make sure you uncheck the option "Hide extensions" under Windows folder options.
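An added helper, not code from the thread or from Palo Alto Networks, that checks an ignore_user_list.txt candidate against the rules given above (exact filename, one bare username per line, no domain prefix) and parses the show user ip-user-mapping output to confirm the mapped user is actually on the list. The mapping sample and usernames are constructed, and the case-insensitive comparison is an assumption based on Windows usernames being case-insensitive.

```python
import re
from typing import List

# Constructed sample modelled on the "show user ip-user-mapping" output
# quoted earlier in the thread (domain and user are placeholders).
SAMPLE_MAPPING = """IP address: 10.0.36.15 (vsys1)
User: example\\xscott
From: UIA
Idle Timeout: 1552s
Max. TTL: 1552s
"""


def check_ignore_list(filename: str, content: str) -> List[str]:
    """Return problems with an ignore_user_list.txt candidate.

    Rules from the thread: the file must be named exactly
    ignore_user_list.txt (not .txt.txt), one username per line,
    with no domain prefix (domain\\user or user@domain).
    """
    problems = []
    if filename != "ignore_user_list.txt":
        problems.append(f"bad filename {filename!r}; must be ignore_user_list.txt")
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "\\" in line or "@" in line:
            problems.append(f"line {n}: {line!r} has a domain prefix; use the bare username")
        elif " " in line:
            problems.append(f"line {n}: {line!r} contains whitespace; one username per line")
    return problems


def ignored_users(content: str) -> set:
    """Usernames the agent would read from the file (lower-cased, an assumption)."""
    return {l.strip().lower() for l in content.splitlines() if l.strip()}


def mapped_user(mapping_output: str) -> str:
    """Extract the bare username from the 'User: domain\\name' line."""
    m = re.search(r"^User:\s*(\S+)", mapping_output, re.M)
    if not m:
        return ""
    return m.group(1).rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def mapping_should_be_gone(mapping_output: str, ignore_content: str) -> bool:
    """True if the user still shown in the mapping is on the ignore list."""
    return mapped_user(mapping_output) in ignored_users(ignore_content)
```

If mapping_should_be_gone returns True after the caches have been cleared, the list is fine and the mapping is being re-learned from another source, which is where the WMI probing check below comes in.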
04-15-2015 02:11 PM
That seems to have fixed it. After I disabled WMI probing, and cleared the cache the user is no longer listed for DNS traffic.
Is there a way to ignore that particular machine from ever reporting a user? I'd still like to see the user's traffic, just not for that machine... Not sure how to go about that...
04-15-2015 02:23 PM
You can try to exclude that PC's IP under User ID Agent >>> Discovery >>> Include/Exclude Networks.
Add Exclude Specified Network >>> configure the PC IP address with a /32 mask.
Check if that works.
Regards,
Rahul Singh
04-16-2015 08:34 AM
The agent accepted the /32 however the user is showing up in the traffic log for DNS again.