I've got an installation with approx. 70k+ users, where User-ID is an important factor. I want to ignore all users with the prefix adm or svc in the user name (admin and service accounts) from User-ID, to avoid getting unwanted IP-user mappings. I have the option to use both agentless and the agent on a Windows server. There are so many admin and service accounts that adding them one by one in a txt file or in the CLI on the FW simply isn't an option.
I've searched a lot for this both in articles here and the admin guides, but I can't find a good solution. Does anybody have a smart way to solve this issue? I.e. scripting or something else?
Any input would be appreciated, as this is really becoming a pain...
The LDAP search string for this is quite easy:
This filter can be used under User Identification -> Group Mapping -> Server Profile -> User objects
The User-ID Best Practice guide also says:
"The Group Include List can then be used to filter which groups from the LDAP servers are displayed in the Firewall Policy Interface. This also filters which users are tracked in the firewall logs. If a user does not belong to one of these groups, the firewall will not record the users name in the various logs."
Is this helpful for you?
Nice to know, but it's unfortunately not what I'm looking for. This would help in narrowing down the ldap part of user-id (group-mapping), but not the IP-user-mapping part.
I need a way to filter away IP-user mappings containing a prefix (i.e. adm or svc). Using the ignore_user_list.txt in the agent or "set user-id-collector ignore-user" in agentless does not scale in a large environment.
You can try using a tool like PowerShell and save the output in a text file (be careful: that amount of users can impact the server performance).
After checking the correct name format, you just rename the file 'ignore_user_list.txt' and put it in the agent installation folder. This can be a workaround; because of your many users this could impact the User-ID agent performance (better to run it on a dedicated server), and I also couldn't find the maximum number of excluded users the file can contain.
I advise you to contact your SE to create a feature request to filter out user-to-IP mappings based on wildcards.
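As an added example (not code from the thread or from Palo Alto Networks), here is one way to generate the ignore list the reply above describes: a PowerShell script that queries Active Directory with a single LDAP filter for the adm/svc prefixes and writes one entry per line to ignore_user_list.txt, plus an optional list of "set user-id-collector ignore-user" commands for the agentless collector. It assumes the RSAT ActiveDirectory module is installed, that the account running it has read access to the directory, and that the agent expects one 'DOMAIN\username' per line; the search base, NetBIOS name, prefixes and file names are placeholders for this example.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is available and the caller can read the directory.
Import-Module ActiveDirectory

# Placeholders for this example: adjust to your environment.
$Prefixes   = @('adm', 'svc')        # sAMAccountName prefixes to exclude
$SearchBase = 'DC=example,DC=local'  # placeholder domain / OU to search
$NetBios    = 'EXAMPLE'              # placeholder NetBIOS domain name
$OutFile    = '.\ignore_user_list.txt'
$CliFile    = '.\ignore_user_cli.txt'

function New-PrefixLdapFilter {
    # Builds one LDAP filter so the domain controller does the matching,
    # e.g. (&(objectCategory=person)(objectClass=user)(|(sAMAccountName=adm*)(sAMAccountName=svc*)))
    param([string[]]$Prefix)
    $clauses = $Prefix | ForEach-Object { "(sAMAccountName=$_*)" }
    return "(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"
}

$ldap = New-PrefixLdapFilter -Prefix $Prefixes

# Request only sAMAccountName to keep the load on the DC low; Get-ADUser pages
# through results by default, so tens of thousands of accounts are fine.
$users = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase |
         Select-Object -ExpandProperty SamAccountName |
         Sort-Object -Unique

# Entry format is an assumption (one 'DOMAIN\username' per line); the thread
# says to confirm the format the agent expects before deploying the file.
$lines = $users | ForEach-Object { "$NetBios\$_" }

# The agent reads a plain text file, so write ASCII with Windows line endings.
$lines | Out-File -FilePath $OutFile -Encoding ASCII

# Optional agentless variant: one configure-mode command per user, built from
# the command string quoted in the thread. Syntax and accepted name format are
# assumptions; verify them against your PAN-OS version before pasting.
$lines | ForEach-Object { "set user-id-collector ignore-user $_" } |
    Out-File -FilePath $CliFile -Encoding ASCII

Write-Host ("Wrote {0} ignore entries to {1} and {2}" -f $lines.Count, $OutFile, $CliFile)
```

Run it on a dedicated host (or off-hours) as the reply suggests, spot-check the first few lines of the output against the name format the agent actually logs, and re-run it on a schedule so newly created admin and service accounts are picked up.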