03-07-2012 01:58 PM
Hi,
I have a problem where the 'User ID Exclude List' setting within the Zone setup on a Palo is not working.
I have set my UserID agents to collect events from all IP addresses, then want to filter them on the PA itself as this seems the most logical sequence. I initially only added the objects to the 'Include' list that I wanted to collect IDs from (Desktops) but it still pulled back user IDs from the servers, so I added specific objects to the 'Exclude' section. This too failed. I have tried multiple combinations of include/excludes, using PA objects and direct IP subnets, and all fail - if the data is on the UserID agent cache, it is pulled into the firewall.
Has anyone else seen this? Am I misunderstanding this feature - even though the Help section is explicit in saying this is what it's for?
Cheers
03-07-2012 02:15 PM
Hi...After you enter the IPs into the Exclude List, did you commit for the change to take effect? Also, you may want to clear the user cache via the CLI.
admin@PA-2050> clear user-cache
> all Clear all ip to user cache in data plane
> ip Clear the specified ip to user cache in data plane
Thanks.
03-07-2012 02:37 PM
Thanks for the reply.
Yes, change committed on the Palo, user cache cleared via the CLI and Palo agents restarted for good measure.
None of the above stops IP addresses that are either explicitly or implicitly excluded from being registered with the PA.
03-08-2012 04:01 PM
Please open a case with support to have it reviewed in more detail. Thanks.