10-09-2012 03:34 AM
In the old style v3 user-ID agent, I could exclude certain groups of users from being mapped. How do I do so in v4?
Background:
We have certain users in a department group "Infosys" who are being blocked from web browsing. It turns out they're launching an MS tool under administrative credentials and user-ID is matching their IP against this new credential. The policy only allows "infosys" users to browse, so they're blocked.
The admin credential, called "sccm", is not in the "Infosys" group - it's in the "Sysuser" group. In the Palo Alto policy User Identification/Group Mappings, we've made sure that only Infosys is listed, not Sysuser, but as the IP mapping happens at the agent, it's already too late.
So, how do we replicate the v3 agent configuration of excluding certain group's members from ever being mapped?
Thanks!
p.s. if this doesn't exist any more, we'll just downgrade the agents to the v3 client, I suppose.
10-09-2012 08:02 AM
Hello,
You can create/modify the ignore_user_list.txt file in the User-ID directory under the Palo Alto Networks folder.
Here is the link which will guide you through the process thoroughly:
https://live.paloaltonetworks.com/docs/DOC-2893
Thanks.
10-10-2012 02:36 AM
Very close, Kadak, thanks for that - but still not quite working, sadly.
This ignore_users_list.txt does prevent the sccm user from being mapped to a given IP address, BUT the user agent now simply deletes the IP mapping instead. So I've got 192.168.1.10 mapped as neil.broadley in the User-ID agent and I can see that in the "Monitoring" tool. Then I launch my Windows system tool as the sccm user and... bam! My entry in User-ID is deleted, no mapping exists for my 192.168.1.10 (it vanishes in real time on the "Monitoring" tool) and since I'm not identified, I lose all my web browsing.
Any way to change that behaviour that you know of?
10-19-2012 05:16 PM
What specific version of the User-ID agent are you running? 4.1.(?).
This information will be very helpful in determining expected behavior.
Thank you.
10-22-2012 03:22 AM
Hi,
This behavior is a known bug in User Agent 4.1.4 & 4.1.5.
Although there is no hint in the Release Notes,
it seems that User Agent 4.1.6 is working again
(as far as I can see in my own tests yet).
Regards
Marco
11-29-2012 11:03 AM
That is correct, there is a known issue with UID Agent 4.1.4 & 4.1.5 wherein the ignore_user_list was not properly observed.
This has been resolved with the release of UID Agent 4.1.6 and should not be an issue with UID Agent version 4.1.3 and earlier.
12-06-2012 04:00 AM
I've applied the 4.1.6 agent to both User-ID servers and updated the ignore_user_list.txt on each. This has resolved the problem. Not sure if this supports group ignores, but user ignores will fix the present issue, so this thread is definitely closed. Thanks for your updates, everyone.
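The three outcomes discussed in this thread (no ignore list, the mapping deletion reported on 4.1.4/4.1.5, and the ignore list honoured), as a simplified model added here for illustration; it is not the User-ID agent's code. The one-account-per-line file format, the event tuples and all function names are assumptions.

```python
# Added illustration: a simplified model, not Palo Alto Networks code.
# File format (one account per line) and event shape are assumptions.

def load_ignore_list(text):
    """Parse ignore-list text: one account per line, blanks skipped."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def replay(events, ignored, delete_on_ignored=False):
    """Replay (ip, user) logon events; return the final ip -> user table.

    delete_on_ignored=True models the behaviour reported for 4.1.4/4.1.5:
    a logon by an ignored account removes the existing mapping for that IP.
    """
    table = {}
    for ip, user in events:
        if user.lower() in ignored:
            if delete_on_ignored:
                table.pop(ip, None)
            continue  # ignored accounts never become the mapped user
        table[ip] = user
    return table

def lost_mappings(events, ignored):
    """IPs that keep a user when the list is honoured but end up unmapped
    under the deletion behaviour."""
    good = replay(events, ignored)
    bad = replay(events, ignored, delete_on_ignored=True)
    return sorted(ip for ip in good if ip not in bad)

# Constructed sample: the sequence described in the thread.
EVENTS = [
    ("192.168.1.10", "neil.broadley"),  # interactive logon
    ("192.168.1.10", "sccm"),           # tool launched under admin credential
]
IGNORED = load_ignore_list("sccm\n")

if __name__ == "__main__":
    print("no ignore list :", replay(EVENTS, set()))
    print("list honoured  :", replay(EVENTS, IGNORED))
    print("delete on match:", replay(EVENTS, IGNORED, delete_on_ignored=True))
    print("IPs left unmapped:", lost_mappings(EVENTS, IGNORED))
```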