Using User-ID v4, how do I exclude users in certain groups?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using User-ID v4, how do I exclude users in certain groups?

Not applicable

In the old style v3 user-ID agent, I could exclude certain groups of users from being mapped. How do I do so in v4?

Background :

We have certain users in a department group "Infosys" who are being blocked from web browsing. It turns out they're launching an MS tool under administrative credentials and user-ID is matching their IP against this new credential. The policy only allows "infosys" users from browsing, so they're blocked.

The admin credential, called "sccm" is not in the "Infosys" group - it's in the "Sysuser" group. In the Palo Alto policy User Identication/Group Mappings, we've made sure that only Infosys is listed, not Sysuser, but as the IP mapping happens at the agent, it's already too late.

So, how do we replicate the v3 agent configuration of excluding certain group's members from ever being mapped?

Thanks!

p.s. if this doesn't exist any more, we'll just downgrade the agents to the v3 client, I suppose.

1 accepted solution

Accepted Solutions

Hi,

this behavior is a known Bug in User Agent 4.1.4 & 4.1.5

Although there is no hint in the Release Notes

it seems that User Agent 4.1.6 is working again.

(as far as i can see in my own tests yet)

Regards

Marco

View solution in original post

6 REPLIES 6

L5 Sessionator

Hello,

You can create/ modify ignore_user_list.txt file in the User-ID directory under the Palo Alto Networks Folder.

Here is the link which will guide through the process thoroughly:

https://live.paloaltonetworks.com/docs/DOC-2893

Thanks.

Very close, Kadak, thank for that - but still not quite working, sadly.

This ignore_users_list.txt does prevent the sccm user from being mapped to a given IP address, BUT the user agent now simply deletes the IP mapping instead. So I've got 192.168.1.10 mapped as neil.broadley in the User-ID agent and I can see that in the "Monitoring" tool. Then I launch my Windows system tool as the sccm user and... bam! My entry in User-ID is deleted, no mapping exists for my 192.168.1.10 (it vanishes in real time on the "Monitoring" tool) and since I'm not identified, I lose all my web browsing.

Any way to change that behaviour that you know of?

What specific version of the User-ID agent are you running?  4.1.(?).

This information will be very helpful in determining expected behavior.

thank you.

Hi,

this behavior is a known Bug in User Agent 4.1.4 & 4.1.5

Although there is no hint in the Release Notes

it seems that User Agent 4.1.6 is working again.

(as far as i can see in my own tests yet)

Regards

Marco

That is correct, there is a known issue with UID Agent 4.1.4 & 4.1.5 wherein the ignore_user_list was not properly observed.

This has been resolved with the release of UID Agent 4.1.6 and should not be an issue with UID Agent version 4.1.3 and earlier.

I've applied the 4.1.6 agent to both User-ID servers and updated the ignore_user_list.txt on each. This has resolved the problem. Not sure if this support group ignores, but user ignores will fix the present issue, so this thread is definitely closed. Thanks for your updates, everyone.

  • 1 accepted solution
  • 4555 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!