Hi, I have a problem where the 'User ID Exclude List' setting within the Zone setup on a Palo is not working. I have set my UserID agents to collect events from all IP addresses, then want to filter them on the PA itself as this seems the most logical sequence. I initially only added the objects to the 'Include' list that I wanted to collect IDs from (Desktops) but it still pulled back user IDs from the servers, so I added specific objects to the 'Exclude' section. This too failed. I have tried multiple combinations of includes/excludes, using PA objects and direct IP subnets, and all fail - if the data is on the UserID agent cache, it is pulled into the firewall. Has anyone else seen this? Am I misunderstanding this feature - even though the Help section is explicit in saying this is what it's for? Cheers