How to Configure Include/Exclude List for Agentless User-ID

Created On 09/25/18 17:46 PM - Last Modified 04/03/24 07:36 AM


Resolution


Overview

This document describes how to configure the Include/Exclude list for agentless User-ID. The list can be used to exclude specific subnets or IP addresses so that the firewall does not create user-to-IP mappings for them.

By default, with no entries in the Include/Exclude list, the User-ID Agent creates an IP-to-user mapping for any IP address found in the relevant security log events on each Domain Controller. As soon as an entry is added to the Include/Exclude list, an implicit deny is appended for every other IP address, so only addresses explicitly included are mapped. The order of entries in the Include/Exclude list is important because the list is processed top-down and the first matching entry wins.

Steps

  1. Navigate to Device > User Identification > User Mapping.
  2. Click Add under Include/Exclude Networks and configure the entry as shown below.
    [Figure: Include/Exclude Networks entry dialog]
  3. As shown in the examples below, add the 192.168.17.0/24 subnet as an Include or Exclude entry:
    [Figures: Exclude entry for 192.168.17.0/24; Include entry for 192.168.17.0/24; resulting Include/Exclude list]
  4. Add an entry that includes all other IP addresses for mapping.

With the subnet excluded, no user-to-IP mapping is created for 192.168.17.0/24, and traffic from addresses in that network is treated as coming from an "unknown" user.

Note: By default, User-ID evaluates the subnetworks in the order you add them, from top to bottom. To change the evaluation order, click "Custom Include/Exclude Network Sequence". You can then Add, Delete, Move Up, or Move Down the subnetworks to create a custom evaluation order.
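The following is an added illustration, not part of the original article or of PAN-OS itself: a small Python model of the top-down, first-match evaluation with the implicit deny described above. It assumes an empty list maps every IP and a non-empty list denies anything no entry matched, and uses the article's 192.168.17.0/24 example to show why the order of the exclude entry and the include-all entry matters.

```python
import ipaddress

# Constructed model of an ordered Include/Exclude list: a list of
# (network, action) tuples evaluated top-down, first match wins.
# Assumption (from the article): an empty list maps every IP; a non-empty
# list ends with an implicit deny for any IP that no entry matched.

def should_map(ip, entries):
    """Return True if a user-to-IP mapping for `ip` would be created."""
    if not entries:
        return True  # no list configured: every IP is mapped
    addr = ipaddress.ip_address(ip)
    for network, action in entries:
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"  # first matching entry decides
    return False  # implicit deny at the end of a non-empty list

def evaluate(ips, entries):
    """Evaluate several IPs against one list; returns {ip: mapped?}."""
    return {ip: should_map(ip, entries) for ip in ips}

# Order from the article: exclude the subnet first, then include all others.
CORRECT_ORDER = [("192.168.17.0/24", "exclude"), ("0.0.0.0/0", "include")]
# Same two entries reversed: the include-all entry shadows the exclusion.
SHADOWED_ORDER = [("0.0.0.0/0", "include"), ("192.168.17.0/24", "exclude")]
# Exclude entry alone: every other address falls into the implicit deny.
EXCLUDE_ONLY = [("192.168.17.0/24", "exclude")]

# Constructed sample addresses: one inside the excluded subnet, one outside.
SAMPLE_IPS = ["192.168.17.25", "10.1.2.3"]

if __name__ == "__main__":
    for name, entries in [("correct", CORRECT_ORDER),
                          ("shadowed", SHADOWED_ORDER),
                          ("exclude-only", EXCLUDE_ONLY)]:
        print(name, evaluate(SAMPLE_IPS, entries))
```

Running it shows that only the article's order gives the intended result; with the entries reversed the subnet is still mapped, and with the exclude entry alone nothing outside it is mapped either.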
