This document describes how to configure the Include/Exclude list in agentless User-ID. The list lets you exclude specific subnets or IP addresses so that the firewall does not create user-to-IP mappings for them.
With no entries in the Include/Exclude list (the default), the User-ID agent creates an IP-to-user mapping for every IP address it finds in the relevant security log events on each Domain Controller. As soon as you add one entry, an implicit deny applies to every IP address not matched by an entry, so a list that contains only an Exclude entry stops mapping for all other addresses as well. The order of entries matters because the list is processed top-down and the first matching entry decides whether the address is mapped.
Steps
Navigate to Device > User Identification > User Mapping.
Click Add under Include/Exclude Networks and, for each entry, set the Discovery action (Include or Exclude) and the Network Address in CIDR notation.
The example below uses the 192.168.17.0/24 subnet: one entry excludes that subnet, and a second entry includes all other IP addresses so they are still mapped despite the implicit deny.
With this configuration, user-to-IP mapping does not occur for 192.168.17.0/24, and traffic from addresses in that network is treated as user "unknown".
Note: By default, User-ID evaluates the networks in the order you added them, from top to bottom. To change the evaluation order, click "Custom Include/Exclude Network Sequence"; you can then Add, Delete, Move Up, or Move Down entries to build a custom evaluation order.
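The script below is an added example, not PAN-OS code or anything from the original article: it models the Include/Exclude evaluation rules described above (empty list maps everything, top-down evaluation, implicit deny once the list is non-empty) and runs them over a few constructed Domain Controller logon events. First-match semantics are an assumption drawn from the "top-down" description, and the sample users and IP addresses are made up. Running it with the two entries in each order shows why the sequence matters: with the Include 0.0.0.0/0 entry first, the excluded subnet is still mapped.

```python
import ipaddress

# Constructed sample: (user, client IP) pairs as the agent would learn them
# from Domain Controller logon events. Not real log data.
SAMPLE_EVENTS = [
    ("corp\\alice", "192.168.17.25"),
    ("corp\\bob", "10.1.2.3"),
    ("corp\\carol", "192.168.17.200"),
    ("corp\\dave", "172.16.5.5"),
]

# Include/Exclude list modelled as an ordered list of (action, network) tuples,
# in the order the firewall would evaluate them.
RULES_EXCLUDE_FIRST = [
    ("exclude", "192.168.17.0/24"),  # no mapping for this subnet
    ("include", "0.0.0.0/0"),        # keep mapping everything else
]
# Same two entries, wrong order: the catch-all Include wins for every address.
RULES_INCLUDE_FIRST = list(reversed(RULES_EXCLUDE_FIRST))


def mapping_allowed(rules, ip):
    """Return True if a mapping would be created for ip under the given list.

    Empty list: every address is mapped (the default behaviour).
    Non-empty list: entries are checked top-down; the first entry whose
    network contains the address decides, and an address matched by no
    entry falls to the implicit deny. First-match is an assumption taken
    from the article's 'top-down' description.
    """
    if not rules:
        return True
    addr = ipaddress.ip_address(ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"
    return False  # implicit deny


def build_mappings(events, rules):
    """Return (mapped, unknown): the IP-to-user table the agent would keep,
    and the IPs left as 'unknown' because the list did not allow them."""
    mapped = {}
    unknown = []
    for user, ip in events:
        if mapping_allowed(rules, ip):
            mapped[ip] = user
        else:
            unknown.append(ip)
    return mapped, unknown


if __name__ == "__main__":
    scenarios = [
        ("no list (default)", []),
        ("exclude first", RULES_EXCLUDE_FIRST),
        ("include first", RULES_INCLUDE_FIRST),
        ("include-only list", [("include", "10.0.0.0/8")]),
    ]
    for label, rules in scenarios:
        mapped, unknown = build_mappings(SAMPLE_EVENTS, rules)
        print(f"{label}: mapped={sorted(mapped)} unknown={unknown}")
```

The "include-only list" scenario is the implicit-deny trap: a single Include entry for 10.0.0.0/8 leaves 172.16.5.5 and the 192.168.17.0/24 hosts unmapped even though no Exclude entry was written.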