Palo Alto Networks Knowledgebase: How the User-ID Agent Include/Exclude List Works
Created On 09/25/18 19:43 PM - Last Updated 08/05/19 20:36 PM
The Include/Exclude list is applied to networks and hosts identified through the User-ID Agent. The User-ID Agent tries to identify users for the IP range designated as Include. Likewise, the User-ID Agent does not identify users for the network address range designated as Exclude. Note that this is different from the user and group ignore lists, and is only concerned with which networks to include or exclude for the purposes of mapping users.
If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent. When an entry is added to the Include list, there is an implicit deny for any other IP address. The order of entries in the Include/Exclude list is important, as the list is processed top to bottom.
For example, to exclude the subnet 192.168.1.0/24 that lies within the larger subnet 192.168.0.0/16:
1. Add the specific subnet 192.168.1.0/24 and designate it as Exclude.
2. Add the larger, encompassing subnet 192.168.0.0/16 and designate it as Include.
Note: If the rules in the above example were reversed, with the Include rule on top, the User-ID Agent would allow the mapping on 192.168.0.0/16 and then disregard the Exclude rule for 192.168.1.0/24.
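The following Python sketch models the top-to-bottom evaluation described above and flags entries that can never take effect because an earlier, broader entry already covers them. It is an added example, not Palo Alto Networks code; the function names and the (action, CIDR) list format are hypothetical, and it assumes that a list holding only Exclude entries still maps addresses that match nothing.

```python
import ipaddress

def is_mapped(ip, entries):
    """Return True if the modelled agent would attempt user mapping for ip.

    entries is an ordered list of (action, cidr) tuples, where action is
    "include" or "exclude". The list is walked top to bottom and the
    first entry whose network contains the address decides the result.
    """
    addr = ipaddress.ip_address(ip)
    for action, cidr in entries:
        if addr in ipaddress.ip_network(cidr):
            return action == "include"
    # Nothing matched. An empty list maps every network; once any Include
    # entry exists, everything else is implicitly denied.
    # Assumption: an Exclude-only list leaves unmatched addresses mapped.
    return not any(action == "include" for action, _ in entries)

def shadowed_entries(entries):
    """Return (cidr, action, covering_cidr, covering_action) for each entry
    that lies entirely inside an earlier entry and so is never reached."""
    findings = []
    for i, (action, cidr) in enumerate(entries):
        net = ipaddress.ip_network(cidr)
        for prev_action, prev_cidr in entries[:i]:
            prev = ipaddress.ip_network(prev_cidr)
            # subnet_of() raises TypeError when IPv4 and IPv6 are mixed
            if net.version == prev.version and net.subnet_of(prev):
                findings.append((cidr, action, prev_cidr, prev_action))
                break
    return findings

# The two orderings discussed in the article
CORRECT = [("exclude", "192.168.1.0/24"), ("include", "192.168.0.0/16")]
REVERSED = [("include", "192.168.0.0/16"), ("exclude", "192.168.1.0/24")]

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT), ("reversed", REVERSED)):
        print(name, "maps 192.168.1.10:", is_mapped("192.168.1.10", acl))
        for cidr, action, cover, cover_action in shadowed_entries(acl):
            print(f"  {action} {cidr} is shadowed by {cover_action} {cover}")
```

Running a check like `shadowed_entries` against an exported list before deployment catches the reversed ordering, where hosts meant to be excluded would still be mapped.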