Palo Alto Networks Knowledgebase: How the User-ID Agent Include/Exclude List Works

How the User-ID Agent Include/Exclude List Works

Created On 08/05/19 20:23 PM - Last Updated 08/05/19 20:36 PM
User-ID
Resolution

Overview

The Include/Exclude list controls which networks and hosts the User-ID Agent attempts to map users for.  The agent tries to identify users for IP ranges designated as Include, and it does not identify users for ranges designated as Exclude.  Note that this is different from the user and group ignore lists: the Include/Exclude list is only concerned with which networks are in scope for user mapping, not with which users or groups get mapped.

 

Details

If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent.  As soon as at least one Include entry is added, every IP address not covered by an entry is implicitly excluded.  The order of entries matters: the list is processed top to bottom and the first entry that contains an address decides, so a specific entry must be placed above any broader entry that overlaps it.

 

For example, to exclude the subnet 192.168.1.0/24 from the larger subnet 192.168.0.0/16:

  1. Add a specific subnet 192.168.1.0/24 and designate as Exclude.
  2. Add the larger, encompassing subnet 192.168.0.0/16 and designate as Include.


Note: If the entries in the above example were reversed, with the Include entry on top, the 192.168.0.0/16 Include would match addresses in 192.168.1.0/24 first.  The User-ID Agent would map users on that subnet and never reach the Exclude entry for 192.168.1.0/24, so the exclusion would have no effect.
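To make the first-match behaviour concrete, the following is an added example (not code from this article or from Palo Alto Networks) that models the Include/Exclude list as an ordered rule list and evaluates addresses against it, including the implicit exclusion once an Include entry exists.  The function names (build_list, should_map, find_shadowed) and the sample addresses are my own; the two rule lists are the article's example and its reversed form.

```python
import ipaddress

# Added example, not code from the knowledgebase article or from Palo Alto
# Networks: a model of the Include/Exclude list's first-match evaluation.
# Function names and sample addresses are constructed for illustration.


def build_list(entries):
    """Build an ordered rule list from (cidr, action) pairs, top to bottom.

    action is "include" or "exclude".  Plain host addresses are accepted
    and become /32 (or /128) networks.
    """
    rules = []
    for cidr, action in entries:
        if action not in ("include", "exclude"):
            raise ValueError(f"unknown action {action!r} for {cidr}")
        rules.append((ipaddress.ip_network(cidr, strict=False), action))
    return rules


def should_map(rules, ip):
    """Return True if the agent would try to map a user for this address.

    Empty list: every address is eligible.
    Otherwise the first entry whose network contains the address decides.
    If nothing matches and at least one Include entry exists, the address
    is implicitly excluded; a list holding only Exclude entries leaves
    unmatched addresses eligible.
    """
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action == "include"  # first match wins
    return not any(action == "include" for _, action in rules)


def find_shadowed(rules):
    """Return (shadowed_index, by_index) pairs for entries that can never
    match because an earlier entry already covers their whole network."""
    shadowed = []
    for i, (net, _) in enumerate(rules):
        for j in range(i):
            earlier, _ = rules[j]
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append((i, j))
                break
    return shadowed


# The article's example: exclude the /24 first, then include the /16.
CORRECT_ORDER = build_list([
    ("192.168.1.0/24", "exclude"),
    ("192.168.0.0/16", "include"),
])

# The reversed order from the Note: the /16 Include shadows the /24 Exclude.
REVERSED_ORDER = build_list([
    ("192.168.0.0/16", "include"),
    ("192.168.1.0/24", "exclude"),
])

if __name__ == "__main__":
    # Constructed sample addresses: one in the excluded /24, one elsewhere
    # in the /16, and one outside both (hits the implicit exclusion).
    for ip in ("192.168.1.10", "192.168.2.10", "10.0.0.5"):
        print(ip, "correct order:", should_map(CORRECT_ORDER, ip),
              "reversed order:", should_map(REVERSED_ORDER, ip))
    print("shadowed entries in reversed list:", find_shadowed(REVERSED_ORDER))
```

find_shadowed is the check worth running before committing a list: any entry it reports sits below a broader entry that already matches everything it covers, which is exactly the reversed-order mistake described in the Note.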

 

See Also

How to Change the Include and Exclude Lists with User-ID Agent 4.1

 

owner: mbutt



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
