How to Ignore Users in User-ID
116935
Created On 09/25/18 20:40 PM - Last Modified 02/19/25 19:46 PM
Objective
When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally, this is used for service accounts and PC hostnames, but any desired username can be entered. The user must be ignored by the User-ID agent or firewall that first learns of the mapping. The ignore list will not work for username mappings learned from other User-ID agents or firewalls.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- Windows User-ID Agent
- PAN-OS Integrated User-ID Agent
Procedure
-
Stop the User-ID service
- Modify/create a file ignore_user_list.txt in the directory where User-ID Agent is installed.
- This file will contain all the users to be ignored.
- Usernames patterns with wildcard * can also be used.
- Wildcard character * can only be used once per line and must be the last character if used.
- Usernames with special characters can also be used. Please refer to this article: How to Create Ignore_User_List with Special Characters in User-ID agent
- The format of the file needs to be one username or wildcard pattern on each line.
Note: It is sometimes required to have two entries for each username, the normal username and the username with netbios name. Examples:- user1
- mydomain\user1
- svc_account*
- mydomain\svc_account*
- pchost*
- mydomain\pchost*
- undesireabledomain1\*
- Start the User-ID service.
The ignore user list can also be configured for the PAN-OS Integrated (Agentless) User-ID through the WebUI:
Additional Information
How to Add/Delete Users from Ignore User List using Agentless User-ID