How to Ignore Users in User-ID

Created On 09/25/18 20:40 PM - Last Modified 03/21/24 00:24 AM


Symptom


When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally, this is used for service accounts and PC hostnames, but any desired username can be entered. The user must be ignored by the User-ID agent or firewall that first learns of the mapping. The ignore list will not work for username mappings learned from other User-ID agents or firewalls.

Environment


  • PAN-OS 7.1 and above.
  • Windows User-ID Agent.
  • Integrated User-ID Agent.


Resolution


 

  1. Stop the User-ID service.
  2. Modify/create a file ignore_user_list.txt in the directory where User-ID Agent is installed.
    • This file will contain all the users to be ignored.
    • Username patterns with the wildcard * can also be used.
    • The wildcard character * can only be used once per line and must be the last character if used.
    • The format of the file needs to be one username or wildcard pattern on each line.
      Note: It is sometimes required to have two entries for each username: the normal username and the username with the NetBIOS name. Examples:
      • user1
      • mydomain\user1
      • svc_account*
      • mydomain\svc_account*
      • pchost*
      • mydomain\pchost*
      • undesireabledomain1\*
  3. Start the User-ID service.
Please also refer to the knowledge base below: 
How to Create Ignore_User_List with Special Characters in User-ID agent
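
The format rules in step 2 can be checked before the service is started again. The Python linter below is an added example, not Palo Alto Networks code: the name `lint_ignore_list` and the sample entries are constructed for illustration, and skipping blank lines and comparing names case-insensitively are assumptions of the linter, not documented agent behavior.

```python
"""Lint ignore_user_list.txt content against the rules listed in step 2."""


def lint_ignore_list(text):
    """Return (errors, hints); each item is (line_number, entry, message)."""
    errors, hints, valid = [], [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # assumption: blank lines are skipped, not reported
        stars = entry.count("*")
        if stars > 1:
            errors.append((n, entry, "wildcard * used more than once"))
        elif stars == 1 and not entry.endswith("*"):
            errors.append((n, entry, "wildcard * must be the last character"))
        else:
            valid.append((n, entry))

    # Pairing hints follow the note that two entries (plain and domain\name)
    # are sometimes required. Case-insensitive comparison is an assumption.
    plain = {e.casefold() for _, e in valid if "\\" not in e}
    qualified = {e.split("\\", 1)[1].casefold() for _, e in valid if "\\" in e}
    for n, entry in valid:
        if "\\" in entry:
            name = entry.split("\\", 1)[1]
            if name == "*":
                continue  # whole-domain pattern has no plain counterpart
            if name.casefold() not in plain:
                hints.append((n, entry, "no plain entry for " + name))
        elif entry.casefold() not in qualified:
            hints.append((n, entry, "no domain\\name entry for " + entry))
    return errors, hints


# Constructed sample: the article's example entries plus deliberate mistakes.
SAMPLE = r"""user1
mydomain\user1
svc_account*
mydomain\svc_account*
pchost*
undesireabledomain1\*
svc*backup*
*admin
mydomain\printsvc
"""

if __name__ == "__main__":
    errs, notes = lint_ignore_list(SAMPLE)
    for kind, items in (("ERROR", errs), ("HINT", notes)):
        for line_no, entry, msg in items:
            print(f"{kind} line {line_no}: {entry!r}: {msg}")
```

Errors are entries that break the wildcard rules; hints are advisory and only point at entries that lack the second form mentioned in the note.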
 

Starting from PAN-OS 7.1, the ignore user list can also be configured for Agentless User-ID through the WebUI.


Additional Information


How to Add/Delete Users from Ignore User List using Agentless User-ID


