Palo Alto User-ID Ignore List Notes

There are times you’ll want to create an ignore list on the Palo Alto. Basically, this tells the Palo Alto FW NOT to add these users to the User-ID mapping database. Why would you do this? I’ll give you a couple of my examples of why I had to use an ignore list.

1. Service Accounts on the PC
2. Users with two AD Accounts for security reasons

First issue: there was a service account running on everyone’s PC for backup jobs. There was actually another one which I can’t recall at the moment. Every time this job runs, it gets logged in AD with this service account name, and the account then shows up in the Palo Alto User-ID mapping database. Palo is going to use the most up-to-date user in its database. So when the user’s PC goes to access something over the internet, the service account shows up instead of the regular AD user-id. This creates an issue when the user goes out to the internet, because the rules are configured to use their regular AD user account and not that service account. All service accounts should be added to the user-ignore list. They should never have direct access over the internet anyway.

The second issue came up when we restricted user roles in AD. We had separate accounts for Domain Admin users, which they could only use when they needed them to do their tasks. The issue is the same: these user-ids will now come across the firewall instead of their regular AD user-ids. A way around this is to use the ignore list.

There are several ways to do this. One is on the FW directly. They actually didn’t have this option when we went to implement it, but now they do. The other applies when you use User-ID Agent servers: there’s a text file on that server you need to edit. It’s really easy; all you do is edit this file and restart the app service. I’ll blog about this in the near future. Depending on the size of your environment, you will need to use these servers instead of the firewall. We had to have several servers because of the amount of traffic we had.

Here are some notes:

Usernames are CASE SENSITIVE. Confirm how the username appears by issuing the command: show user ip-user-mapping all

Step 1: Add/Delete Single and/or Multiple Users
> configure

Add a single user:
# set user-id-collector ignore-user cordero\dakcordero

Add multiple users:
# set user-id-collector ignore-user [ cordero\dakcordero cordero\svc-backup ]

Delete a single user:
# delete user-id-collector ignore-user cordero\dakcordero

Delete multiple users:
# delete user-id-collector ignore-user [ cordero\dakcordero cordero\svc-backup ]

Step 2: Commit the changes on the Primary Firewall
# commit

kcordero@tpa-pa3050-inet_active(active)# commit
....55%.98%.......100%
Configuration committed successfully
vsys1 (vsys1)
(Module: device)

Verify:
A way to verify this worked is to look at the ip-user-mappings. The user name should NOT show up here.

show user ip-user-mapping all | match <username>

kcordero@idc-pa3050-inet_active(active)> show user ip-user-mapping all | match dakcordero
172.16.2.22    vsys1  AD      cordero\astevens                86393          86393
172.16.1.55    vsys1  AD      cordero\pastevens               85562          85562
172.16.25.12   vsys1  AD      cordero\astevens                35099          35099

Look at the ignore list:
> configure
# show user-id-collector | match ignore
# show | match ignore

To delete ALL users from the ignore-user list:
> configure
# delete user-id-collector ignore-user
# commit
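
The case-sensitivity note and the Verify step above can be checked together offline. The following is an added example, not part of the original notes and not a Palo Alto tool: it compares a saved copy of the `show user ip-user-mapping all` output against the intended ignore list. The function names and the sample rows are constructed for illustration, and the column layout is assumed to match the output shown on this page.

```python
# Added example: audit an ignore list against saved mapping output.
# SAMPLE_MAPPING is constructed; columns follow the output shown on this page.
SAMPLE_MAPPING = """\
172.16.2.22    vsys1  AD      cordero\\astevens                86393          86393
172.16.1.55    vsys1  AD      cordero\\SVC-Backup              85562          85562
172.16.25.12   vsys1  AD      cordero\\dakcordero              35099          35099
"""

def parse_mappings(text):
    """Return (ip, user) pairs from mapping rows; skip headers and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data row: IP, vsys, source, domain\user, idle timeout, max timeout
        if len(fields) >= 6 and fields[0].count(".") == 3 and "\\" in fields[3]:
            rows.append((fields[0], fields[3]))
    return rows

def audit_ignore_list(mapping_text, ignore_users):
    """Classify each ignore entry by comparing it with the mapped users."""
    mapped = parse_mappings(mapping_text)
    result = {"still_mapped": [], "case_mismatch": [], "ok": []}
    for entry in ignore_users:
        # Exact (case-sensitive) hits: the entry is correct but still mapped.
        exact = [ip for ip, user in mapped if user == entry]
        # Same name in a different case: per the note above, the entry
        # as typed would not match the user the firewall actually sees.
        folded = sorted({user for _, user in mapped
                         if user != entry and user.lower() == entry.lower()})
        if exact:
            result["still_mapped"].append((entry, exact))
        elif folded:
            result["case_mismatch"].append((entry, folded))
        else:
            result["ok"].append(entry)
    return result

def set_command(users):
    """Build the configure-mode command in the form used on this page."""
    if len(users) == 1:
        return f"set user-id-collector ignore-user {users[0]}"
    return "set user-id-collector ignore-user [ " + " ".join(users) + " ]"

if __name__ == "__main__":
    report = audit_ignore_list(
        SAMPLE_MAPPING, ["cordero\\dakcordero", "cordero\\svc-backup"])
    print(report)
    # Re-issue mismatched entries using the case seen in the mapping table.
    print(set_command([seen[0] for _, seen in report["case_mismatch"]]))
```

An entry reported under still_mapped after the commit means the ignore list has not taken effect for that user yet; an entry under case_mismatch should be re-entered with the case shown in the mapping table.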