Palo Alto Ignore List and the Windows Run-As Command

You may run into a situation where Windows service accounts show up on your Palo Alto firewall and overwrite the mapping for the AD user who is actually logged in at that workstation. The way around this is the Ignore List. Any names you put on it are dropped before they can be written into the User-ID mapping database, which is essentially an IP-to-AD-user table. See below:

show user ip-user-mapping all                        :see all mappings
show user ip-user-mapping all | match <username>     :see a specific user's mappings
kcordero@nyc-pa3050-inet_active(active)> show user ip-user-mapping all | match smartin
172.16.12.22    vsys1  AD      cordero\smartin                 86393          86393
172.16.17.55    vsys1  AD      cordero\adminsmartin            85562          85562
172.16.12.145   vsys1  AD      cordero\smartin                 35099          35099

The columns are IP address, vsys, source of the mapping (AD or UIA, see the note further down), user, idle timeout and max timeout (both in seconds).

There are two places you can use the Ignore List:
1. On the FW (every firewall needs its own copy; the list is not shared between firewalls)
2. On the server running a User-ID Agent

On the FW:
Add users:

> configure
# set user-id-collector ignore-user domain_name\user_name   :Single user
# set user-id-collector ignore-user [ domain_name\user_name1 domain_name\user_name2 domain_name\user_name3 ... ]   :Multiple users
# commit   :the change does nothing until it is committed

Verify:

> configure
# show user-id-collector | match ignore
# show | match ignore

On the Agent Server:
1. Stop the User-ID service
In the Windows Services list (services.msc) right-click “User-ID Agent” and select “Stop”

2. Modify/create a file ignore_user_list.txt in the directory where User-ID Agent is installed.
Location: C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
• This file will contain all the users to be ignored. (*case sensitive)
• The format of the file needs to be one username on each line

cordero\bgates (*again this is case sensitive and it needs to be ALL lower case)
cordero\sballmer
etc…

3. Start the User-ID service
In the Windows Services list (services.msc) right-click “User-ID Agent” and select “Start”

You can verify that the list is working from the CLI on the PA by running this command:

show user ip-user-mapping all | match kcordero
172.16.10.22    vsys1  UIA     cordero\kcordero                84072          84072

If a username that is on the Ignore List still shows up in this output, the list is not working and you need to troubleshoot. Things to check first: the name in the file or in the firewall config matches exactly (domain\user, all lower case), the User-ID Agent service was restarted after the file was edited, and the firewall config was committed. Also note that a mapping learned before the change stays in the table until its timeout expires; clear it with “clear user-cache ip <ip>” (or “clear user-cache all”) and then check again. The source column tells you which list to look at: AD means the firewall’s own collector (the ignore-user list on the firewall), UIA means a Windows User-ID Agent (ignore_user_list.txt on that agent server).

NOTE:
You will see a “UIA” listed. This just means the mapping was sent by a Windows User-ID Agent. If you see “AD”, the mapping came from the firewall’s agentless (PAN-OS integrated) collector.
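As an added example (not code from the original page or from Palo Alto Networks), the Python script below does the bookkeeping behind the steps above: it normalizes a list of service accounts into the agent's ignore_user_list.txt format and the matching firewall set command, and it parses “show user ip-user-mapping all” output to flag any ignored account that still has a mapping, together with the source (AD or UIA) that produced it, so you know which of the two lists to troubleshoot. The six-column layout is assumed from the output shown on the page; the sample output, the svc_backup account and the 172.16.10.80 entry are constructed.

```python
"""Build Palo Alto User-ID ignore lists and check mapping output against them.

Added example, not code from the original page or from Palo Alto Networks.
Assumptions (not from the page): mapping rows have the six whitespace-separated
columns shown on the page (IP, vsys, source, user, idle timeout, max timeout);
the sample output and the svc_backup account below are constructed.
"""
import re

# Service accounts that must never end up in the IP-to-user mapping (constructed
# sample: one name from the page plus a hypothetical backup account).
SERVICE_ACCOUNTS = [
    "cordero\\adminsmartin",
    "CORDERO\\Svc_Backup",      # mixed case on purpose: the agent file must be lower case
    "cordero\\adminsmartin",    # duplicate on purpose: it must be written only once
]

# Constructed sample of `show user ip-user-mapping all` output (header, rows, total line).
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                            IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------------------- -------------- -------------
172.16.12.22    vsys1  AD      cordero\\smartin                 86393          86393
172.16.17.55    vsys1  AD      cordero\\adminsmartin            85562          85562
172.16.10.22    vsys1  UIA     cordero\\kcordero                84072          84072
172.16.10.80    vsys1  UIA     cordero\\svc_backup              3000           3000
Total: 4 users
"""


def normalize(user: str) -> str:
    """Lower-case a domain\\user name. ignore_user_list.txt is case-sensitive and
    expects all lower case, and all comparisons here use the same form."""
    return user.strip().lower()


def ignore_list_file(users) -> str:
    """Contents of ignore_user_list.txt: one lower-case name per line, no duplicates,
    in the order first seen."""
    seen = []
    for u in users:
        n = normalize(u)
        if n and n not in seen:
            seen.append(n)
    return "\n".join(seen) + "\n"


def fw_set_command(users) -> str:
    """The PAN-OS configure-mode command that adds the same names on the firewall
    (single-name form for one user, bracketed list form for several)."""
    names = ignore_list_file(users).split()
    if len(names) == 1:
        return f"set user-id-collector ignore-user {names[0]}"
    return "set user-id-collector ignore-user [ " + " ".join(names) + " ]"


# One mapping row: IP, vsys, source, user, idle timeout, max timeout.
MAPPING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_mappings(output: str):
    """Parse mapping rows out of the CLI output; header, separator and Total lines
    do not match the row pattern and are skipped."""
    rows = []
    for line in output.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "vsys": m["vsys"], "source": m["source"],
                         "user": m["user"], "idle": int(m["idle"]), "max": int(m["max"])})
    return rows


def find_leaks(output: str, users):
    """Mappings whose user is on the ignore list, i.e. the list is not working for
    that user on that source (AD = firewall collector, UIA = Windows agent)."""
    ignored = set(ignore_list_file(users).split())
    return [r for r in parse_mappings(output) if normalize(r["user"]) in ignored]


if __name__ == "__main__":
    print("ignore_user_list.txt:\n" + ignore_list_file(SERVICE_ACCOUNTS))
    print("firewall command:\n" + fw_set_command(SERVICE_ACCOUNTS) + "\n")
    for r in find_leaks(SAMPLE_OUTPUT, SERVICE_ACCOUNTS):
        print(f"ignore list NOT applied: {r['ip']} -> {r['user']} (source {r['source']})")
```

Feed it real output by pasting the CLI text into SAMPLE_OUTPUT or reading it from a file; any row it prints is an account that should have been filtered, and the source column says whether to look at the firewall's list or at the agent's file.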

Now we come to the “run-as” command. There are times or environments where end users need to “run as” another account for specific applications. This causes the same problem: the “run-as” account overrides the mapping for the AD user who is logged in locally. You can handle it the same way as above, or you can add a specific parameter to the runas command in the application’s shortcut.

C:\Windows\System32\runas.exe /netonly /user:cordero\coradmin "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe"

or

runas /netonly /user:cordero\coradmin "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe"

The key here is the “/netonly” parameter. Without it, runas performs a full interactive logon for the specified account on the workstation, the domain controller records that logon with the workstation’s address, and User-ID maps the workstation’s IP to the run-as account instead of the logged-in user. With “/netonly”, the process starts with the current user’s local identity and the supplied credentials are used only when that application authenticates to remote resources, so no separate domain logon for the workstation is generated. Two caveats: the credentials are not validated when the process starts (a wrong password only fails on the first network access), and they are still used for whatever network authentication the application performs.