Palo Alto Ignore List and the Windows Run-As Command
You may run across a time when Window’s service accounts come across your Palo Alto FW taking over the logged in AD users credentials. The way around this is to use the Ignore List. What this basically does is remove what ever names you have in the Ignore List and prevents them from entering into the User-ID Mapping database. This database is basically an IP to User AD mapping. See below:
show user ip-user-mapping all :see all mappings
show user ip-user-mapping all | match :see a specific user mapping
kcordero@nyc-pa3050-inet_active(active)> show user ip-user-mapping all | match astevens
172.16.12.22 vsys1 AD cordero\smartin 86393 86393
172.16.17.55 vsys1 AD cordero\adminsmartin 85562 85562
172.16.12.145 vsys1 AD cordero\smartin 35099 35099
There are two places you can use the Ignore List.
1. On the FW (every firewall will need this)
2. On the server running an Agent
On the FW:
# set user-id-collector ignore-user domain_name\user_name :Single User
# set user-id-collector ignore-user [ domain_name\user_name1 domain_name\user_name2 domain_name\user_name3...] :Multiple Users
# show user-id-collector | match ignore
# show | match ignore
On the Agent Server:
1. Stop the User-ID service
In the Windows Services list (services.msc) right-click “User-ID Agent” and select “Stop”
2. Modify/create a file ignore_user_list.txt in the directory where User-ID Agent is installed.
Location: C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
• This file will contain all the users to be ignored. (*case sensitive)
• The format of the file needs to be one username on each line
cordero\bgates (*again this is case sensitive and it needs to be ALL lower case)
3. Start the User-ID service
In the Windows Services list (services.msc) right-click “User-ID Agent” and select “Start”
You can verify if the list is working by going to the command prompt on the PA and run this command:
show user ip-user-mapping all | match kcordero
172.16.10.22 vsys1 UIA cordero\kcordero 84072 84072
If you see the same username that you have in the Ignore List show up in the command above, the Ignore List is not working and you need to troubleshoot why it’s not working.
You will see a “UIA” listed. This just means the name was pulled from a User-ID Agent. If you see “AD”, that just means the name was pulled from the agentless service.
Now we come to the “run-as” command. There are times or environments where end users need to do a “run-as” on specific applications. This will also cause an issue where the “run-as” user will override the local AD login credentials. You can do the same thing we did above or you can use a specific parameter in the applications shortcut.
The key here is the “/netonly” parameter. What basically happens when a user does a “run-as” is that that “run-as” user will take over the locally logged in AD user credentials by default. The parameter “/netonly” prevents this and will only use this user for remote access purposes for that specific application.