There are times you’ll want to create an ignore list on the Palo Alto. Basically, this tells the Palo Alto firewall NOT to add these users to the User-ID IP-to-user mapping database. Why would you do this? I’ll give you a couple of my examples of why I had to use an ignore list.
1. Service Accounts on the PC
2. Users with two AD Accounts for security reasons
First issue: there was a service account running on everyone’s PC for backup jobs. There was actually another one, which I can’t recall at the moment. Every time this job runs, it gets logged in AD under the service account name, and that account now shows up in the Palo Alto User-ID mapping database. The Palo Alto keeps only the most recent user it has seen for an IP address, so when the user’s PC goes to access something over the internet, the service account shows up instead of the regular AD user. This obviously creates a problem, because the security rules are written for their regular AD user accounts and not for the service account. All service accounts should be added to the ignore-user list. They should never have direct access to the internet anyway.
Second issue was when we restricted user roles in AD. We had separate accounts for Domain Admin users, which they could only use when they needed them for their admin tasks. The issue is the same: those admin user-IDs now come across the firewall instead of their regular AD user-IDs. A way around this is to use the ignore list.
There are several ways to do this. One is on the firewall directly. They actually didn’t have this option when we went to implement it, but now they do. The other is when you use User-ID Agent servers: there’s a text file on that server you need to edit. It’s real easy, all you do is edit this file and restart the agent service. I’ll blog about this in the near future. Depending on the size of your environment, you will need to use these servers instead of the firewall. We had to have several servers because of the amount of traffic we had.
Here are some notes:
Usernames are CASE SENSITIVE. Before you add a user to the ignore list, confirm the exact spelling (including the domain\user form and its case) that the firewall has actually learned by issuing the command: show user ip-user-mapping all
Step 1: Add or delete single or multiple users (configure mode, the # prompt)
Add a single user:
# set user-id-collector ignore-user cordero\dakcordero
Add multiple users:
# set user-id-collector ignore-user [ cordero\dakcordero cordero\svc-backup ]
Delete a single user:
# delete user-id-collector ignore-user cordero\dakcordero
Delete multiple users:
# delete user-id-collector ignore-user [ cordero\dakcordero cordero\svc-backup ]
Step 2: Commit the changes on the Primary Firewall
kcordero@tpa-pa3050-inet_active(active)# commit
....55%.98%.......100%
Configuration committed successfully
vsys1 (vsys1) (Module: device)
A way to verify this worked is to look at the IP-user mappings, filtered to the username you just added. The ignored user should NOT show up here. Each row is the IP address, vsys, mapping source, user, and the idle and maximum timeouts in seconds.
show user ip-user-mapping all | match
kcordero@idc-pa3050-inet_active(active)> show user ip-user-mapping all | match dakcordero
172.16.2.22     vsys1  AD  cordero\astevens   86393  86393
172.16.1.55     vsys1  AD  cordero\pastevens  85562  85562
172.16.25.12    vsys1  AD  cordero\astevens   35099  35099
Look at the ignore list:
# show user-id-collector | match ignore
# show | match ignore
To delete ALL users from the ignore-user list:
# delete user-id-collector ignore-user
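As an added example (not from the original post and not Palo Alto’s own tooling), here is a small Python helper that ties the case-sensitivity note and Steps 1 and 2 together: it parses the table printed by show user ip-user-mapping all, picks out the accounts that match a naming convention, and builds the set user-id-collector ignore-user [ ... ] command with every username spelled exactly as the firewall learned it. It also gives you the post-commit check: re-run the mapping command and confirm none of the ignored names are still present. The sample CLI output, the svc- prefix and -adm suffix conventions, and the cordero domain are constructed assumptions; swap in your own rules.

```python
"""Build PAN-OS ignore-user commands from 'show user ip-user-mapping all' output.

Added example, not from the original post or Palo Alto's own tooling.
The sample CLI output below is constructed, and the account-naming rules
(svc- prefix for service accounts, -adm suffix for separate admin accounts)
are assumptions standing in for whatever convention your AD uses.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable, NamedTuple

# Constructed sample of 'show user ip-user-mapping all' output (not real data).
# The same service account appears in two different cases: User-ID matching
# is case-sensitive, so BOTH spellings have to go on the ignore list.
SAMPLE_MAPPING = """\
IP              Vsys   From    User                   IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ---------------------- -------------- -------------
172.16.2.22     vsys1  AD      cordero\\astevens       86393          86393
172.16.2.22     vsys1  AD      cordero\\svc-backup     2700           2700
172.16.1.55     vsys1  AD      cordero\\pastevens      85562          85562
172.16.25.12    vsys1  AD      CORDERO\\Svc-Backup     2700           2700
172.16.25.12    vsys1  AD      cordero\\kcordero-adm   3000           3000
Total: 5 users
"""


class Mapping(NamedTuple):
    ip: str
    vsys: str
    source: str
    user: str          # exactly as the firewall learned it, e.g. domain\\user
    idle_timeout: str  # kept as text; the CLI prints N/A for some sources
    max_timeout: str


# Only rows that start with an IPv4 address are data; header and total lines are skipped.
_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\S+)\s+(?P<max>\S+)\s*$"
)


def parse_ip_user_mapping(text: str) -> list[Mapping]:
    """Parse the table printed by 'show user ip-user-mapping all'."""
    rows: list[Mapping] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Mapping(m["ip"], m["vsys"], m["source"], m["user"],
                                m["idle"], m["max"]))
    return rows


def account_name(user: str) -> str:
    """Return the account part of a 'domain\\user' string."""
    return user.rsplit("\\", 1)[-1]


# Assumed naming conventions (hypothetical); replace with your own.
def is_service_account(user: str) -> bool:
    return account_name(user).lower().startswith("svc-")


def is_admin_account(user: str) -> bool:
    return account_name(user).lower().endswith("-adm")


Rule = Callable[[str], bool]


def ignore_candidates(mappings: Iterable[Mapping],
                      rules: tuple[Rule, ...] = (is_service_account, is_admin_account)) -> list[str]:
    """Usernames matching any rule, first-seen order, exact case preserved.

    Rules compare case-insensitively so the convention matches however AD
    reports it, but the returned strings keep the firewall's exact spelling
    because the ignore list itself is case-sensitive.
    """
    found: list[str] = []
    for m in mappings:
        if any(rule(m.user) for rule in rules) and m.user not in found:
            found.append(m.user)
    return found


def build_ignore_command(users: Iterable[str], action: str = "set") -> str:
    """Render the configure-mode command, using the [ a b ] list form for more than one user."""
    if action not in ("set", "delete"):
        raise ValueError("action must be 'set' or 'delete'")
    users = list(users)
    if not users:
        raise ValueError("no users to ignore")
    if len(users) == 1:
        return f"{action} user-id-collector ignore-user {users[0]}"
    return f"{action} user-id-collector ignore-user [ {' '.join(users)} ]"


def still_mapped(mappings: Iterable[Mapping], ignored: Iterable[str]) -> list[Mapping]:
    """Post-commit check: ignored users that still appear in the mapping table (should be empty)."""
    ignored_set = set(ignored)
    return [m for m in mappings if m.user in ignored_set]


if __name__ == "__main__":
    rows = parse_ip_user_mapping(SAMPLE_MAPPING)
    users = ignore_candidates(rows)
    print(build_ignore_command(users))
    for m in still_mapped(rows, users):
        print(f"still mapped before commit: {m.ip} -> {m.user}")
```

Paste the printed set command into configure mode and commit; then feed the fresh output of show user ip-user-mapping all back through still_mapped, which should return an empty list once the ignore list is in effect. If a name comes back, compare its case character by character against what you put in the ignore list, since that is the usual reason an entry does not take.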