Include or Exclude Subnetworks for User Mapping
- Device > User Identification > User Mapping
Use the Include/Exclude Networks list to configure the rules that define which subnetworks the User-ID agent will include or exclude when collecting IP address-to-username mappings. By default, if the list is empty, the User-ID agent collects mappings for user identification sources in all subnetworks using any collection method that you configured. The exception is when using the WMI probing method for client systems that have public IPv4 addresses. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927). To enable WMI probing for public IPv4 addresses, you must configure Include rules for the subnetworks where those addresses reside.
The User-ID agent applies an implicit exclude all rule to the list. For example, if you add an Include rule for subnetwork 10.0.0.0/8, the User-ID agent excludes all other subnetworks even if you don’t add Exclude rules for them. Add Exclude rules only if you want the User-ID agent to exclude a subset of the subnetworks specified in an Include rule. For example, if you add an Exclude rule for 10.2.48.0/22 and add an Include rule for 10.0.0.0/8, the User-ID agent will collect mappings from all the subnetworks of 10.0.0.0/8 except 10.2.48.0/22, and will exclude all subnetworks outside of 10.0.0.0/8. If you add Exclude rules without adding any Include rules, the User-ID agent excludes all subnetworks, not just the ones you added.
By default, when determining whether to collect user mapping information for a particular user identification source, the User-ID agent evaluates the rules from top to bottom in the order that the Include/Exclude Networks list displays them. The User-ID agent includes or excludes the source based only on the first rule that matches that source to a subnetwork; the agent does not evaluate any subsequent rules. This means you must list the rules from top to bottom in the order of most to least restrictive. For example, because the 10.2.48.0/22 subnetwork is a subset of the 10.0.0.0/8 subnetwork, you would add an Exclude rule for 10.2.48.0/22 above an Include rule for 10.0.0.0/8 to ensure that the User-ID agent skips mapping collection for any 10.2.48.0/22 sources. If you need to change the evaluation order after adding rules, you can create a Custom Include/Exclude Network Sequence.
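The first-match evaluation, the implicit exclude-all, and the WMI-probing exception described above can be modelled in a few lines. The following is an added example written for this page; it is not code from the PAN-OS documentation or from the User-ID agent itself. The `NetworkRule` class, the `should_collect` and `shadowed_rules` functions, the `method` parameter values and the sample addresses are all constructed for illustration, and "public IPv4" is taken exactly as the page defines it (outside RFC 1918 and RFC 3927).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# The page's definition of a "public" IPv4 address: anything outside RFC 1918
# and RFC 3927 (link-local). Other special ranges are not considered here.
PRIVATE_OR_LINK_LOCAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class NetworkRule:
    """One entry of the Include/Exclude Networks list (constructed model)."""
    action: str          # "include" or "exclude"
    network: str         # CIDR prefix, e.g. "10.0.0.0/8"
    enabled: bool = True # cleared 'Enabled' checkbox -> rule is skipped


def is_public_ipv4(addr) -> bool:
    return isinstance(addr, IPv4Address) and not any(
        addr in net for net in PRIVATE_OR_LINK_LOCAL
    )


def should_collect(ip: str, rules, method: str = "server_monitoring") -> bool:
    """Decide whether the agent collects a mapping for `ip`.

    Semantics as stated on the page:
      * empty list -> collect everywhere, except WMI probing of public IPv4;
      * otherwise evaluate enabled rules top to bottom, first match wins;
      * no match -> implicit exclude-all (so exclude-only lists exclude everything).
    """
    addr = ip_address(ip)
    active = [r for r in rules if r.enabled]
    if not active:
        return not (method == "wmi_probing" and is_public_ipv4(addr))
    for rule in active:
        if addr in ip_network(rule.network, strict=False):
            return rule.action == "include"
    return False  # implicit exclude-all rule


def shadowed_rules(rules):
    """Return indices of enabled rules that can never match because an
    earlier enabled rule already covers their whole subnetwork.
    This is the ordering pitfall the page warns about (most specific first)."""
    shadowed = []
    active = [(i, r) for i, r in enumerate(rules) if r.enabled]
    for pos, (i, rule) in enumerate(active):
        net = ip_network(rule.network, strict=False)
        for _, earlier in active[:pos]:
            other = ip_network(earlier.network, strict=False)
            if net.version == other.version and net.subnet_of(other):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample lists mirroring the page's 10.0.0.0/8 and 10.2.48.0/22 example.
WRONG_ORDER = [NetworkRule("include", "10.0.0.0/8"), NetworkRule("exclude", "10.2.48.0/22")]
RIGHT_ORDER = [NetworkRule("exclude", "10.2.48.0/22"), NetworkRule("include", "10.0.0.0/8")]
EXCLUDE_ONLY = [NetworkRule("exclude", "10.2.48.0/22")]

if __name__ == "__main__":
    print("wrong order, 10.2.48.5 collected:", should_collect("10.2.48.5", WRONG_ORDER))
    print("right order, 10.2.48.5 collected:", should_collect("10.2.48.5", RIGHT_ORDER))
    print("exclude-only, 10.5.0.1 collected:", should_collect("10.5.0.1", EXCLUDE_ONLY))
    print("shadowed in wrong order:", shadowed_rules(WRONG_ORDER))
```

`shadowed_rules` is the check worth running before committing a list: any index it returns is an Exclude (or Include) that sits below a broader rule and will silently never apply.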
If you configure the firewall to redistribute user mapping information to other firewalls, the limits you specify in the Include/Exclude Networks list will apply to the redistributed information.
You can perform the following tasks on the Include/Exclude Networks list:
- To limit user mapping collection to a specific subnetwork or to exclude a specific subnetwork, Add a rule to the list and complete the following fields:
- To remove a rule from the list, select and Delete it.
- To disable a rule without removing it, edit the rule and clear Enabled.
Custom Include/Exclude Network
By default, the User-ID agent evaluates the rules from top to bottom in the order you added them. To change the evaluation order, create a Custom Include/Exclude Network Sequence and then Add, Delete, Move Up, or Move Down the rules as necessary.