In our post Palo Alto URL Filtering we covered User-ID, which gives us visibility into the Active Directory account generating the traffic. Depending on the AD group you're using, a service account might be reported as the user mapped to an IP. There are a few ways to get around this problem, but the simplest might just be to ignore that account.
Logging into the PA console, we query for the list of accounts and their IP address mappings. We see an inappropriate account, which we'll call domain\unwanted.
admin@PA-3020> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
172.16.10.100   vsys1  AD      domain\unwanted                  2388           2388
172.16.10.101   vsys1  AD      domain\account1                  2420           2420
172.16.10.102   vsys1  AD      domain\account2                  2308           2308
Entering configure mode, we can specifically tell the PA to ignore this account.
admin@PA-3020> configure
Entering configuration mode
[edit]
admin@PA-3020# set user-id-collector ignore-user domain\unwanted
admin@PA-3020# commit
....55%70%99%.......100%
Configuration committed successfully
[edit]
admin@PA-3020# exit
Exiting configuration mode
Once the ignore entry has been created, we clear the user caches.
admin@PA-3020> clear user-cache all
All entries in user cache removed!
admin@PA-3020> clear user-cache-mp all
All entries in user cache removed!
Re-running our query, we see the unwanted account is no longer associated with our IP.
admin@PA-3020> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
172.16.10.100   vsys1  AD      domain\account3                  2388           2388
172.16.10.101   vsys1  AD      domain\account1                  2420           2420
172.16.10.102   vsys1  AD      domain\account2                  2308           2308
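When the mapping table is long, the check above can be scripted. The following is an added example, not part of the original post: it parses saved `show user ip-user-mapping all` output, finds every IP mapped to an account on a list of unwanted accounts, and builds the `ignore-user` command shown earlier. The sample output, the unwanted-account list and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the `show user ip-user-mapping all` output above.
SAMPLE = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
172.16.10.100   vsys1  AD      domain\unwanted                  2388           2388
172.16.10.101   vsys1  AD      domain\account1                  2420           2420
172.16.10.102   vsys1  AD      DOMAIN\Unwanted                  2308           2308
"""

# Assumption: IPv4 rows with six whitespace-separated columns, as in the post.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)$"
)

def parse_mappings(text):
    """Return one dict per mapping row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def find_unwanted(rows, unwanted):
    """Map each unwanted account to the IPs it holds (case-insensitive match)."""
    canon = {u.lower(): u for u in unwanted}
    hits = {}
    for r in rows:
        name = canon.get(r["user"].lower())
        if name is not None:
            hits.setdefault(name, []).append(r["ip"])
    return hits

def ignore_commands(hits):
    """Build the configure-mode command from the post, one per account."""
    return [f"set user-id-collector ignore-user {user}" for user in sorted(hits)]

if __name__ == "__main__":
    hits = find_unwanted(parse_mappings(SAMPLE), [r"domain\unwanted"])
    for user, ips in hits.items():
        print(f"{user} is mapped to {', '.join(ips)}")
    print("\n".join(ignore_commands(hits)))
```

Running the same script against the output captured after the commit and cache clear should report no hits for the ignored account.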