https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/510548#M106216 <P>Hi,</P> <P>A relatively old post perhaps. But I'm having a bit of a challenge understanding the limitations properly.</P> <P>&nbsp;</P> <P>So we have a firewall (and a panorma). We'd like to configure our firewall to use (A)AD and user groups in policies and autorisations like portals and gateways.</P> <P>&nbsp;</P> <P>First the firewall needs to understand where it can get AD group information? So it will query AD for groups? It will receive more groups back than 1000 (which is not a lot) and fail enumeration?<BR />What happens if we narrow down the location in active directory by specifying a location to enumerate? And this contains &lt;1000 groups by itself. However these groups here are filled with groups themselves (nesting). How does that count toward this limit?</P> <P>&nbsp;</P> <P>Is there a difference in PAN-OS version that may have increased the limits? Or do we really need to work with multiple locations (which is also limited) to create a situation where the firewall is actually capable of obtaining everything it needs to, to be able to do its work ?</P> Tue, 02 Aug 2022 10:11:19 GMT Klaverblad 2022-08-02T10:11:19Z https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/395919#M91317 <P>Hello,</P><P>&nbsp;</P><P>Recently I got error below on PA 850 device(8.1.13)</P><P>-User Group count of 1098 exceeds threshold of 1000</P><P>&nbsp;</P><P>The log is straight forward, number of group is exceeding the limit, but I have some question.</P><P>&nbsp;</P><P>1. I have one more device,PA-3220, which look same LDAP for group mapping(same configuration).</P><P>I found article about this and it says FW has limitation for user group above 8.x and it's on all FW.</P><P>But there is no same log on 3220, even it has same number of group,1098.</P><P>Is the limit different via devices?</P><P>&nbsp;</P><P>2. The log says number of group exceeding the limit, but FW still holds over 1000 user group.</P><P>active)&gt; show user group list | match Total<BR />Total: 1098</P><P>&nbsp;</P><P>Is this log just alert? I don't know how FW can hold more than 1000 group if there is limit.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Apr 2021 04:25:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/395919#M91317 yhlee1 2021-04-06T04:25:27Z https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/395961#M91324 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103730">@yhlee1</a> ,</P> <P>&nbsp;</P> <P>Yes, each platform has its own limits.&nbsp;</P> <P>You can make the comparison on this page:</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-3220,pa-850" target="_blank">https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-3220,pa-850</A></P> <P>&nbsp;</P> <P>In this particular example you'll notice that the PA-850 can have 1000 active and unique groups in policy, compared to the PA-3220 which can have 10,000 (aggregate of LDAP groups, dynamic user groups and XML API groups).</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kiwi.</P> <P>&nbsp;</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 06 Apr 2021 08:32:10 GMT https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/395961#M91324 kiwi 2021-04-06T08:32:10Z https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/510548#M106216 <P>Hi,</P> <P>A relatively old post perhaps. But I'm having a bit of a challenge understanding the limitations properly.</P> <P>&nbsp;</P> <P>So we have a firewall (and a panorma). We'd like to configure our firewall to use (A)AD and user groups in policies and autorisations like portals and gateways.</P> <P>&nbsp;</P> <P>First the firewall needs to understand where it can get AD group information? So it will query AD for groups? It will receive more groups back than 1000 (which is not a lot) and fail enumeration?<BR />What happens if we narrow down the location in active directory by specifying a location to enumerate? And this contains &lt;1000 groups by itself. However these groups here are filled with groups themselves (nesting). How does that count toward this limit?</P> <P>&nbsp;</P> <P>Is there a difference in PAN-OS version that may have increased the limits? Or do we really need to work with multiple locations (which is also limited) to create a situation where the firewall is actually capable of obtaining everything it needs to, to be able to do its work ?</P> Tue, 02 Aug 2022 10:11:19 GMT https://live.paloaltonetworks.com/t5/general-topics/user-group-limits-on-firewall/m-p/510548#M106216 Klaverblad 2022-08-02T10:11:19Z