PA-500 LDAP Checkin Timing

kaysun — Wed, 28 Mar 2012 15:53:30 GMT

Does anyone know how often a PA-500 checks in with LDAP to determine group members? I was adding users to a group that should be blocked from outside access, however, even after 10 minutes and several restarts the user can still get right out to the internet. How long does it take for the Palo Alto to check back for group members?

On that same note. I have a policy that blocks certain users from getting out to the internet. However, when I apply this policy to the users, it takes up to 10 seconds for them to get to our internal OWA server. When I remove the policy, it is instantaneous. Why would blocking "any" traffic from my Internal Network to the Untrust Zone, cause users to stall out when trying to get to an internal OWA server?

Thanks!

Re: PA-500 LDAP Checkin Timing

mikand — Wed, 28 Mar 2012 18:33:43 GMT

Regarding your OWA question... does your clients have dns servers set who are available on untrust (who are blocked)?

Because your description fits that a client tries to resolve something with dns1, fails after 2 seconds, tries dns2, fails after 2 seconds and so on until some more time have passed and the browser/sshclient/whatever just figures out "ehh, this doesnt work" and then continue with whatever it was trying to access.

topic Re: PA-500 LDAP Checkin Timing in General Topics

PA-500 LDAP Checkin Timing

Re: PA-500 LDAP Checkin Timing