topic Re: I disable a user on ldap ,but he can access the destination as before in General Topics

I disable a user on ldap ,but he can access the destination as before

ChuanhouLei — Fri, 03 Jan 2014 06:56:43 GMT

there have a user on the ldap , I allow he access one website in security policy .But when I disable this account on ldap srver , he can access the website as before , what can i do ?

消息编辑者为：Achates Ray

Re: I disable a user on ldap ,but he can access the destination as before

ybommakanti — Fri, 03 Jan 2014 16:30:31 GMT

Hello ChuanhouLei,

PaloAlto Networks firewall when configured for group mapping,will talk to active directory every 60 minutes by default This is configurable under group mapping settings,update interval.

Once every 60 minutes (by default) an LDAP querry is sent to retrieve any changes or additions or deletions to user-group membership.Looks like you are seeing the issue where even when you removed the user from group from AD it is still not updating mapping on the Device and user can still access the website.

Try changing the update interval to 60 seconds and check if that resolved the issue.

Hope this helps.

Yashwanth

Re: I disable a user on ldap ,but he can access the destination as before

ChuanhouLei — Sun, 05 Jan 2014 05:02:42 GMT

Thank you for your reply!

I am disable the user not delete or remove it.

Re: I disable a user on ldap ,but he can access the destination as before

ChuanhouLei — Fri, 07 Mar 2014 09:48:16 GMT

ybommakanti adminI disable the user on ldap not remove the user,who can help me ?

Re: I disable a user on ldap ,but he can access the destination as before

knarra1 — Sat, 08 Mar 2014 15:51:11 GMT

If the security policy is configured with the group that user is member of, it is expected to match security policy Firewall retrieve the AD groups and the associated members from ldap and keeps the group membership . If the user still exist in the group and there is a ipaddress to user mapping for that user account , you will see the from that user/ip is matching to the security rule You can try removing the user from the group in AD and Force User Group Mapping Refresh ( https://live.paloaltonetworks.com/docs/DOC-3294). See if that fix the issue .

Re: I disable a user on ldap ,but he can access the destination as before

ChuanhouLei — Mon, 10 Mar 2014 03:00:20 GMT

Thank you ,knarra1,

If I want to filter some users, how should I do?

Re: I disable a user on ldap ,but he can access the destination as before

knarra1 — Mon, 10 Mar 2014 22:42:15 GMT

If you are referring to users in group, We do not have option of filtering certain members in group. Please let me know if you are referring to something else

Re: I disable a user on ldap ,but he can access the destination as before

mbutt — Mon, 10 Mar 2014 23:54:05 GMT

You might be running into the following scenario during your testing. Please refer to this doc.

Enable Age-Out Timeout With Netbios/WMI Disabled for User-ID Agent

Below is another document for related symptoms

User-ID Does Not Send WMI Probes for Known IP Addresses

You can also check out the following doc for detailed informationon user id

User Identification Tech Note - PAN-OS 4.0

User Identification Tech Note PAN-OS 4.1

Let is know if this helps,

Thank you

Numan

Re: I disable a user on ldap ,but he can access the destination as before

ChuanhouLei — Thu, 13 Mar 2014 10:44:04 GMT

I want to know how to set the Search Filter?