topic User Identification Timeout - What to do ? in General Topics

User Identification Timeout - What to do ?

FabioGarcia — Tue, 04 Sep 2012 17:54:08 GMT

Dears,

I have Palo Alto consolidated and working fine in my network but sometimes I have to do some changes on AD groups to give some rights to some users...

I am realizing that all changes delays too much to take effect in Palo Alto, I think is because my agent have user identification timeout set to 45 minutes..

In other words Palo ALto delays around 45 minutes to realize any change into AD groups... right ?

I am thinking in decrease that value to 5 minutes... What is the impact having user identification timeout set to 5 minutes ?

All my DC are located inside my network, no remote DCs.

Thanks in advance!

Re: User Identification Timeout - What to do ?

sraghunandan — Tue, 04 Sep 2012 18:28:01 GMT

Hello,

User identification timeout is nothing but timeout value for user entries. You might want to change the security log timer.

Thank you.

Subijith Raghunandan.

Re: User Identification Timeout - What to do ?

mikand — Tue, 04 Sep 2012 18:40:39 GMT

Shouldnt a decreased TTL for the various caches slightly increase the load for the mgmtplane?

Re: User Identification Timeout - What to do ?

FabioGarcia — Tue, 04 Sep 2012 18:45:45 GMT

So, you meant I should keep 45 minutes and focus on security log timer ?

But sec log timer is already set to 1 second....

Right now I am doint tests with my login....

We have a rule allowing social networking for some AD group "social_networking_allowed"...

I have just added my user to that group and till now I am still not able to be allowed to social networks sites...

Is that usual this behavior... whenever I add or take off some user from an AD group that will delay all this time to reflect on PA rules ??

Below my agent config

thanks all

Re: User Identification Timeout - What to do ?

sraghunandan — Tue, 04 Sep 2012 18:56:59 GMT

Does the newly added user show up in the PA, please use the following command:- > show user group name (name) and also paste the following command o/ps >show user group-mapping statistics and show user group-mapping state all.

Thanks.

Re: User Identification Timeout - What to do ?

FabioGarcia — Tue, 04 Sep 2012 19:20:49 GMT

fabio.garcia@XXXXXXXX(active)> show user group name "XXXXXXXXX\redes sociais - allow"

...

[30 ] XXXXXXXX\fabio.garcia

>>>>>> Even after 15 minutes I took off my name from that AD group I am still seeing my name over there...

####################################################

fabio.garcia@XXXXXXXXX(active)> show user group-mapping statistics

Name Vsys Groups Last-Action(secs) Next-Action(secs)

---------------------------------------------------------------------------

XXXXX-XXXXX vsys1 7 1859 secs ago(took 0 secs) In 1741 secs <<<<<< ???

>>>> Is that the delay till PA checks again users inside all groups ???

#####################################################

fabio.garcia@XXXXXXX(active)> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): XXXX-XXXXX

Bind DN : ...

Base : ...

Group Filter: (None)

User Filter: (None)

Servers : configured 2 servers

X.X.X.X(389)

Last Action Time: 1932 secs ago(took 0 secs)

Next Action Time: In 1668 secs <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

X.X.X.X(389)

Re: User Identification Timeout - What to do ?

FabioGarcia — Tue, 04 Sep 2012 19:39:38 GMT

I got it....

In GUI

Device > User identification (left menu) > Group Mapping Setings

Clicking at your SERVER configured, then UPDATE INTERVAL I choose 60 (seconds)....

Now I delay maximum of 60 seconds to PA updates list of AD groups (with new users or deleted users)

Thanks!!

Re: User Identification Timeout - What to do ?

sraghunandan — Tue, 04 Sep 2012 19:45:24 GMT

That's Great i was about to reply was caught up on a cal, now is this working as expected.

Re: User Identification Timeout - What to do ?

mikand — Wed, 05 Sep 2012 08:29:05 GMT

I feel that the default values in the doc mentioned earlier are a bit high - but I guess there is some good reason behind each setting for why its so high.

What are the most aggressive settings that are still fine to use regarding mgmtplane utilization etc?

Because I have a bad feeling that something would break if one select the lowest values for each item like:

Age-out timeout: 1min

User membership timeout: 1min

Security log timer: 1sec

Netbios probing (is the same as for wmi?): 1min

Server session timer: 1sec