topic Re: Cannot find AD group in "source user" tab in General Topics

Cannot find AD group in "source user" tab

TheRealDiz — Thu, 15 Sep 2016 14:23:20 GMT

Hi All,

I have added two new AD group, on DC.

I can clearly see them in group mapping setting:

While in "source user" tab:

What can cause this behavior? When the AD group will be available in "source user" find?

Suggestions?

Luca

Re: Cannot find AD group in "source user" tab

RFalconer — Thu, 15 Sep 2016 16:15:54 GMT

Luca,

Did you click the + sign to add the group to the 'Included Groups' section in the mapping?

Re: Cannot find AD group in "source user" tab

MangoTango — Thu, 15 Sep 2016 17:41:07 GMT

Panorama or firewall?

Re: Cannot find AD group in "source user" tab

TheRealDiz — Fri, 16 Sep 2016 08:27:11 GMT

@MangoTango Firewall!

@RFalconer Other AD groups are available in "source user" find, even if they are not added to the 'Included Groups' section in the mapping.

Luca

Re: Cannot find AD group in "source user" tab

bmorris1 — Fri, 16 Sep 2016 10:12:41 GMT

As this is a new group you have added, you might need to refresh the group mappings for the firewall to fetch them.

> debug user-id refresh group-mapping all

Worth a try.

Also if you input the group name manually rather than selecting it from a drop down, will this populate the policy with the group?

hope this helps,

Ben

Re: Cannot find AD group in "source user" tab

TheRealDiz — Fri, 16 Sep 2016 13:28:33 GMT

Hi @bmorris1,

I have tried command you suggested:

============================

FW01(active)> debug user-id refresh group-mapping all

group mapping 'Group_Map' in vsys1 is marked for refresh.

============================

The problem it's not related with group mapping.. I suppose this because I can clearly see "denyinternet" AD group in "group mapping" but NOT in source user.. Also if I type "denyinternet" the "source user" tab cannot find anything related to this one.

Tha's strange.. Maybe I missing something stupid.. 😞

Let me know if you have something else.

Further PA uptime is 153 days.. I don't know maybe something that it's not working properly with process.

Probably I will try with rebooting the appliance (I know I can restart a single process but at this point.. )

Best Regards

Luca

Re: Cannot find AD group in "source user" tab

TheRealDiz — Mon, 19 Sep 2016 08:11:19 GMT

Hi All,

Firewall has been reboteed an now seems it works fine.

But there is something that I don't understan on user-id refershing timeout.

I need to refresh cache related to the user gruop info, very quickly in order to permit or deny a specific traffic flow.

This seems a problem, I have tried these commands but:

=========================================

FW01(active)> debug user-id refresh group-mapping all

group mapping 'Group_Map' in vsys1 is marked for refresh.

Also:

FW01(active)> debug user-id refresh dp-uid-gid

Scheduled to refresh user groups info on DP for vsys 1

Clear the cache:

FW01(active)> clear user-cache all

=========================================

Nothing is changed (Why marked for refresh ??)

I need to refresh quickly user's group info and NOT MANUALLY, which is the correct cache/timeout that I need to modify?

If user's group info doesn't refresh in less then 2/3 minutes, this can cause a huge impact on the enviroment, because there are users that can surf the internet while other user NOT(associated whit "denyinternet" AD group).

@bmorris1 @MangoTango @RFalconer

Re: Cannot find AD group in "source user" tab

bmorris1 — Mon, 19 Sep 2016 08:29:14 GMT

Hi Luca,

The quickest you can change the group mapping refresh timer to be is 60 seconds. You can find this option under the group mapping settings. Running the group refresh command will get the device to refresh it quicker, why 'mark for refresh' I am not sure, maybe the device needs to finish processing what it is doing before it can begin the refresh, so marking it makes the user-id process finish the current task then run a refresh afterwards.

If you're making lots of group changes on your AD then you could create a script to open a CLI session and run this command. I have had a look and I don't think you can run debug commands via the XML API, you can clear the user ID cache but not refresh the group mappings.

Ben

edit: the timer is 60 seconds, not 60 minutes.

Re: Cannot find AD group in "source user" tab

TheRealDiz — Mon, 19 Sep 2016 08:26:53 GMT

Thanks a lot @bmorris1,

I will check again the configuration and I will update you asap..

Luca

Re: Cannot find AD group in "source user" tab

TheRealDiz — Thu, 22 Sep 2016 10:27:35 GMT

Hi @bmorris1,

I have set the refresh timeout as you suggested.

I will do some test and I will verify if everything works fine.

Thanks a lot,

Luca

Re: Cannot find AD group in "source user" tab

TheRealDiz — Mon, 26 Sep 2016 12:24:22 GMT

Hi @bmorris1,

Set timeout to 60 sec, everything works fine.

Thanks again

Luca