topic Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000 in General Topics

SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

bspilde — Thu, 31 Aug 2017 18:46:58 GMT

According to the New Features Guide in 7.1 PAN-OS the User Group Capacity was increased to a max of 3,200 groups IF you are following their note below:

Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups.

So I have gone into these settings and removed all Custom Group lists and didn't have any Group Include List created.

Select Device > User Identification > Group Mapping Settings and click Add.Enter a unique Name to identify the group mapping configuration.Configure the Server Profile settings:Select the LDAP Server Profile you just created. Select Enabled (default).

Click OK.

I started receiving this alert after upgrading to PAN-OS 8.0.4 and even with all lists cleared out I am still seeing this alert every 10 minutes on a PA-200. I thought, well I'm going to be upgrading those to PA-220's anyway but after researching, the limit is the same on those and even the PA-3020's I have. I am not getting alerts from the PA-3020's after upgrading those to PAN-OS 8.0.4.

Anyone else experienced this? Opening a ticket next week but with a lack of any search results on this error I wanted to get one posted for the next guy upgrading a PA-200 to 8.0.x. in a 'group heavy' environment.

@Wald @rkramer ?

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

Wald — Thu, 31 Aug 2017 18:59:29 GMT

So we had something similar happen while I was at ignite on our 220's however the admins that were still at the office decieded to "fix it" by adding certain groups just assuming that these boxes were too small to handle all of our groups. We have not gone back to look into it so I cannot say "exactly" the error we saw at the time. I will see if I can drum up some sort of test.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

Wald — Thu, 31 Aug 2017 19:14:37 GMT

Here you go @bspilde

This is from a 220 running 8.0.4 code.

User Group count of 6012 exceededs threshold of 1000

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

bspilde — Thu, 31 Aug 2017 19:20:42 GMT

Awesome, so obviously a problem out there as far as alerts, but for how many customers is it more than just alert noise? Hmm

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

bspilde — Thu, 31 Aug 2017 19:28:45 GMT

So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

rkramer — Thu, 31 Aug 2017 19:38:15 GMT

We haven't moved ours over to the new wildcard style yet, all the groups are defined. Working on it, just moving slowly.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

Wald — Thu, 31 Aug 2017 20:04:15 GMT

@bspilde wrote:
So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.

The include lists work fine however this appears to be a bug as the documentation says it supports way more groups than the error.

We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

Wald — Fri, 01 Sep 2017 15:36:26 GMT

@Wald wrote:
@bspilde wrote:
So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.
@bspilde wrote:
So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.

The include lists work fine however this appears to be a bug as the documentation says it supports way more groups than the error.
We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.

Oh the alerts go away when you use "include lists" because it no longer see a large amount of groups, only the ones you have included.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

bspilde — Fri, 08 Sep 2017 14:47:01 GMT

I'll add to that it only sees the users for the include groups then vs all of the groups. It actually does still show 2,354 user groups from the User-ID agent. The problem isn't really described well anywhere in my opinion. The limitation is having to store all the members of each group over 1000 groups I suspect.

Re: SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

bspilde — Mon, 12 Feb 2018 20:25:51 GMT

I had LDAP settings in a Global template, therefore all the smaller boxes that used this template alert on the group count exeeding the maximum for those models.

To resolve this I took the most commonly used AD groups for policies and included them in the Group Include list for a Group Mapping Setting applied to a template I called Limited_Group_Capacity.
In the User Identification| Group Mapping Settings be sure to use the same name as your "Global" group used for a group mapping name.
Then include that template on top of your template stack so that it will override anything below it with the same name.
Apply that template on the top or at least above your other template containing group mappings for every stack containing models restricted to 1000 users.
Then commit and push