<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User Group Count Exceeds threshold in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216259#M62654</link>
    <description>&lt;P&gt;Hi, the user-ID agent does not collect group information, it only forwards user + ip. Groups are collected through the firewall's "group mapping settings".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Did you add the 31 groups to the "group include list"?&lt;/P&gt;
&lt;P&gt;Maybe the full set was fetched somehow before you completed your configuration. You could try these commands to clear out the excess:&lt;/P&gt;
&lt;PRE&gt;&amp;gt; debug user-id clear group all
&amp;gt; debug user-id refresh group-mapping all &lt;/PRE&gt;</description>
    <pubDate>Fri, 01 Jun 2018 12:55:16 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2018-06-01T12:55:16Z</dc:date>
    <item>
      <title>User Group Count Exceeds threshold</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216227#M62646</link>
      <description>&lt;P&gt;Recently upgraded to 8.0.9 from 7.1.x with multiple devices from PA200 up to PA3050, using UserIdAgent against an MS domain, managed via Panorama.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Started getting notifications in the system log along the lines of 'User Group count of 7492 exceeds threshold of 1000'&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In UserId -&amp;gt; GroupMapping I have an LDAP search filter that returns only the groups that are relevant to the firewall, 31 in total, &amp;amp; I can see that's correct via "show user group-mapping statistics", so I'm guessing that the 7,492 refers to the user-group-mapping information returned from the UserIdAgent in total, i.e. for all our users there are 7,492 unique groups at the moment. I don't appear to be able to filter the information returned by UserIdAgent to just the groups that the firewall needs to know about.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The question is should I be worried - I don't seem to have a problem with the user mapping for the 31 groups of interest on the firewall, but I would like to get rid of the alert from the logs + there is a certain amount of information leakage in that firewall administrators can see users' full group membership from AD via "show user user-ids match-user" when really they should only be concerned with the 31 groups that control firewall permissions.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 08:50:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216227#M62646</guid>
      <dc:creator>SimmSimm</dc:creator>
      <dc:date>2018-06-01T08:50:32Z</dc:date>
    </item>
    <item>
      <title>Re: User Group Count Exceeds threshold</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216259#M62654</link>
      <description>&lt;P&gt;Hi, the user-ID agent does not collect group information, it only forwards user + ip. Groups are collected through the firewall's "group mapping settings".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Did you add the 31 groups to the "group include list"?&lt;/P&gt;
&lt;P&gt;Maybe the full set was fetched somehow before you completed your configuration. You could try these commands to clear out the excess:&lt;/P&gt;
&lt;PRE&gt;&amp;gt; debug user-id clear group all
&amp;gt; debug user-id refresh group-mapping all &lt;/PRE&gt;</description>
      <pubDate>Fri, 01 Jun 2018 12:55:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216259#M62654</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-01T12:55:16Z</dc:date>
    </item>
    <item>
      <title>Re: User Group Count Exceeds threshold</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216261#M62657</link>
      <description>&lt;P&gt;Interesting!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Having a spare system to play with, I tried that &amp;amp; it does appear to clear out all the other groups! Thanks!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's not clear to me how they all got there in the first place - but looking at one of our new 820s which started life on PanOs 8, they only have the 31 groups I would expect, whilst the older boxes which have been upgrading from the days of 5.x have the full 7,576, so I'm guessing you are right - at some point in the past the LDAP lookup has retrieved the whole lot &amp;amp; it's never been cleared out since.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Nick.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 13:22:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/216261#M62657</guid>
      <dc:creator>SimmSimm</dc:creator>
      <dc:date>2018-06-01T13:22:27Z</dc:date>
    </item>
    <item>
      <title>Re: User Group Count Exceeds threshold</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/309735#M80239</link>
      <description>&lt;P&gt;Hello to everyone,&lt;/P&gt;&lt;P&gt;I ran the debug user-id clear group all command.&lt;/P&gt;&lt;P&gt;I get the following error:&lt;BR /&gt;Server error: op command for client useridd timed out as client is not available&lt;/P&gt;&lt;P&gt;Model PA-850&lt;BR /&gt;Software Version 9.0.5&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;( eventid eq user-group-count ) and ( description contains 'User Group count of 1072 exceeds threshold of 1000' )&lt;/P&gt;&lt;P&gt;Best Regards&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 06 Feb 2020 10:00:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-count-exceeds-threshold/m-p/309735#M80239</guid>
      <dc:creator>ozayoz</dc:creator>
      <dc:date>2020-02-06T10:00:38Z</dc:date>
    </item>
  </channel>
</rss>

