LDAP interval

NetOverLord — Thu, 12 Jul 2018 21:52:03 GMT

Hi,

I have a question in reference to the LDAP interval time. Specifically what my goal is I want to be able to let the firewall know about my AD group membership changes quicker. For example if I have a specific AD group that is configured on the fw to control a specific PBF rule, when I add or remove a domain account from that AD group, what is the default refresh time (same as interval time?) that I need to wait for the fw to scan the AD group to get the update?

I usually run two commands to make the change immediate:

a. debug user-id refresh group-mapping all

b. debug user-id reset group-mapping all

I do understand that decreasing the refresh time (interval time? LOL!) might cause bugging down the CPU on the fw and it might cause more network bandwidth utilization but I just wanted to undersatnd:

1. where can I change the refresh time? Is that located in:

Device -> User Identification -> Group Mapping Settigns -> Server Porofie tab ("Update Interval" field)?

2. If I am incorrect in assuming that the Update Interval time field (above) is responsible for AD updates, what is the correct setting and where can I change it?

Thank you.

Re: LDAP interval

Mick_Ball — Fri, 13 Jul 2018 04:39:39 GMT

Yes thats where it is.... the default if left blank is 3600 seconds, 1 hour.

i suppose it depends on how many users and groups are incorporated between PA and AD.

with almost 10k userbase and making good use of the domain users group as well as many other large groups i left it at the default.

i run the same refresh command in an emergency but rarely use it as AD user movementhere involves several emails and 12 meetings... by the time the user is notified a week has passed.... you could use api to make the refresh a lot smoother...

so... i would say really depends on your userbase, group activity and urgency.

topic Re: LDAP interval in General Topics

LDAP interval

Re: LDAP interval