PAN agent Group cache on PAN

L3 Networker

PAN agent Group cache on PAN

Hello, I'm using PAN OS 3.0.5 and doing

> debug device-server dump user-group name

followed by the tab, I'm seeing very old groups that are no longer in the Filter group member of the pan-agent. It seems that the PAN has cached the old user/group relation. Is there a way to force a clear of the group <-> user relation on the PAN FW?

L4 Transporter

Re: PAN agent Group cache on PAN

You can clear the cache for this information with the following commands:

> debug dataplane reset user-cache
   > all   Reset all ip to user cache in data plane
   > ip    Reset the specified ip to user cache in data plane

thanks,

Stephen

L3 Networker

Re: PAN agent Group cache on PAN

The command above seems to delete only the ip <-> user mapping.

I'd like to delete the user <-> group mapping that seems to be still in cache, because I see very old groups that I haven't been using for months.

command -> debug device-server dump user-group name

L4 Transporter

Re: PAN agent Group cache on PAN

The "Stale" content could be coming from the UIA.  You can check this by looking at the cache files in the UIA Installation Directory - typically under "Program Files".

Regards

James

L2 Linker

Re: PAN agent Group cache on PAN

What about on 4.x.x versions where the group information comes from the Firewall itself?

L5 Sessionator

Re: PAN agent Group cache on PAN

You can clear the group cache on 4.1.x by doing the following:

> debug user-id clear group all

You can then force a group refresh:

> debug user-id refresh group-mapping all

-Jason

L2 Linker

Re: PAN agent Group cache on PAN

Thank you, that was what I needed.

L1 Bithead

Re: PAN agent Group cache on PAN

Exactly the answer I was looking for to address my issue.  I had duplicated groups listed from the PANuserAgent after installing the new USERIDagent and it was causing issues with classification.  Clearing out the groups and refreshing them fixed the issue.

Justin
