Sync Between Active Directory and User-ID

L2 Linker

Sync Between Active Directory and User-ID

Hi there,

I have a security policy that allows a particular group A. When I add/remove a member in group A, it doesn't sync with the security policy.

Is there a way to sync between Active Directory and User-ID / the security policy?

Thanks in advance.

Pratik

L7 Applicator

Re: Sync Between Active Directory and User-ID

@pkathiria,

What do you have your Update Interval set to under your Group Mapping settings?

L2 Linker

Re: Sync Between Active Directory and User-ID

@BPry 2 seconds

L6 Presenter

Re: Sync Between Active Directory and User-ID

Perhaps your group mappings are failing, so for diagnostics try the following from the CLI:

show user group list

This will display the user groups known to the firewall.

show user group name "<cn of a group listed above>" (use the quotes if the name has spaces)

This will list all known members of that group.

debug user-id refresh group-mapping all

This will force the firewall to sync with AD.

This also assumes that your user-to-IP mapping is working correctly.

This can also be tested via the CLI:

show user ip-user-mapping all

This will display all known user-to-IP mappings.

HTH

L4 Transporter

Re: Sync Between Active Directory and User-ID

@pkathiria,

2 sec is too intrusive, but more importantly it shouldn't even be a valid configuration. The minimum possible value is 60 sec:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS

L2 Linker

Re: Sync Between Active Directory and User-ID

@Alexander.Astardzhiev After updating the interval to 60 seconds it still doesn't sync with AD. Is there any other way to sync with AD?

L7 Applicator

Re: Sync Between Active Directory and User-ID

@pkathiria,

You really need to look at your logs (useridd masterd_detail) and determine what you actually have going on, or contact TAC and they can look through your logs. Depending on how large your directory is, it's possible that even 60 seconds isn't giving the firewall enough time to finish the task and fully process everything before you ask it to restart the process; 60 seconds is the minimal rate allowed, but it can still be too quick depending on your environment.

L2 Linker

Re: Sync Between Active Directory and User-ID

After forcing the firewall to sync with AD it still didn't sync. The user can still access the resources. Is there any way to do an auto sync with AD?

Thanks,

Pratik

L4 Transporter

Re: Sync Between Active Directory and User-ID

Hi @pkathiria,

Let's take a step back. If I understand correctly, your assumption that the firewall is not syncing with AD is based on the rule not matching for a new user that is added to the allowed user group, correct?

Have you tried all the commands that @MickBall provided you?

It is very important that the username from the user-to-IP mapping is identical to the username from the group mapping, including the domain.
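As an added example (not code from this thread or from Palo Alto Networks), the check described above, run over pasted output of the two commands from @MickBall's post: it parses the user learned for each IP and the member list the firewall holds for the group, and reports whether the names are identical including the domain. The CLI output samples are constructed with an approximated column layout, and the case-insensitive comparison is an assumption of the example.

```python
import re
from typing import Dict, List
# Constructed samples of the two CLI outputs (column layout approximated, not
# copied from a firewall). Note that "alice" was learned without a domain prefix.
IP_USER_MAPPING = """\
IP              Vsys   From    User            IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------- -------------- -------------
10.1.1.5        vsys1  AD      corp\\pratik     2700           2700
10.1.1.9        vsys1  AD      alice           2700           2700
10.1.1.12       vsys1  AD      CORP\\Bob        2700           2700
10.1.1.20       vsys1  AD      corp\\eve        2700           2700
"""
GROUP_MEMBERS = """\
short name:  corp\\group-a
source type: service
source:      corp-ldap
[1     ] corp\\pratik
[2     ] corp\\alice
[3     ] corp\\bob
"""

def parse_ip_user_mapping(text: str) -> Dict[str, str]:
    """Return {ip: user} from 'show user ip-user-mapping all'; header lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+(\S+)", line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows

def parse_group_members(text: str) -> List[str]:
    """Return the member names listed as '[n] domain\\user' by 'show user group name'."""
    return [m.group(1) for m in re.finditer(r"^\[\s*\d+\s*\]\s+(\S+)", text, re.M)]

def diagnose(ip: str, mapping: Dict[str, str], members: List[str]) -> str:
    """Explain why traffic from ip would or would not hit a rule that allows the group:
    the user learned for the IP must equal a member entry, domain prefix included."""
    user = mapping.get(ip)
    if user is None:
        return "no-ip-mapping"     # firewall has no user for this IP, so the rule cannot match
    if user.lower() in {m.lower() for m in members}:   # assumption: compare case-insensitively
        return "ok"                # identical name incl. domain: the group rule applies
    bare = {m.split("\\", 1)[-1].lower() for m in members}
    if user.split("\\", 1)[-1].lower() in bare:
        return "domain-mismatch"   # same account, but the domain part differs or is missing
    return "not-member"            # user is mapped, but is not in the group the firewall holds

def diagnose_all(mapping_text: str = IP_USER_MAPPING, group_text: str = GROUP_MEMBERS) -> Dict[str, str]:
    mapping, members = parse_ip_user_mapping(mapping_text), parse_group_members(group_text)
    return {ip: diagnose(ip, mapping, members) for ip in mapping}
```

A "domain-mismatch" verdict is the case the reply above warns about: the account is in the group, but the name the User-ID agent learned for the IP does not carry the same domain prefix as the group mapping, so the rule does not match.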
