Sync Between Active Directory and User-ID



Hi there,

I have a security policy allowed for a particular group A. When I add/remove a member in group A it doesn't sync with the security policy.

Is there a way to sync between Active Directory and User-ID / security policy?

Thanks in advance.

Pratik


@pkathiria,

What do you have your Update Interval set to under your Group Mapping settings?

@BPry 2 seconds


Perhaps your group mappings are failing, so for diagnostics try the following from the CLI:

show user group list

This will display the user groups known to the firewall.

show user group name "<cn of group listed from above>" (use quotes if you have spaces)

This will list all known members of that group.

debug user-id refresh group-mapping all

This will force the firewall to sync with AD.

This is also assuming that your user-to-IP mapping is working correctly.

This can also be tested via the CLI:

show user ip-user-mapping all

This will display all known user-to-IP mappings.

HTH

 

@pkathiria,

2 sec is too intrusive, but more importantly it shouldn't even be a valid configuration. The minimum possible value is 60 sec:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS

@aleksandar.astardzhiev After updating the interval to 60 seconds it still doesn't sync with AD. Is there any other way to sync with AD?

@pkathiria,

You really need to look at your logs (useridd masterd_detail) and determine what you actually have going on, or contact TAC and they can look through your logs. Depending on how large your directory is, it's possible that even 60 seconds isn't giving the firewall enough time to finish the task and fully process everything before you ask it to restart the process; 60 seconds is the minimum rate allowed, but it can still be too quick depending on your environment.

After forcing the firewall to sync with AD it still didn't sync. The user can still access the resources. Is there any way to do an auto sync with AD?

Thanks,

Pratik

Hi @pkathiria,

Let's take a step back. If I understand correctly, your assumption that the firewall is not syncing with AD is based on the rule not matching for a new user that is added to the allowed user group, correct?

Have you tried all the commands that @Mick_Ball provided you?

It is very important that the username from the user-to-IP mapping is identical to the username from the group mapping, including the domain.
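Added example, not from this thread and not Palo Alto Networks code: a Python script that cross-checks the output of the two commands given above, "show user group name" and "show user ip-user-mapping all", and flags mapped users whose name matches a group member only once the domain prefix is ignored, which is exactly the mismatch the last reply warns about. The sample command outputs and the IPs, domain and usernames in them are constructed here; the column layout they imitate, and therefore the regexes, are assumptions to adjust against the output of your own PAN-OS release.

```python
"""Cross-check User-ID group membership against IP-to-user mappings.

Paste the text of  show user group name "<group>"  into GROUP_OUTPUT and
the text of  show user ip-user-mapping all  into MAPPING_OUTPUT, then run.
The samples below are constructed to resemble PAN-OS CLI output; the
regexes assume that layout and may need adjusting for a given release.
"""
import re

# Constructed sample: output of  show user group name "corp\group-a"
GROUP_OUTPUT = """\
short name:  corp\\group-a

source type: service
source:      ad-ldap-profile

[1     ] corp\\alice
[2     ] corp\\bob
[3     ] corp\\carol
"""

# Constructed sample: output of  show user ip-user-mapping all
MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.10       vsys1  AD      corp\\alice                       2400           2400
10.1.1.11       vsys1  AD      corp.example.com\\bob             2400           2400
10.1.1.12       vsys1  AD      Carol                            2400           2400
Total: 3 users
"""

# Member lines look like "[1     ] corp\alice" (assumed layout).
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")
# Mapping rows start with an IPv4 address, then vsys, source and user (assumed layout).
MAPPING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_group_members(text):
    """Return the member names listed in 'show user group name' output."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append(m.group(1))
    return members


def parse_ip_user_mappings(text):
    """Return {ip: username} from 'show user ip-user-mapping all' output."""
    mappings = {}
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if m:
            ip, _vsys, _source, user = m.groups()
            mappings[ip] = user
    return mappings


def split_domain(name):
    """Split 'DOMAIN\\user' into (domain, user); domain is '' when absent."""
    domain, sep, user = name.partition("\\")
    if not sep:
        return "", domain
    return domain, user


def compare(members, mappings):
    """Classify each mapped user relative to the group's member list.

    matched         : IPs whose user equals a member (case-insensitive)
    domain_mismatch : IPs whose bare username is a member but whose domain
                      prefix differs or is missing (rule will not match)
    unmatched       : IPs whose user is not in the group at all
    unmapped        : group members with no exactly matching IP mapping
    """
    member_set = {m.lower() for m in members}
    by_bare_name = {}
    for m in members:
        by_bare_name.setdefault(split_domain(m)[1].lower(), []).append(m)

    result = {"matched": {}, "domain_mismatch": {}, "unmatched": {}}
    seen = set()
    for ip, user in mappings.items():
        key = user.lower()
        if key in member_set:
            result["matched"][ip] = user
            seen.add(key)
            continue
        bare = split_domain(user)[1].lower()
        if bare in by_bare_name:
            result["domain_mismatch"][ip] = (user, by_bare_name[bare])
        else:
            result["unmatched"][ip] = user
    result["unmapped"] = [m for m in members if m.lower() not in seen]
    return result


if __name__ == "__main__":
    report = compare(parse_group_members(GROUP_OUTPUT),
                     parse_ip_user_mappings(MAPPING_OUTPUT))
    for category, entries in report.items():
        print(f"{category}: {entries}")
```

With the constructed samples, corp\alice matches, while bob (mapped under a different domain form) and Carol (mapped with no domain at all) are reported as domain mismatches, which is the situation where the group refresh is fine but the policy still does not match the user.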
