User to group membership update intervals

Reply
Highlighted
L1 Bithead

User to group membership update intervals

     Up to PAN-OS version 3.1.3, the refresh time for the firewall to update the user to group membership could be configured only to a minimum value of 10 minutes in the firewall. This configuration relates to the communication between the firewall and the User Identification Agent, where the firewall gets this information for users and groups. The parameter that controlled this behavior was defined under the User-ID definition in the firewall, and it was called "Link Speed". The only three values that this parameter accepted was "Fast", "Medium" and "Slow". "Fast" was the minimum update value, and stated for 10 minutes.

     Starting with PAN-OS version 3.1.4 you get user-group membership updated in the firewall with a minimum interval of 1 minute. I’ve tried different options, like changing a user from one group to another, deleting the user from one group, or adding a user to several groups. In all the cases the firewall gets the update in the expected interval of 1 minute, without any problem.

     In order to configure it properly, you need to set up the appropriate timeouts, both in the agent and in the firewall. The minimum values are 1 minute on each side.

     In the agent the parameter is called “User Membership Timer (min.)”. Following you have a screenshot with this timeout configured to 1 minute (minimum allowed value).




    
     In the firewall, you have a new field called “Group Timer”, that substitutes the old “Link Speed” under the UIA configuration. Here you have to configure also 1 minute (note that it’s in seconds, therefore you have to put 60 seconds. The legend is wrong, and the minimum value is not 1 second, but 60 seconds. Next minor release will solve this cosmetic issue):



     Hope you find it useful.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!