This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About updating AD group membership

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

About updating AD group membership

RohJaewoong
L3 Networker

‎12-19-2013 06:24 PM

Hello guys

1. I configured LDAP profile and update from AD DC

2. AD group named domain-users has about 10900 user

3. Customer created new user and applied new user to domain-users group

So I tried to refresh a group-mapping information by debug command. But PAN could not be updated domain-users group information and refreshing member of group.

1. I created new group and applied new user to new group

PAN could be updated and bring a new-group with their membership.

So I have a question. How many PAN recognize a group-member from AD? or PAN has got a limit of max group membership from AD?

Thanks in advance.

Regards,

Roh

Labels:
4 REPLIES 4

hshah
L6 Presenter

‎12-25-2013 04:24 PM

Hi Roh,

By default existing group mapping is updated after 1 hour, you can change the settings. Please refer bellow mentioned document for more details.

https://live.paloaltonetworks.com/docs/DOC-4994

Let me know if you have further questions.

Regards,

Hardik Shah

hshah
L6 Presenter

‎12-25-2013 04:34 PM

You can force group-mapping refresh with following command.

https://live.paloaltonetworks.com/docs/DOC-3294

HITSSEC
L4 Transporter

‎12-25-2013 06:40 PM

Roh,

We have a domain with 10,000 - 12,000 accounts in the domain with no issues. We have user-id agents on two servers (redundancy) polling 12 domains across a total of 39 Domain controllers without issue.  Keeping in mind the group membership polling interval mentioned above in the previous posts.  The polling interval is a balancing act between performance hit on the servers vs. speed of updating changes to group membership. We will add the user to the rule and commit if there is an urgency to the access request while waiting for the polling interval to update the firewall with the group membership changes (usually an addition).

Phil

Gregoux
L4 Transporter

‎12-26-2013 03:18 AM

hello

you could find more information here

https://live.paloaltonetworks.com/docs/DOC-5939

greg

  • 2984 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks