1. I configured LDAP profile and update from AD DC
2. AD group named domain-users has about 10900 user
3. Customer created new user and applied new user to domain-users group
So I tried to refresh a group-mapping information by debug command. But PAN could not be updated domain-users group information and refreshing member of group.
1. I created new group and applied new user to new group
PAN could be updated and bring a new-group with their membership.
So I have a question. How many PAN recognize a group-member from AD? or PAN has got a limit of max group membership from AD?
Thanks in advance.
We have a domain with 10,000 - 12,000 accounts in the domain with no issues. We have user-id agents on two servers (redundancy) polling 12 domains across a total of 39 Domain controllers without issue. Keeping in mind the group membership polling interval mentioned above in the previous posts. The polling interval is a balancing act between performance hit on the servers vs. speed of updating changes to group membership. We will add the user to the rule and commit if there is an urgency to the access request while waiting for the polling interval to update the firewall with the group membership changes (usually an addition).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!