09-15-2016 07:10 AM - edited 09-15-2016 07:23 AM
Hi All,
I have added two new AD groups on the DC.
I can clearly see them in the group mapping settings:
While in the "source user" tab:
What can cause this behavior? When will the AD groups be available in the "source user" find?
Suggestions?
BR
Luca
09-15-2016 09:15 AM
Luca,
Did you click the + sign to add the group to the 'Included Groups' section in the mapping?
09-15-2016 10:41 AM
Panorama or firewall?
09-16-2016 01:27 AM
@MangoTango Firewall!
@RFalconer Other AD groups are available in the "source user" find, even if they are not added to the 'Included Groups' section in the mapping.
BR
Luca
09-16-2016 03:12 AM
As this is a new group you have added, you might need to refresh the group mappings for the firewall to fetch them.
> debug user-id refresh group-mapping all
Worth a try.
Also if you input the group name manually rather than selecting it from a drop down, will this populate the policy with the group?
hope this helps,
Ben
09-16-2016 06:28 AM
Hi @bmorris1,
I have tried command you suggested:
============================
FW01(active)> debug user-id refresh group-mapping all
group mapping 'Group_Map' in vsys1 is marked for refresh.
============================
The problem is not related to group mapping.. I suppose this because I can clearly see the "denyinternet" AD group in "group mapping" but NOT in source user.. Also if I type "denyinternet", the "source user" tab cannot find anything related to it.
That's strange.. Maybe I'm missing something stupid.. 😞
Let me know if you have something else.
Further, PA uptime is 153 days.. I don't know, maybe something is not working properly with a process.
Probably I will try rebooting the appliance (I know I can restart a single process, but at this point.. )
Best Regards
Luca
09-19-2016 01:11 AM
Hi All,
The firewall has been rebooted and now it seems to work fine.
But there is something that I don't understand about the user-id refreshing timeout.
I need to refresh the cache related to the user group info very quickly in order to permit or deny a specific traffic flow.
This seems a problem; I have tried these commands but:
=========================================
FW01(active)> debug user-id refresh group-mapping all
group mapping 'Group_Map' in vsys1 is marked for refresh.
Also:
FW01(active)> debug user-id refresh dp-uid-gid
Scheduled to refresh user groups info on DP for vsys 1
Clear the cache:
FW01(active)> clear user-cache all
=========================================
Nothing has changed (why "marked for refresh"??)
I need to refresh the user's group info quickly and NOT MANUALLY; which is the correct cache/timeout that I need to modify?
If the user's group info doesn't refresh in less than 2/3 minutes, this can cause a huge impact on the environment, because there are users that can surf the internet while other users cannot (those associated with the "denyinternet" AD group).
@bmorris1 @MangoTango @RFalconer
09-19-2016 01:23 AM - edited 09-19-2016 01:29 AM
Hi Luca,
The quickest you can change the group mapping refresh timer to be is 60 seconds. You can find this option under the group mapping settings. Running the group refresh command will get the device to refresh it quicker; why it says 'marked for refresh' I am not sure, maybe the device needs to finish processing what it is doing before it can begin the refresh, so marking it makes the user-id process finish the current task then run a refresh afterwards.
If you're making lots of group changes on your AD then you could create a script to open a CLI session and run this command. I have had a look and I don't think you can run debug commands via the XML API, you can clear the user ID cache but not refresh the group mappings.
Ben
edit: the timer is 60 seconds, not 60 minutes.
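The script Ben suggests, as an added example that is not part of the thread or of any Palo Alto Networks tooling: it opens an SSH session to the firewall, runs `debug user-id refresh group-mapping all`, and checks the reply for the acknowledgement line quoted above, so a change in AD group membership (such as a user being added to "denyinternet") is enforced sooner than the refresh timer alone would allow. It assumes the management interface accepts a single command on the ssh command line with key-based authentication (if a given PAN-OS version only offers an interactive shell, drive it with an expect-style library instead); the host, user, API key and the mapping name are placeholders. The last function builds the XML API request for `clear user-cache all`, following the API's convention of turning CLI words into nested elements, which is the one cache operation Ben notes is reachable through the API.

```python
"""Trigger a PAN-OS User-ID group-mapping refresh over SSH and confirm the
firewall acknowledged it.  Added example, not from the thread.

Assumed (not stated on the page): the firewall accepts a command on the ssh
command line; key-based auth is configured for the admin user.  The reply
format is the one quoted in the thread:
    group mapping 'Group_Map' in vsys1 is marked for refresh.
"""
import argparse
import re
import subprocess
import time
from typing import List, Tuple
from urllib.parse import quote

REFRESH_CMD = "debug user-id refresh group-mapping all"

# Matches the acknowledgement line the firewall prints for each mapping.
MARKED_RE = re.compile(
    r"group mapping '(?P<name>[^']+)' in (?P<vsys>vsys\d+) is marked for refresh"
)


def parse_refresh_output(text: str) -> List[Tuple[str, str]]:
    """Return (group-mapping name, vsys) for every mapping marked for refresh."""
    return [(m.group("name"), m.group("vsys")) for m in MARKED_RE.finditer(text)]


def mapping_acknowledged(text: str, mapping: str) -> bool:
    """True when the expected mapping appears in the firewall's reply."""
    return any(name == mapping for name, _ in parse_refresh_output(text))


def run_refresh(host: str, user: str, mapping: str, timeout: int = 30) -> bool:
    """SSH to the firewall, run the refresh command, and report whether the
    expected mapping was acknowledged.  Raises on SSH or transport failure
    (BatchMode prevents a hung password prompt when run unattended)."""
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", REFRESH_CMD],
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return mapping_acknowledged(proc.stdout, mapping)


def clear_user_cache_url(host: str, api_key: str) -> str:
    """XML API operational request equivalent to 'clear user-cache all'.
    The cmd element is the CLI command as nested XML (assumed from the API's
    op-command convention); the key is a placeholder, never a real credential."""
    cmd = "<clear><user-cache><all/></user-cache></clear>"
    return (f"https://{host}/api/?type=op"
            f"&cmd={quote(cmd, safe='')}&key={quote(api_key, safe='')}")


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Refresh PAN-OS group mapping")
    ap.add_argument("host")                      # placeholder, e.g. fw01.example.net
    ap.add_argument("--user", default="admin")   # placeholder admin account
    ap.add_argument("--mapping", default="Group_Map")  # name from the thread
    ap.add_argument("--every", type=int, default=0,
                    help="repeat every N seconds (0 = run once)")
    args = ap.parse_args()
    while True:
        ok = run_refresh(args.host, args.user, args.mapping)
        print("refresh acknowledged" if ok else "mapping not acknowledged")
        if not args.every:
            break
        time.sleep(args.every)
```

Run it from a host that is allowed to reach the management interface, ideally under a dedicated admin account restricted to the User-ID debug commands rather than a full superuser. The `--every` loop only makes sense for a burst of AD changes; for steady state the 60-second timer in the group mapping settings is the supported path.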
09-22-2016 03:27 AM
Hi @bmorris1,
I have set the refresh timeout as you suggested.
I will do some test and I will verify if everything works fine.
Thanks a lot,
Luca