Cannot find AD group in "source user" tab

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cannot find AD group in "source user" tab

L4 Transporter

Hi All,

 

I have added two new AD group, on DC.

I can clearly see them in group mapping setting:

 

Group_Mapping_OK.JPG

 

While in "source user" tab:

 

Deny_internet_not_found.JPG

 

What can cause this behavior? When the AD group will be available in "source user" find?

 

Suggestions?

 

BR

Luca

1 accepted solution

Accepted Solutions

Hi Luca,

 

The quickest you can change the group mapping refresh timer to be is 60 seconds. You can find this option under the group mapping settings. Running the group refresh command will get the device to refresh it quicker, why 'mark for refresh' I am not sure, maybe the device needs to finish processing what it is doing before it can begin the refresh, so marking it makes the user-id process finish the current task then run a refresh afterwards.

 

If you're making lots of group changes on your AD then you could create a script to open a CLI session and run this command. I have had a look and I don't think you can run debug commands via the XML API, you can clear the user ID cache but not refresh the group mappings.

 

Ben

 

edit: the timer is 60 seconds, not 60 minutes.

View solution in original post

10 REPLIES 10

L3 Networker

Luca,

 

Did you click the + sign to add the group to the 'Included Groups' section in the mapping?

L2 Linker

Panorama or firewall?

@MangoTango Firewall!

 

@RFalconer Other AD groups are available in "source user" find, even if they are not added to the 'Included Groups' section in the mapping.

 

BR

Luca

As this is a new group you have added, you might need to refresh the group mappings for the firewall to fetch them.

 

> debug user-id refresh group-mapping all

 

Worth a try.

 

Also if you input the group name manually rather than selecting it from a drop down, will this populate the policy with the group?

 

hope this helps,

Ben

Hi @bmorris1,

 

I have tried command you suggested: 

 

============================

 

FW01(active)> debug user-id refresh group-mapping all

group mapping 'Group_Map' in vsys1 is marked for refresh.

 

============================

 

The problem it's not related with group mapping.. I suppose this because I can clearly see "denyinternet" AD group in "group mapping" but NOT in source user.. Also if I type "denyinternet" the "source user" tab cannot find anything related to this one.

 

Tha's strange.. Maybe I missing something stupid.. 😞

 

Let me know if you have something else.

Further PA uptime is 153 days.. I don't know maybe something that it's not working properly with process.

Probably I will try with rebooting the appliance (I know I can restart a single process but at this point.. )

 

Best Regards

Luca

Hi All,

 

Firewall has been reboteed an now seems it works fine.

But there is something that I don't understan on user-id refershing timeout.

I need to refresh cache related to the user gruop info, very quickly in order to permit or deny a specific traffic flow.

 

This seems a problem, I have tried these commands but:

=========================================

FW01(active)> debug user-id refresh group-mapping all

group mapping 'Group_Map' in vsys1 is marked for refresh.

 

Also:

 

FW01(active)> debug user-id refresh dp-uid-gid

Scheduled to refresh user groups info on DP for vsys 1

 

Clear the cache:

 

FW01(active)> clear user-cache all

=========================================

 

Nothing is changed (Why marked for refresh ??)

I need to refresh quickly user's group info and NOT MANUALLY, which is the correct cache/timeout that I need to modify?

 

If user's group info doesn't refresh in less then 2/3 minutes, this can cause a huge impact on the enviroment, because there are users that can surf the internet while other user NOT(associated whit "denyinternet" AD group).

 

 

 

@bmorris1 @MangoTango @RFalconer

 

 

Hi Luca,

 

The quickest you can change the group mapping refresh timer to be is 60 seconds. You can find this option under the group mapping settings. Running the group refresh command will get the device to refresh it quicker, why 'mark for refresh' I am not sure, maybe the device needs to finish processing what it is doing before it can begin the refresh, so marking it makes the user-id process finish the current task then run a refresh afterwards.

 

If you're making lots of group changes on your AD then you could create a script to open a CLI session and run this command. I have had a look and I don't think you can run debug commands via the XML API, you can clear the user ID cache but not refresh the group mappings.

 

Ben

 

edit: the timer is 60 seconds, not 60 minutes.

Thanks a lot @bmorris1,

 

I will check again the configuration and I will update you asap..

 

BR

Luca

Hi @bmorris1,

 

I have set the refresh timeout as you suggested.

I will do some test and I will verify if everything works fine.

 

Thanks a lot,

Luca

Hi @bmorris1,

 

Set timeout to 60 sec, everything works fine.

 

Thanks again

Luca

  • 1 accepted solution
  • 5329 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!