HA-HA group mappings not passing to secondary PANOS 6.03

Not applicable

Hello,

I have group mappings present on the Primary Firewall that are not passing to the secondary Firewall, specifically for a new group created today. I have tried the various debug refresh commands on both boxes to attempt to get the secondary box to pull the new group, but no joy. Can anyone suggest what the issue here may be? As far as the secondary box is concerned, it doesn't exist. This is kind of important, as that box is primary for connectivity for a certain subnet that I cannot enforce a policy on based on group membership.

Many thanks

L7 Applicator

Hi

Did you happen to check the filter in the Device tab > User Identification > Group Mapping Settings?

There could be a filter here that prevents the new group from showing up.

regards

Tom

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Not applicable

Hello,

No filter that is relevant to the group in question. It has got worse: we have a new user that's been added in AD, and it can be seen on the Primary but not on the Secondary, even after a day. Also, the group number enumeration between the two is not the same. Any ideas why the secondary is not synching up with the user-id and group information from the primary?

L7 Applicator

Does the secondary show the correctly connected IP address:

> show user user-id-agent state <your-id-agent-name>

Does a force sync change the status:

> debug user-id refresh group-mapping (Name of group-mapping, or all)

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

What version of PAN OS are you running on the two HA peers? The new user that was added, was he added to a group called "domain users"?
