HA-HA group mappings not passing to secondary PANOS 6.03


Hello,

I have group mappings present on the primary firewall that are not passing to the secondary firewall, specifically for a new group created today. I have tried the various debug refresh commands on both boxes to attempt to get the secondary box to pull the new group, but no joy. Can anyone suggest what the issue here may be? As far as the secondary box is concerned, it doesn't exist. Which is kind of important, as that box is primary for connectivity for a certain subnet that I cannot enforce a policy on based on group membership.

Many thanks

4 REPLIES

Cyber Elite

Hi,

Did you happen to check the filter in the Device tab > User Identification > Group Mapping Settings?

There could be a filter there that prevents the new group from showing up.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello,

No filter that is relevant to the group in question. It has got worse: we have a new user that's been added in AD, it can be seen on the primary but not on the secondary, even after a day. Also, the group number enumeration between the two is not the same. Any ideas why the secondary is not syncing up with the user-id and group information from the primary?

Does the secondary show correctly connected ip address:

> show user user-id-agent state <your-id-agent-name>

Does a force sync change the status:

> debug user-id refresh group-mapping (Name of group-mapping, or all)

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
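The asker mentions that the group enumeration differs between the two HA peers. A practical way to pin that down is to capture the group-mapping output from each peer and diff it offline. The script below is an added example, not from the original thread or from Palo Alto Networks: it assumes you have saved the text of `show user group list` / `show user group name <group>` from each peer, and it parses a constructed, simplified `group:` / `members:` layout. The real CLI output layout on your PAN-OS version will differ, so the two regexes are the part to adapt.

```python
"""
Compare User-ID group-mapping snapshots captured from two HA peers and
report what the secondary is missing relative to the primary.

Assumed workflow (not from the original thread): on each peer run the
group-mapping show commands, save the text, and feed it to parse_snapshot().
The snapshot layout used here is constructed for the example.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the primary knows a newly created group and an extra
# member, the secondary does not (the situation described in the thread).
PRIMARY_SNAPSHOT = """\
group: corp\\vpn-users
members: corp\\alice, corp\\bob
group: corp\\new-finance-group
members: corp\\carol
"""

SECONDARY_SNAPSHOT = """\
group: corp\\vpn-users
members: corp\\alice
"""

# Assumed layout: one "group:" line followed by one "members:" line.
GROUP_RE = re.compile(r"^group:\s*(.+)$")
MEMBERS_RE = re.compile(r"^members:\s*(.*)$")


def parse_snapshot(text: str) -> Dict[str, Set[str]]:
    """Return {group_name: {member, ...}}; names are lower-cased so that
    case differences between peers do not show up as false diffs."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            groups.setdefault(current, set())
            continue
        m = MEMBERS_RE.match(line)
        if m and current is not None:
            members = [u.strip().lower() for u in m.group(1).split(",") if u.strip()]
            groups[current].update(members)
    return groups


def compare_peers(primary: Dict[str, Set[str]],
                  secondary: Dict[str, Set[str]]) -> Dict[str, object]:
    """Report groups absent on the secondary and, for groups present on
    both peers, members that exist on only one side."""
    missing_groups: List[str] = sorted(set(primary) - set(secondary))
    member_diffs: Dict[str, Dict[str, List[str]]] = {}
    for g in sorted(set(primary) & set(secondary)):
        only_primary = primary[g] - secondary[g]
        only_secondary = secondary[g] - primary[g]
        if only_primary or only_secondary:
            member_diffs[g] = {
                "only_on_primary": sorted(only_primary),
                "only_on_secondary": sorted(only_secondary),
            }
    return {
        "groups_missing_on_secondary": missing_groups,
        "member_differences": member_diffs,
    }


def main() -> None:
    report = compare_peers(parse_snapshot(PRIMARY_SNAPSHOT),
                           parse_snapshot(SECONDARY_SNAPSHOT))
    for g in report["groups_missing_on_secondary"]:
        print(f"group missing on secondary: {g}")
    for g, d in report["member_differences"].items():
        print(f"{g}: only on primary {d['only_on_primary']}, "
              f"only on secondary {d['only_on_secondary']}")


if __name__ == "__main__":
    main()
```

Run it once with snapshots taken immediately after the `debug user-id refresh group-mapping` command on both peers; if the secondary's list is still short, the problem is on the secondary's own LDAP/group-mapping pull rather than in the HA sync of configuration.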

L4 Transporter

What version of PAN OS are you running on the two HA peers? The new user that was added, was he added to a group called "domain users"?
