I disabled a user on LDAP, but he can access the destination as before

Not applicable


There is a user on the LDAP server, and I allow him to access one website in the security policy. But when I disable this account on the LDAP server, he can still access the website as before. What can I do?

Message edited by: Achates Ray

L3 Networker

Hello,

A Palo Alto Networks firewall, when configured for group mapping, will talk to Active Directory every 60 minutes by default. This is configurable under the group mapping settings, update interval.

Once every 60 minutes (by default), an LDAP query is sent to retrieve any changes, additions or deletions to user-group membership. Looks like you are seeing the issue where, even when you removed the user from the group in AD, it is still not updating the mapping on the device and the user can still access the website.

Try changing the update interval to 60 seconds and check if that resolves the issue.

Hope this helps.

Yashwanth

Not applicable

Thank you for your reply!

I disabled the user; I did not delete or remove it.

Not applicable

ybommakantiadmin, I disabled the user on LDAP, I did not remove the user. Who can help me?

L3 Networker

If the security policy is configured with the group that the user is a member of, it is expected to match the security policy. The firewall retrieves the AD groups and the associated members from LDAP and keeps the group membership. If the user still exists in the group and there is an IP-address-to-user mapping for that user account, you will see that traffic from that user/IP is matching the security rule. You can try removing the user from the group in AD and forcing a User Group Mapping Refresh (https://live.paloaltonetworks.com/docs/DOC-3294). See if that fixes the issue.

Not applicable

Thank you, knarra1,

If I want to filter some users, how should I do it?

L3 Networker

If you are referring to users in a group, we do not have the option of filtering certain members in a group. Please let me know if you are referring to something else.

L5 Sessionator

You might be running into the following scenario during your testing. Please refer to this doc.

Enable Age-Out Timeout With Netbios/WMI Disabled for User-ID Agent

Below is another document for related symptoms

User-ID Does Not Send WMI Probes for Known IP Addresses

You can also check out the following docs for detailed information on User-ID:

User Identification Tech Note - PAN-OS 4.0

User Identification Tech Note PAN-OS 4.1

Let us know if this helps,

Thank you

Numan

Not applicable

(attachment: useraccountcontrol.jpg)

I want to know how to set the Search Filter?
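An added example, not part of any post in this thread: a Python sketch of what the Active Directory userAccountControl attribute (the subject of the attached screenshot) encodes, and how an LDAP search filter using AD's bitwise-AND matching rule excludes disabled accounts from a user or group query. The directory entries are constructed sample data; the thread does not say whether a given PAN-OS version exposes such a filter in its group-mapping settings.

```python
# Added example (not from the thread). Disabling an AD account only sets a
# bit in userAccountControl; the object and its group links stay in place,
# which is why a plain membership query keeps returning the user.
ACCOUNTDISABLE = 0x0002          # UF_ACCOUNTDISABLE bit
NORMAL_ACCOUNT = 0x0200          # UF_NORMAL_ACCOUNT bit
DONT_EXPIRE_PASSWD = 0x10000     # UF_DONT_EXPIRE_PASSWD bit (unrelated to disable)
# Microsoft's LDAP_MATCHING_RULE_BIT_AND extensible-match rule OID
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample entries: (sAMAccountName, userAccountControl)
SAMPLE_ENTRIES = [
    ("alice", NORMAL_ACCOUNT),                                   # enabled
    ("bob",   NORMAL_ACCOUNT | ACCOUNTDISABLE),                  # disabled
    ("carol", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),              # enabled
    ("dave",  NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD),  # disabled
]


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(user_account_control & ACCOUNTDISABLE)


def enabled_users_filter(base_filter: str = "(objectClass=user)") -> str:
    """Build an LDAP filter that keeps only user objects whose
    userAccountControl does NOT have the ACCOUNTDISABLE bit set."""
    return f"(&{base_filter}(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))"


def apply_bit_and_filter(entries, bits: int, negate: bool):
    """Evaluate the bitwise-AND matching rule locally over sample entries,
    the way a directory server would for the filter above. With negate=True
    this mirrors the (!(...)) wrapper and returns only enabled accounts."""
    return [name for name, uac in entries if bool(uac & bits) != negate]


def enabled_members(entries=SAMPLE_ENTRIES):
    """Names that an 'enabled users only' group-mapping query would return."""
    return apply_bit_and_filter(entries, ACCOUNTDISABLE, negate=True)


if __name__ == "__main__":
    print(enabled_users_filter())
    print("enabled: ", enabled_members())
    print("disabled:", apply_bit_and_filter(SAMPLE_ENTRIES, ACCOUNTDISABLE, negate=False))
```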
