There is a user on the LDAP server, and I allow him to access one website in the security policy. But when I disable this account on the LDAP server, he can access the website as before. What can I do?
A Palo Alto Networks firewall, when configured for group mapping, will talk to Active Directory every 60 minutes by default. This is configurable under the group mapping settings (update interval).
Once every 60 minutes (by default) an LDAP query is sent to retrieve any changes, additions or deletions to user-group membership. It looks like you are seeing the issue where, even when you removed the user from the group in AD, the mapping is still not updated on the device and the user can still access the website.
Try changing the update interval to 60 seconds and check if that resolves the issue.
Hope this helps.
If the security policy is configured with the group that the user is a member of, it is expected to match the security policy. The firewall retrieves the AD groups and their associated members from LDAP and keeps the group membership. If the user still exists in the group and there is an IP-address-to-user mapping for that user account, you will see traffic from that user/IP matching the security rule. You can try removing the user from the group in AD and doing a Force User Group Mapping Refresh (https://live.paloaltonetworks.com/docs/DOC-3294). See if that fixes the issue.
You might be running into the following scenario during your testing. Please refer to this doc.
Below is another document for related symptoms.
You can also check out the following doc for detailed information on User-ID.
Let us know if this helps.
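Both replies above come down to the same mechanism: the firewall caches AD group membership and only re-reads it on the update interval or on a forced refresh. The script below, added here as an example and not code from the thread or from Palo Alto Networks, drives that forced refresh over the PAN-OS XML API and reads the group-mapping state back so the change can be confirmed. It assumes a firewall reachable at the placeholder hostname FW_HOST, an API key supplied in the PANOS_API_KEY environment variable, and that the two CLI commands it wraps (`debug user-id refresh group-mapping all` and `show user group-mapping state all`) exist on the target release; the keyword-to-XML conversion is the standard one for the API's type=op endpoint and only covers keyword-only commands.

```python
"""Force a PAN-OS group-mapping refresh and read back its state over the
XML API. Added example for this thread; not code from the original posts
or from Palo Alto Networks. Assumed (not in the thread): the firewall is
reachable at FW_HOST, an API key is in the PANOS_API_KEY environment
variable, and the CLI commands below exist on the target PAN-OS release."""

import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "fw.example.net"  # assumption: placeholder firewall hostname

# The two CLI commands this example drives. On the XML API's type=op
# endpoint each keyword becomes one nested XML element.
REFRESH_CMD = "debug user-id refresh group-mapping all"
STATE_CMD = "show user group-mapping state all"


def cli_to_cmd_xml(cli: str) -> str:
    """Turn a keyword-only CLI command into the nested-element form the
    XML API expects, e.g. 'show user group-mapping state all' ->
    '<show><user><group-mapping><state><all></all></state></group-mapping></user></show>'.
    Commands that take a value argument (such as a specific group-mapping
    name) are out of scope: the value must be wrapped inside its keyword
    element rather than treated as a keyword itself."""
    words = cli.split()
    if not words:
        raise ValueError("empty CLI command")
    opening = "".join(f"<{w}>" for w in words)
    closing = "".join(f"</{w}>" for w in reversed(words))
    return opening + closing


def build_op_url(host: str, cmd_xml: str, api_key: str) -> str:
    """Build the operational-command URL. The API key travels in the query
    string, so keep the resulting URL out of logs and shell history."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return f"https://{host}/api/?{query}"


def response_status(xml_text: str) -> str:
    """Return the status attribute of a PAN-OS XML API response envelope
    (<response status="success">...</response>); raise if it is not one."""
    root = ET.fromstring(xml_text)
    status = root.get("status")
    if root.tag != "response" or status is None:
        raise ValueError("not a PAN-OS XML API response envelope")
    return status


def run_op(url: str, verify_tls: bool = True, timeout: int = 30) -> str:
    """Send the request and return the raw XML body. TLS verification stays
    on by default; pass verify_tls=False only for a lab box that still has
    its self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def force_refresh_and_check(host: str, api_key: str, verify_tls: bool = True) -> tuple:
    """Force the group-mapping refresh, then pull the state output so the
    operator can confirm the membership the firewall now holds.
    Returns (refresh_status, state_xml)."""
    refresh_xml = run_op(build_op_url(host, cli_to_cmd_xml(REFRESH_CMD), api_key), verify_tls)
    status = response_status(refresh_xml)
    if status != "success":
        raise RuntimeError(f"group-mapping refresh failed: {refresh_xml}")
    state_xml = run_op(build_op_url(host, cli_to_cmd_xml(STATE_CMD), api_key), verify_tls)
    return status, state_xml


if __name__ == "__main__":
    refresh_status, state = force_refresh_and_check(FW_HOST, os.environ["PANOS_API_KEY"])
    print("refresh:", refresh_status)
    print(state)
```

Two caveats worth keeping in mind when reading the thread. First, a refresh (forced or scheduled) re-reads group membership, not whether the account is enabled: disabling an account in AD leaves its group memberships in place, so a rule keyed on that group keeps matching until the user is actually removed from the group or a deny rule is added. Second, the IP-address-to-user mapping is a separate cache with its own timeout, so a user who already has a mapping can keep matching until it expires or is cleared (the `clear user-cache ip <address>` CLI command is the usual tool; verify it on your release). Dropping the update interval to 60 seconds, as the first reply suggests, shortens the window but also sends an LDAP query to the domain controller every minute, which is worth weighing on a busy directory.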