01-02-2014 10:56 PM
01-03-2014 08:30 AM
Hello ChuanhouLei,
A Palo Alto Networks firewall, when configured for group mapping, will talk to Active Directory every 60 minutes by default. This is configurable under the group mapping settings (update interval).
Once every 60 minutes (by default) an LDAP query is sent to retrieve any changes, additions or deletions to user-group membership. It looks like you are seeing the issue where, even though you removed the user from the group in AD, the mapping is still not updated on the device and the user can still access the website.
Try changing the update interval to 60 seconds and check whether that resolves the issue.
Hope this helps.
Yashwanth
01-04-2014 09:02 PM
Thank you for your reply!
I disabled the user; I did not delete or remove it.
03-07-2014 01:48 AM
ybommakantiadmin, I disabled the user in LDAP, I did not remove the user. Who can help me?
03-08-2014 07:51 AM
If the security policy is configured with the group that the user is a member of, it is expected to match the security policy. The firewall retrieves the AD groups and the associated members from LDAP and keeps the group membership. If the user still exists in the group and there is an IP-address-to-user mapping for that user account, you will see traffic from that user/IP matching the security rule. You can try removing the user from the group in AD and forcing a User Group Mapping Refresh ( https://live.paloaltonetworks.com/docs/DOC-3294). See if that fixes the issue.
03-09-2014 08:00 PM
Thank you ,knarra1,
If I want to filter out some users, how should I do it?
03-10-2014 03:42 PM
If you are referring to users in a group, we do not have an option to filter out certain members of a group. Please let me know if you are referring to something else.
03-10-2014 04:54 PM
You might be running into the following scenario during your testing. Please refer to this doc.
Enable Age-Out Timeout With Netbios/WMI Disabled for User-ID Agent
Below is another document for related symptoms
User-ID Does Not Send WMI Probes for Known IP Addresses
You can also check out the following docs for detailed information on User-ID:
User Identification Tech Note - PAN-OS 4.0
User Identification Tech Note PAN-OS 4.1
Let us know if this helps.
Thank you
Numan
03-13-2014 03:44 AM
I want to know how to set the Search Filter?
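The thread turns on two facts: a disabled AD account keeps its group memberships, so a group-based rule still matches it, and the firewall serves cached membership until the next update interval. The following is an added example, not code from this thread or from Palo Alto Networks. It uses a constructed directory snapshot, a simplified model of the periodic refresh, and the standard AD bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to build a user filter that excludes accounts with the ACCOUNTDISABLE bit (0x2) set. Whether your PAN-OS version accepts that filter string in the group-mapping user filter is an assumption to confirm against its documentation.

```python
from datetime import datetime, timedelta

ACCOUNTDISABLE = 0x2  # AD userAccountControl flag set on a disabled account
# LDAP_MATCHING_RULE_BIT_AND: standard AD bitwise-AND matching rule OID
BIT_AND_RULE = "1.2.840.113556.1.4.803"

GROUP_DN = "CN=web-allowed,OU=Groups,DC=example,DC=com"  # constructed group

# Constructed sample of what a user query against AD might return.
# bob is disabled (512 | 2 = 514) but remains a member of the group.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "bob",   "userAccountControl": 514, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 512, "memberOf": []},
]


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(entry["userAccountControl"] & ACCOUNTDISABLE)


def user_filter(exclude_disabled):
    """Build the LDAP user filter string. With exclude_disabled the standard
    bitwise clause drops accounts whose ACCOUNTDISABLE bit is set."""
    base = "(objectClass=user)"
    if not exclude_disabled:
        return base
    return f"(&{base}(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))"


def query_users(entries, exclude_disabled):
    """Apply, to the sample data, the same logic the filter above expresses."""
    return [e for e in entries if not (exclude_disabled and is_disabled(e))]


def group_members(entries, group_dn, exclude_disabled=False):
    """Sorted account names in group_dn, optionally without disabled accounts."""
    return sorted(e["sAMAccountName"]
                  for e in query_users(entries, exclude_disabled)
                  if group_dn in e["memberOf"])


def policy_matches(user, group_dn, entries, exclude_disabled=False):
    """True if a rule scoped to group_dn would match this user."""
    return user in group_members(entries, group_dn, exclude_disabled)


class GroupMappingCache:
    """Simplified model of the periodic refresh: membership fetched at the
    last refresh is served until the update interval elapses."""

    def __init__(self, fetch, interval_seconds, now):
        self.fetch = fetch
        self.interval = timedelta(seconds=interval_seconds)
        self.members = fetch()
        self.last_refresh = now

    def member_at(self, user, now):
        if now - self.last_refresh >= self.interval:
            self.members = self.fetch()
            self.last_refresh = now
        return user in self.members


def staleness_demo(interval_seconds=3600):
    """Remove bob from the group right after a refresh; report whether he
    still matches 10 minutes later and again once the interval has elapsed."""
    directory = [dict(u, memberOf=list(u["memberOf"])) for u in SAMPLE_USERS]
    fetch = lambda: set(group_members(directory, GROUP_DN))
    t0 = datetime(2014, 1, 3, 8, 0)
    cache = GroupMappingCache(fetch, interval_seconds, t0)
    for e in directory:  # the AD change happens after the refresh
        if e["sAMAccountName"] == "bob":
            e["memberOf"].remove(GROUP_DN)
    before = cache.member_at("bob", t0 + timedelta(minutes=10))
    after = cache.member_at("bob", t0 + timedelta(seconds=interval_seconds))
    return before, after


if __name__ == "__main__":
    print("disabled bob matches group rule:", policy_matches("bob", GROUP_DN, SAMPLE_USERS))
    print("with filter:", user_filter(True),
          "->", policy_matches("bob", GROUP_DN, SAMPLE_USERS, exclude_disabled=True))
    print("stale at 10 min, then after 60 min refresh:", staleness_demo())
    print("same with a 60 s interval:", staleness_demo(60))
```

With the default 3600-second interval the removed user still matches ten minutes after the change and stops matching only after the refresh, which is the behaviour described earlier in the thread; with a 60-second interval the stale window has already closed at the ten-minute mark. The filter shows why disabling alone is not enough: unless disabled accounts are excluded at query time, they stay in the retrieved membership list.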