I have a question in reference to the LDAP interval time. Specifically what my goal is I want to be able to let the firewall know about my AD group membership changes quicker. For example if I have a specific AD group that is configured on the fw to control a specific PBF rule, when I add or remove a domain account from that AD group, what is the default refresh time (same as interval time?) that I need to wait for the fw to scan the AD group to get the update?
I usually run two commands to make the change immediate:
a. debug user-id refresh group-mapping all
b. debug user-id reset group-mapping all
I do understand that decreasing the refresh time (interval time? LOL!) might cause bugging down the CPU on the fw and it might cause more network bandwidth utilization but I just wanted to undersatnd:
1. where can I change the refresh time? Is that located in:
Device -> User Identification -> Group Mapping Settigns -> Server Porofie tab ("Update Interval" field)?
2. If I am incorrect in assuming that the Update Interval time field (above) is responsible for AD updates, what is the correct setting and where can I change it?
Yes thats where it is.... the default if left blank is 3600 seconds, 1 hour.
i suppose it depends on how many users and groups are incorporated between PA and AD.
with almost 10k userbase and making good use of the domain users group as well as many other large groups i left it at the default.
i run the same refresh command in an emergency but rarely use it as AD user movementhere involves several emails and 12 meetings... by the time the user is notified a week has passed.... you could use api to make the refresh a lot smoother...
so... i would say really depends on your userbase, group activity and urgency.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!