This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Multiple PA-500 with PanOS 8.0.4, some SYSTEM ALERT: high : User Group count exceeds threshold of 1k

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple PA-500 with PanOS 8.0.4, some SYSTEM ALERT: high : User Group count exceeds threshold of 1k

PK-GHL
L0 Member

‎09-17-2017 05:42 PM

Hi all,

 

The company have many PA-500 in HA configuration across the globe, configured by the U.S. team. After upgrade to PanOS 8.0.4, 2 of them are sending alerts like "SYSTEM ALERT : high : User Group count of 16## exceededs threshold of 1000", each of different country and small difference in user group count.

 

I checked the "Group Mapping Settings", it's using the LDAP Lookup method for the User Identification. It's the same config with another one that doesn't send Alerts. So I am a bit confused what to do to stop that 2 sending Alerts.

 

Anyone experienced same issue - same hardware, same OS version, same config but few gives Alert? I have seen https://live.paloaltonetworks.com/t5/General-Topics/SYSTEM-ALERT-high-User-Group-count-of-2358-excee... but we are with different environment.

 

Email body from Alert:

domain: 1
receive_time: 2017/09/18 10:26:50
serial: x_redacted_x
seqno: 210806
actionflags: 0x8000000000000000
type: SYSTEM
subtype: userid
config_ver: 0
time_generated: 2017/09/18 10:26:50
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name: 
device_name: x_redacted_x
vsys_id: 0
vsys: 
eventid: user-group-count
object: 
fmt: 0
id: 0
module: general
severity: high
opaque: User Group count of 1662 exceededs threshold of 1000

By the way, why is it "exceededs"?

 

Appreciate any suggestions.

Patrick.

0 Likes Likes
1 REPLY 1

RichColeman
L2 Linker

‎09-19-2017 07:41 AM

VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls are all restricted to 1,000 AD groups.

 

Basically means you can't have more than a 1000 groups imported from AD into the PAN-OS. 

 

 

0 Likes Likes
  • 3978 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks