PA-500 LDAP Checkin Timing



L1 Bithead

Does anyone know how often a PA-500 checks in with LDAP to determine group members? I was adding users to a group that should be blocked from outside access; however, even after 10 minutes and several restarts the user can still get right out to the internet. How long does it take for the Palo Alto to check back for group members?

On that same note, I have a policy that blocks certain users from getting out to the internet. However, when I apply this policy to the users, it takes up to 10 seconds for them to get to our internal OWA server. When I remove the policy, it is instantaneous. Why would blocking "any" traffic from my Internal Network to the Untrust Zone cause users to stall out when trying to get to an internal OWA server?

Thanks!


L6 Presenter

Regarding your OWA question... do your clients have DNS servers configured that are reachable only via untrust (and are therefore blocked)?

Because your description fits a client that tries to resolve something with dns1, fails after 2 seconds, tries dns2, fails after 2 seconds, and so on, until some more time has passed and the browser/SSH client/whatever just figures "ehh, this doesn't work" and then continues with whatever it was trying to access.

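The resolver fall-back the reply describes can be checked directly from an affected client. The script below is an added example, not code from the original thread or from Palo Alto Networks: it encodes a minimal DNS query, times each configured server with a fixed per-server timeout, and models the total stall a stub resolver produces when it walks an ordered server list where the early entries are unreachable (a simplification of the glibc-style `timeout`/`attempts` behaviour, which also varies by OS). The server addresses, the 2-second timeout and the query name are placeholder assumptions.

```python
"""Reproduce the DNS fall-back stall described in the reply.

Added example: a client with unreachable DNS servers listed first waits a
full timeout on each one before trying the next, and an application that
cannot resolve a name stalls for the sum of those timeouts.
"""
import socket
import struct
import time


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A/IN query in RFC 1035 wire format (RD bit set)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_server(server: str, qname: str, timeout: float = 2.0):
    """Send one UDP query to server:53 and return (answered, seconds_waited).

    An unreachable or filtered server costs the full timeout, which is the
    delay a client pays for every blocked resolver ahead of a working one.
    """
    query = build_query(qname)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
            # A well-formed reply echoes the transaction ID we sent.
            answered = len(data) >= 12 and data[:2] == query[:2]
        except OSError:  # socket.timeout is a subclass of OSError
            answered = False
    return answered, time.monotonic() - start


def estimate_stall(reachable: list, timeout: float = 2.0, attempts: int = 2) -> float:
    """Model a stub resolver walking its server list in order.

    reachable: per-server flag in resolv.conf order (True = answers).
    Returns seconds elapsed before the first answer, or before the resolver
    gives up after `attempts` passes over an entirely dead list.
    """
    waited = 0.0
    for _ in range(attempts):
        for is_up in reachable:
            if is_up:
                return waited
            waited += timeout
    return waited


if __name__ == "__main__":
    # Placeholder servers (TEST-NET-1 documentation range, never routable):
    # both will time out, so this demo takes about 2 x 2 seconds to run.
    servers = ["192.0.2.1", "192.0.2.2"]
    qname = "owa.example.com"  # placeholder name
    for srv in servers:
        ok, waited = probe_server(srv, qname, timeout=2.0)
        print(f"{srv}: {'answered' if ok else 'no answer'} after {waited:.1f}s")
    # Two dead servers ahead of a working third: 4 s stall before any answer.
    print("modelled stall:", estimate_stall([False, False, True], 2.0), "s")
    # No working server at all, two attempts: 8 s before the app gives up.
    print("modelled stall:", estimate_stall([False, False], 2.0), "s")
```

If the per-server times come back as the full timeout for the first entries, the fix is on the client side (point it at an internal resolver, or permit DNS to the intended servers in a rule above the deny), not in the OWA policy itself.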