We are using the Windows User-ID agent for parsing the user and user group mapping info. Often I see in the logs that the user is not being recognized and is hitting the deny rule. After a couple of minutes it starts recognizing the user and allows the traffic. I am skeptical about what could be the reason for this disparity. Why would any user info and user group mapping info go stale?
On a different note, given the limitation of 10000 user groups on PAN, what would be the best go-to approach to overcome this shortage?
It really depends on how often you have the user-id agent reading the logs, and how often you have the firewall polling your user-id agent. Multiple things to look at here depending on how/when exactly you are running into the issue. Could be anything from the user-id being aged out on the firewall, to logging events not being generated due to where you are pulling the information and your users are just constantly using cached credentials.
As for the 10,000 user group limitation, when exactly do you think you'll actually have to deal with this limitation? Most companies really don't have to deal with this and don't utilize 10,000 groups in their security policies. If you do, then you break it out to the groups that would actively be utilized on that particular firewall. I've never seen a deployment that couldn't work around the limitations.
We are using the Windows User-ID agent for parsing the user and user group mapping info. Often I see in the logs that the user is not being recognized and is hitting the deny rule. After a couple of minutes it starts recognizing the user and allows the traffic.
I can come up with at least 3 different reasons as to why this could be happening from my own experience, but that might not be the case for you. Can you elaborate on your auth setup more? Have you tried looking into the aging timers and comparing that to the users that are having issues?
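As an added example (not part of the thread), here is a small triage script for the comparison the reply suggests: it walks traffic log lines, finds source IPs that were denied with an unknown user and later allowed once a user mapping existed, and measures the gap so it can be held against the configured aging or refresh interval. The log lines and the four-field layout (time, src_ip, user, action) are constructed for this example and are not the real PAN-OS export format.

```python
"""Correlate traffic log lines where a source IP is first denied with an
unknown user and later allowed once User-ID has mapped it.

The log lines below are constructed for this example; the field layout
(time, src_ip, user, action) is an assumption, not the real PAN-OS CSV export.
"""
from datetime import datetime

SAMPLE_LOG = """\
2024/01/10 08:00:05,10.1.1.20,unknown,deny
2024/01/10 08:00:09,10.1.1.20,unknown,deny
2024/01/10 08:03:41,10.1.1.20,corp\\alice,allow
2024/01/10 08:01:00,10.1.1.31,corp\\bob,allow
2024/01/10 08:02:15,10.1.1.45,unknown,deny
"""

def parse(log_text):
    """Yield (timestamp, src_ip, user, action) tuples from the constructed log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, action = line.split(",")
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), ip, user, action

def identity_gaps(log_text):
    """Return {src_ip: (seconds_unmapped, user)} for IPs that were denied as
    'unknown' and later allowed with a mapped user. IPs that never got mapped
    are reported as (None, None) so they can be checked against the agent."""
    first_unknown = {}
    result = {}
    for ts, ip, user, action in sorted(parse(log_text)):
        if user == "unknown" and action == "deny":
            first_unknown.setdefault(ip, ts)
        elif user != "unknown" and ip in first_unknown and ip not in result:
            result[ip] = (int((ts - first_unknown[ip]).total_seconds()), user)
    for ip in first_unknown:
        result.setdefault(ip, (None, None))
    return result

def flag_aging_suspects(gaps, refresh_seconds):
    """Gaps at or beyond the agent/firewall refresh interval point at the
    mapping having aged out before it was re-learned, rather than a one-off."""
    return sorted(ip for ip, (gap, _) in gaps.items()
                  if gap is not None and gap >= refresh_seconds)

if __name__ == "__main__":
    gaps = identity_gaps(SAMPLE_LOG)
    for ip, (gap, user) in sorted(gaps.items()):
        print(ip, gap, user)
    print("aging suspects:", flag_aging_suspects(gaps, 120))
```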