SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000


L4 Transporter

According to the New Features Guide in 7.1 PAN-OS the User Group Capacity was increased to a max of 3,200 groups IF you are following their note below:

 

 Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups.

 

So I have gone into these settings and removed all Custom Group lists and didn't have any Group Include List created.

 

Select Device > User Identification > Group Mapping Settings and click Add. Enter a unique Name to identify the group mapping configuration. Configure the Server Profile settings: select the LDAP Server Profile you just created. Select Enabled (default).

Click OK.

 

I started receiving this alert after upgrading to PAN-OS 8.0.4, and even with all lists cleared out I am still seeing this alert every 10 minutes on a PA-200. I thought, well, I'm going to be upgrading those to PA-220's anyway, but after researching, the limit is the same on those and even on the PA-3020's I have. I am not getting alerts from the PA-3020's after upgrading those to PAN-OS 8.0.4.

 

Anyone else experienced this? Opening a ticket next week, but with a lack of any search results on this error I wanted to get one posted for the next guy upgrading a PA-200 to 8.0.x in a 'group heavy' environment.

@Wald @rkramer ?

 

 

Accepted Solutions


@Wald wrote:

@bspilde wrote:

So, obviously those group include lists are working for you then. (?) You received the threshold alert both before and after setting up the include list?

 

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

 

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.





 

The include lists work fine however this appears to be a bug as the documentation says it supports way more groups than the error.

We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.


Oh, the alerts go away when you use "include lists" because it no longer sees a large amount of groups, only the ones you have included.


9 REPLIES

L2 Linker

So we had something similar happen while I was at Ignite on our 220's; however, the admins that were still at the office decided to "fix it" by adding certain groups, just assuming that these boxes were too small to handle all of our groups. We have not gone back to look into it, so I cannot say "exactly" the error we saw at the time. I will see if I can drum up some sort of test.

Here you go @bspilde

 

This is from a 220 running 8.0.4 code.

 

User Group count of 6012 exceededs threshold of 1000

Awesome, so obviously a problem out there as far as alerts, but for how many customers is it more than just alert noise? Hmm

So, obviously those group include lists are working for you then. (?) You received the threshold alert both before and after setting up the include list?

 

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

 

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.

We haven't moved ours over to the new wildcard style yet, all the groups are defined.  Working on it, just moving slowly.


@bspilde wrote:

So, obviously those group include lists are working for you then. (?) You received the threshold alert both before and after setting up the include list?

 

I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.

 

I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.





 

The include lists work fine; however, this appears to be a bug, as the documentation says it supports way more groups than the error.

We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.



I'll add to that it only sees the users for the include groups then vs all of the groups. It actually does still show 2,354 user groups from the User-ID agent. The problem isn't really described well anywhere in my opinion. The limitation is having to store all the members of each group over 1000 groups I suspect.

L4 Transporter

I had LDAP settings in a Global template; therefore, all the smaller boxes that used this template alert on the group count exceeding the maximum for those models.

 

  • To resolve this I took the most commonly used AD groups for policies and included them in the Group Include list for a Group Mapping Setting applied to a template I called Limited_Group_Capacity.
  • In User Identification > Group Mapping Settings, be sure to use the same name as your "Global" group used for a group mapping name.
  • Then include that template on top of your template stack so that it will override anything below it with the same name.
  • Apply that template on the top, or at least above your other template containing group mappings, for every stack containing models restricted to 1000 users.
  • Then commit and push.
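As an added example (not from this thread or from Palo Alto Networks), a small Python triage helper that parses the group-count alert line quoted in this thread and checks a proposed include list against the documented 640/3,200 capacity rule from the 7.1 note above. The sample syslog lines are constructed; the 640 and 3,200 figures and the 1000 threshold come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the alerts quoted in this thread.
# The misspelling "exceededs" is how the firewall actually emits the message.
SAMPLE_ALERTS = [
    "SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000",
    "SYSTEM ALERT : high : User Group count of 6012 exceededs threshold of 1000",
    "SYSTEM ALERT : low : unrelated message that should be ignored",
]

# Documented PAN-OS 7.1+ group-mapping capacities from the quoted note.
MAX_GROUPS_EMPTY_LISTS = 3200      # policy may reference up to 3,200 groups
MAX_GROUPS_POPULATED_LISTS = 640   # combined cap once include/custom lists are used

# Accept both the real spelling and the typo so a future firmware fix does not break parsing.
ALERT_RE = re.compile(
    r"User Group count of (?P<count>\d+) exceededs? threshold of (?P<threshold>\d+)"
)


@dataclass
class GroupCountAlert:
    count: int       # groups the firewall currently sees via group mapping
    threshold: int   # platform alert threshold (1000 on the models in this thread)

    @property
    def over_by(self) -> int:
        return self.count - self.threshold


def parse_alert(line: str) -> Optional[GroupCountAlert]:
    """Return the parsed alert, or None if the line is not a group-count alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return GroupCountAlert(int(m["count"]), int(m["threshold"]))


def triage(lines: List[str]) -> List[GroupCountAlert]:
    """Keep only the group-count alerts from a batch of syslog lines."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def plan_include_list(alert: GroupCountAlert, needed_groups: int) -> dict:
    """Check whether an include list of `needed_groups` entries (the groups policy
    actually references) both stays within the documented combined cap for
    populated lists and stays below the threshold that raised the alert."""
    within_cap = needed_groups <= MAX_GROUPS_POPULATED_LISTS
    under_threshold = needed_groups < alert.threshold
    return {"within_documented_cap": within_cap,
            "under_alert_threshold": under_threshold,
            "recommended": within_cap and under_threshold}
```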