08-31-2017 11:46 AM
According to the New Features Guide in 7.1 PAN-OS the User Group Capacity was increased to a max of 3,200 groups IF you are following their note below:
Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups.
So I have gone into these settings and removed all Custom Group lists and didn't have any Group Include List created.
Select Device > User Identification > Group Mapping Settings and click Add.
Enter a unique Name to identify the group mapping configuration.
Configure the Server Profile settings: select the LDAP Server Profile you just created.
Select Enabled (default).
Click OK.
I started receiving this alert after upgrading to PAN-OS 8.0.4 and even with all lists cleared out I am still seeing this alert every 10 minutes on a PA-200. I thought, well I'm going to be upgrading those to PA-220's anyway but after researching, the limit is the same on those and even the PA-3020's I have. I am not getting alerts from the PA-3020's after upgrading those to PAN-OS 8.0.4.
Anyone else experienced this? Opening a ticket next week, but with a lack of any search results on this error I wanted to get one posted for the next guy upgrading a PA-200 to 8.0.x in a 'group heavy' environment.
08-31-2017 11:59 AM
So we had something similar happen while I was at Ignite on our 220's; however, the admins that were still at the office decided to "fix it" by adding certain groups, just assuming that these boxes were too small to handle all of our groups. We have not gone back to look into it so I cannot say "exactly" the error we saw at the time. I will see if I can drum up some sort of test.
08-31-2017 12:14 PM
Here you go @bspilde
This is from a 220 running 8.0.4 code.
User Group count of 6012 exceededs threshold of 1000
08-31-2017 12:20 PM
Awesome, so obviously a problem out there as far as alerts, but for how many customers is it more than just alert noise? Hmm
08-31-2017 12:28 PM
So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?
I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.
I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.
08-31-2017 12:38 PM
We haven't moved ours over to the new wildcard style yet, all the groups are defined. Working on it, just moving slowly.
08-31-2017 01:04 PM
@bspilde wrote: So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?
I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.
I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.
The include lists work fine however this appears to be a bug as the documentation says it supports way more groups than the error.
We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.
09-01-2017 08:36 AM
@Wald wrote:
@bspilde wrote: So, obviously those group include lists are working for you then.(?) You received the threshold alert both before and after setting up the include list?
I don't have anything on our PA-200 that uses groups so I haven't tested whether or not things work. It seems the list of all groups exists on the firewall so I don't see how the threshold means anything regardless of list settings unless it can't see the members of those groups. I didn't go that far.
I'll dig into local logs just to make sure the others aren't logging and not alerting on that message.
The include lists work fine however this appears to be a bug as the documentation says it supports way more groups than the error.
We pretty much have to use include lists since we have over 6000 groups which is above and beyond the specs.
Oh, the alerts go away when you use "include lists" because it no longer sees a large amount of groups, only the ones you have included.
09-08-2017 07:47 AM
I'll add to that it only sees the users for the include groups then vs all of the groups. It actually does still show 2,354 user groups from the User-ID agent. The problem isn't really described well anywhere in my opinion. The limitation is having to store all the members of each group over 1000 groups I suspect.
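Added example (not from the thread or from Palo Alto Networks): a Python triage helper that parses the alert text posted above out of collected syslog, collapses the every-10-minutes repeats per firewall, and places the reported count against the 1000 platform threshold in the message and the 3,200 / 640 capacities from the quoted New Features Guide note. The syslog wrapper format and hostnames are constructed for the sample; only the message text comes from the thread.

```python
import re
from collections import defaultdict

# From the New Features Guide note quoted in the thread: empty Group Include /
# Custom Group lists allow 3,200 groups in policy; populated lists allow 640.
CAP_EMPTY_LISTS = 3200
CAP_POPULATED_LISTS = 640

# Matches the posted message; tolerates both "exceeds" and "exceededs".
ALERT_RE = re.compile(
    r"User Group count of (?P<count>\d+) exceed(?:ed)?s threshold of (?P<thr>\d+)")

# Constructed sample: "<host> <timestamp> <message>"; hostnames are assumptions.
SAMPLE_LOG = """\
pa200-branch 2017-08-31T11:00:00 User Group count of 6012 exceededs threshold of 1000
pa200-branch 2017-08-31T11:10:00 User Group count of 6012 exceededs threshold of 1000
pa200-branch 2017-08-31T11:20:00 User Group count of 6012 exceededs threshold of 1000
pa3020-dc 2017-08-31T11:05:00 Commit job 12 completed successfully
pa220-lab 2017-08-31T11:07:00 User Group count of 2354 exceeds threshold of 1000
"""


def parse_alerts(log_text):
    """Collapse the repeating alert into one record per host with a repeat count."""
    hosts = defaultdict(lambda: {"count": 0, "threshold": 0, "repeats": 0})
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        m = ALERT_RE.search(parts[2])
        if m:
            rec = hosts[parts[0]]
            rec["count"], rec["threshold"] = int(m["count"]), int(m["thr"])
            rec["repeats"] += 1
    return dict(hosts)


def classify(count, threshold):
    """Say whether an include list merely silences the alert or is actually required."""
    if count <= threshold:
        return "within platform threshold"
    if count <= CAP_POPULATED_LISTS:
        return "over platform threshold; fits even with populated lists"
    if count <= CAP_EMPTY_LISTS:
        return "over platform threshold; within 3,200 cap only with empty lists"
    return "exceeds documented 3,200 cap; include list needed to trim groups"


def triage(log_text):
    """Per-host summary: parsed alert fields plus the capacity verdict."""
    return {host: dict(rec, verdict=classify(rec["count"], rec["threshold"]))
            for host, rec in parse_alerts(log_text).items()}
```

Feed it the system-log export from each firewall that raises the alert; hosts whose verdict mentions the 3,200 cap are the ones where trimming via an include list is the only documented fix rather than just a way to quiet the message.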
02-12-2018 12:25 PM
I had LDAP settings in a Global template; therefore all the smaller boxes that used this template alert on the group count exceeding the maximum for those models.