12-11-2015 03:09 AM - edited 07-17-2016 11:04 PM
Dear All,
i have problem in my VPN user Identification (they cannot login to portal) after there's update/change in my AD server group. I already doing this https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Force-User-Group-Mapping-Refresh/... to force user group mapping refresh. It's work to update my User-ID in my policy but my VPN User mapping still not updated untill almost 60 minutes. There is any way to refresh/tunning or Query it faster to update VPN user mapping?
12-11-2015 03:36 AM - edited 12-11-2015 03:39 AM
Hi Gabriel
Have you set an allow list in the authentication profile itself? If not the issue may be a connectivity issue between the firewall and the ldap server instead of group mapping
you can change the group mapping update interval in the group mapping object :
Device > User Identification> Group Mapping Settings > Server Profile > Update Interval
If you're aware a change was made you can also trigger a manual update from the CLI:
> debug user-id refresh group-mapping all
hope this helps
Tom
12-11-2015 08:28 AM - edited 12-11-2015 08:28 AM
@gabriel.simatupang The "Value" threshold of 60-86400 is in seconds I believe. Your request to have the group refreshed more quickly than 60 minutes just means set this value below 3600 seconds, down to as low as 60 seconds. Although, I'm not sure how much of an impact setting the refresh to 60 seconds would have on your firewall.
12-11-2015 08:17 PM
I already tunning update interval to 60 Second and it's works for my user-id group in security policy but somehow it's not working in my user-id group on Global Protect. There is another way ?
12-17-2015 03:21 AM
The group mapping for the security policies and the authentication in GP should be identical, since they both come from the same profile that is updated
Unless ... are you using multiple ldap profiles ? (maybe one is being updated properly and the other isnt)
if you increase debugging and tail the logs during authentication, does anything interesting pop up:
> debug authentication on debug > tail follow yes mp-log authd.log
you can try to take a look at the logging for user-id as well to see if anything might be failing:
> debug user-id on debug > less mp-log authd.log
07-17-2016 11:03 PM
thanks @reaper for your help. but after i open case to tac they said:
Engineering team has decided that this fix will not be added to 7.0 or 7.1 code versions due to the significant design changes involved in the fix. These design changes will be handled in 8.0 releases.
The workaround is to use "all" or individual users in the allow list.
so i must wait PANOS 8 release. Do you have any idea when PANOS 8 release?
07-17-2016 11:57 PM
I would guess, based on previous release timeframes of about 8-10 months between major releases, that PAN-OS 8.0 is likely to appear around the end of this year. But currently there's nothing out yet so I'd advise you to keep checking in regularly. Once 8.0 is about to be released you should see announcements popping up
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
