User Authentication Profile update for VPN User-ID mapping PANOS 7.0.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User Authentication Profile update for VPN User-ID mapping PANOS 7.0.x

Dear All,

 

i have problem in my VPN user Identification (they cannot login to portal) after there's update/change in my AD server group. I already doing this https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Force-User-Group-Mapping-Refresh/... to force user group mapping refresh. It's work to update my User-ID in my policy but my VPN User mapping still not updated untill almost 60 minutes. There is any way to refresh/tunning or Query it faster to update VPN user mapping?

 

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi Gabriel

 

Have you set an allow list in the authentication profile itself? If not the issue may be a connectivity issue between the firewall and the ldap server instead of group mapping

 

you can change the group mapping update interval in the group mapping object :

 

Device > User Identification> Group Mapping Settings > Server Profile > Update Interval

 

group mapping

 

If you're aware a change was made you can also trigger a manual update from the CLI:

> debug user-id refresh group-mapping all

 

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L6 Presenter

@gabriel.simatupang The "Value" threshold of 60-86400 is in seconds I believe.  Your request to have the group refreshed more quickly than 60 minutes just means set this value below 3600 seconds, down to as low as 60 seconds.  Although, I'm not sure how much of an impact setting the refresh to 60 seconds would have on your firewall.

I already tunning update interval to 60 Second and it's works for my user-id group in security policy but somehow it's not working in my user-id group on Global Protect. There is another way ?

The group mapping for the security policies and the authentication in GP should be identical, since they both come from the same profile that is updated

Unless ... are you using multiple ldap profiles ? (maybe one is being updated properly and the other isnt)

 

 

if you increase debugging and tail the logs during authentication, does anything interesting pop up:

> debug authentication on debug
> tail follow yes mp-log authd.log

you can try to take a look at the logging for user-id as well to see if anything might be failing:

> debug user-id on debug
> less mp-log authd.log

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

thanks @reaper for your help. but after i open case to tac they said:

 

Engineering team has decided that this fix will not be added to 7.0 or 7.1 code versions due to the significant design changes involved in the fix. These design changes will be handled in 8.0 releases.

The workaround is to use "all" or individual users in the allow list.

 

so i must wait PANOS 8 release. Do you have any idea when PANOS 8 release?

I would guess, based on previous release timeframes of about 8-10 months between major releases, that PAN-OS 8.0 is likely to appear around the end of this year. But currently there's nothing out yet so I'd advise you to keep checking in regularly. Once 8.0 is about to be released you should see announcements popping up

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 7525 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!