06-01-2018 01:50 AM
Recently upgraded to 8.0.9 from 7.1.x with multiple devices from PA200 up to PA3050, using UserIdAgent against an MS domain, managed via Panorama.
Started getting notifications in the system log along the lines of 'User Group count of 7492 exceeds threshold of 1000'.
In UserId -> GroupMapping I have an LDAP search filter that returns only the groups that are relevant to the firewall, 31 in total, and I can see that's correct via "show user group-mapping statistics", so I'm guessing that the 7,492 refers to the user-group-mapping information returned from the UserIdAgent in total, i.e. for all our users there are 7,492 unique groups at the moment. I don't appear to be able to filter the information returned by UserIdAgent to just the groups that the firewall needs to know about.
The question is: should I be worried? I don't seem to have a problem with the user mapping for the 31 groups of interest on the firewall, but I would like to get rid of the alert from the logs, and there is a certain amount of information leakage in that firewall administrators can see users' full group membership from AD via "show user user-ids match-user" when really they should only be concerned with the 31 groups that control firewall permissions.
06-01-2018 05:55 AM
Hi, the User-ID agent does not collect group information; it only forwards user + IP. Groups are collected through the firewall's "group mapping settings".
Did you add the 31 groups to the "group include list"?
Maybe the full set was fetched somehow before you completed your configuration. You could try these commands to clear out the excess:
> debug user-id clear group all
> debug user-id refresh group-mapping all
06-01-2018 06:22 AM
Interesting!
Having a spare system to play with, I tried that and it does appear to clear out all the other groups! Thanks!
It's not clear to me how they all got there in the first place, but looking at one of our new 820s which started life on PAN-OS 8, they only have the 31 groups I would expect, whilst the older boxes which have been upgraded since the days of 5.x have the full 7,576, so I'm guessing you are right: at some point in the past the LDAP lookup has retrieved the whole lot and it's never been cleared out since.
Thanks.
Nick.
02-06-2020 02:00 AM
Hello to everyone,
I ran the "debug user-id clear group all" command.
I get the following error:
Server error: op command for client useridd timed out as client is not available
Model PA-850
Software Version 9.0.5
( eventid eq user-group-count ) and ( description contains 'User Group count of 1072 exceeds threshold of 1000' )
Best Regards
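As an added example that is not part of the thread and not Palo Alto Networks code: a small triage script for the "user-group-count" system-log event the original poster quotes and the last post filters on. It parses the "User Group count of N exceeds threshold of M" description, keeps the latest event per device, and separates the case this thread describes (a stale group cache on a box upgraded across many releases, where the count is an order of magnitude above the configured include list) from a firewall whose include list is genuinely large. The "device,eventid,description" line layout and the device names are constructed for the example and are not the exact PAN-OS system-log export format; the 10x heuristic is an assumption, not a PAN-OS rule.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified "device,eventid,description" layout
# (NOT the real PAN-OS CSV export; only the eventid and description text follow
# what the thread quotes). Device names are made up. The "general" line is a
# negative case that must be ignored.
SAMPLE_LOGS = """\
PA-3050-core,user-group-count,User Group count of 7492 exceeds threshold of 1000
PA-200-branch,user-group-count,User Group count of 7576 exceeds threshold of 1000
PA-820-new,general,constructed unrelated system log line
PA-850-lab,user-group-count,User Group count of 1072 exceeds threshold of 1000
"""

# The description string quoted in the thread; count and threshold are its only numbers.
DESC_RE = re.compile(
    r"User Group count of (?P<count>\d+) exceeds threshold of (?P<threshold>\d+)"
)

STALE_CACHE = "stale-cache: run 'debug user-id clear group all' then refresh group-mapping"
LARGE_INCLUDE_LIST = "large-include-list: review the group include list or the threshold"


@dataclass(frozen=True)
class GroupCountEvent:
    device: str
    count: int
    threshold: int


def parse_group_count_events(text):
    """Return the user-group-count events found in simplified log text.

    Lines with any other eventid, or with a description that does not match
    the quoted message, are skipped rather than raising.
    """
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue
        device, eventid, description = parts
        if eventid != "user-group-count":
            continue
        m = DESC_RE.search(description)
        if m:
            events.append(GroupCountEvent(device, int(m["count"]), int(m["threshold"])))
    return events


def triage(events, expected_groups):
    """Classify the latest event per device against the size of the include list.

    expected_groups is how many groups the firewall is configured to map (31 in
    the thread). Heuristic (an assumption of this example): a count more than
    ten times the include list cannot come from that list and points at the
    stale cache the thread describes; anything smaller is a real sizing question.
    """
    latest = {}
    for ev in events:
        latest[ev.device] = ev  # later lines win, so the newest event is kept
    verdicts = {}
    for device, ev in latest.items():
        if ev.count > 10 * expected_groups:
            verdicts[device] = STALE_CACHE
        else:
            verdicts[device] = LARGE_INCLUDE_LIST
    return verdicts


if __name__ == "__main__":
    parsed = parse_group_count_events(SAMPLE_LOGS)
    for device, verdict in triage(parsed, expected_groups=31).items():
        print(f"{device}: {verdict}")
```

Feed it the description column of a Panorama system-log export filtered with the "( eventid eq user-group-count )" query from the last post, after adjusting the split to the real column layout, and the devices flagged as stale are the ones to clear and refresh (bearing in mind the "client is not available" error above, which the thread leaves unresolved).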