User Group Count Exceeds threshold

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User Group Count Exceeds threshold

L2 Linker

Recently upgraded to 8.0.9 from 7.1.x with mutiple devices from PA200 up to PA3050, Using UserIdAgent against an MS domain. managed via Panorama.

 

Started getting notifications in thes system log along the lines of 'User Group count of 7492 exceededs threshold of 1000'

 

In UserId -> GroupMapping I have an LDAP search filter that returns only the groups that are relevant to the firewall, 31 in total, & I can see thats correct via "show user group-mapping statistics" so Im guessing that the 7,492 referes to the user-group-mapping information returned from the UserIdAgent in total, ie for all our users there are 7,492 unqiue groups at the moment. I dont appear to be able to filter the information returned by UserIdAgent to just the groups that the firewall needs to know about.

 

The question is should I be worried - I dont seem to have a problem with the user mapping for the 31 groups of interest on the firewall but I would like to get rid of the alert from the logs + there is a certain amount of information leakage in that firewall administrators can see users full group membership from AD via "show user user-ids match-user" when really they should only be concerned with the 31 groups that control firewall permissions.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi the user-ID agent does not collect group information, it only forwards user + ip, groups are collected through the firewalls "group mapping settings"

 

did you add the 31 groups to the "group include list"?

maybe the full set was fetched somehow vefore you completed your configuration, you could try this command to clear out the excess:

> debug user-id clear group all
> debug user-id refresh group-mapping all 
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi the user-ID agent does not collect group information, it only forwards user + ip, groups are collected through the firewalls "group mapping settings"

 

did you add the 31 groups to the "group include list"?

maybe the full set was fetched somehow vefore you completed your configuration, you could try this command to clear out the excess:

> debug user-id clear group all
> debug user-id refresh group-mapping all 
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Interesting !

 

having a spare system to play with, I tried that & it does appear to clear out all the other groups ! thanks !

 

Its not clear to me how they all got there in the first place - but looking at one of our new 820s which started life on PanOs 8, they only have the  31 groups I would expect whilst the older boxes which have been upgrading from the days of 5.x have the full 7,576 so Im guessing you are right - at some point in the past the LDAP lookup has retrieved the whole lot & its never been cleared out since.

 

Thanks.

 

Nick.

Hello to everyone ,

I ran the debug user-id clear group all command.

I get the following error.
Server error: op command for client useridd timed out as client is not available

Model PA-850
Software Version 9.0.5

 

( eventid eq user-group-count ) and ( description contains 'User Group count of 1072 exceeds threshold of 1000' )

Best Regards 

  • 1 accepted solution
  • 17802 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!