- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
User Group limits on firewall
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- User Group limits on firewall
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
User Group limits on firewall
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-05-2021 06:41 PM - edited 04-05-2021 09:25 PM
Hello,
Recently I got error below on PA 850 device(8.1.13)
-User Group count of 1098 exceeds threshold of 1000
The log is straight forward, number of group is exceeding the limit, but I have some question.
1. I have one more device,PA-3220, which look same LDAP for group mapping(same configuration).
I found article about this and it says FW has limitation for user group above 8.x and it's on all FW.
But there is no same log on 3220, even it has same number of group,1098.
Is the limit different via devices?
2. The log says number of group exceeding the limit, but FW still holds over 1000 user group.
active)> show user group list | match Total
Total: 1098
Is this log just alert? I don't know how FW can hold more than 1000 group if there is limit.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-06-2021 01:32 AM
Hi @yhlee1 ,
Yes, each platform has its own limits.
You can make the comparison on this page:
https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-3220,pa-850
In this particular example you'll notice that the PA-850 can have 1000 active and unique groups in policy, compared to the PA-3220 which can have 10,000 (aggregate of LDAP groups, dynamic user groups and XML API groups).
Hope this helps,
-Kiwi.
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!
- Change IP MGT Firewall conect to Panorama in General Topics
- MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon in General Topics
- What privileges required by service account used by palo alto firewall in LDAP server profile to fetch group information from LDAP server in General Topics
- Panorama Template Push to Firewall always fails, unless you push Device Group at the same time in Panorama Discussions
- Panorama logs - using local Panorama VM disk for logging - unable to view logs from firewalls prior to 00:29 in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
