09-04-2012 10:54 AM
Dears,
I have Palo Alto consolidated and working fine in my network, but sometimes I have to make some changes to AD groups to give some rights to some users...
I am realizing that all changes take too long to take effect in Palo Alto; I think it is because my agent has the user identification timeout set to 45 minutes...
In other words, Palo Alto takes around 45 minutes to notice any change to AD groups... right?
I am thinking of decreasing that value to 5 minutes... What is the impact of having the user identification timeout set to 5 minutes?
All my DCs are located inside my network, no remote DCs.
Thanks in advance!
09-04-2012 11:28 AM
Hello,
User identification timeout is nothing but the timeout value for user entries. You might want to change the security log timer.
Thank you.
Subijith Raghunandan.
09-04-2012 11:40 AM
Shouldn't a decreased TTL for the various caches slightly increase the load on the mgmtplane?
09-04-2012 11:45 AM
So, you mean I should keep 45 minutes and focus on the security log timer?
But the sec log timer is already set to 1 second...
Right now I am doing tests with my login...
We have a rule allowing social networking for some AD group "social_networking_allowed"...
I have just added my user to that group and until now I am still not allowed to access social networking sites...
Is this behavior usual... whenever I add or remove a user from an AD group, will it take all this time to be reflected in PA rules??
Below is my agent config
Thanks all
09-04-2012 11:56 AM
Does the newly added user show up in the PA? Please use the following command: > show user group name (name), and also paste the output of the following commands: > show user group-mapping statistics and > show user group-mapping state all.
Thanks.
09-04-2012 12:20 PM
fabio.garcia@XXXXXXXX(active)> show user group name "XXXXXXXXX\redes sociais - allow"
...
[30 ] XXXXXXXX\fabio.garcia
>>>>>> Even 15 minutes after I took my name off that AD group, I am still seeing my name over there...
####################################################
fabio.garcia@XXXXXXXXX(active)> show user group-mapping statistics
Name Vsys Groups Last-Action(secs) Next-Action(secs)
---------------------------------------------------------------------------
XXXXX-XXXXX vsys1 7 1859 secs ago(took 0 secs) In 1741 secs <<<<<< ???
>>>> Is that the delay until PA checks the users inside all groups again???
#####################################################
fabio.garcia@XXXXXXX(active)> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): XXXX-XXXXX
Bind DN : ...
Base : ...
Group Filter: (None)
User Filter: (None)
Servers : configured 2 servers
X.X.X.X(389)
Last Action Time: 1932 secs ago(took 0 secs)
Next Action Time: In 1668 secs <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
X.X.X.X(389)
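Reading the refresh cycle out of the output pasted above, as an added example that is not from the thread: the elapsed and remaining seconds in both commands sum to 3600, i.e. a one-hour cycle, which is also the worst-case wait before a group change is seen. The sample text is constructed from the quoted output and the 300-second threshold is an assumption.

```python
import re

# Constructed sample, modelled on the "show user group-mapping state all"
# output quoted in the post above (the mapping name and server addresses
# are the poster's own placeholders, not real values).
SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): XXXX-XXXXX
Bind DN : ...
Base : ...
Servers : configured 2 servers
X.X.X.X(389)
Last Action Time: 1932 secs ago(took 0 secs)
Next Action Time: In 1668 secs
X.X.X.X(389)
"""


def parse_group_mapping_state(text: str) -> dict:
    """Extract the mapping name and the two refresh timers from the CLI output."""
    name = re.search(r"^Group Mapping\(.*?\):\s*(\S+)", text, re.M)
    last = re.search(r"^Last Action Time:\s*(\d+) secs ago", text, re.M)
    nxt = re.search(r"^Next Action Time:\s*In (\d+) secs", text, re.M)
    if not (name and last and nxt):
        raise ValueError("unrecognised group-mapping state output")
    return {
        "name": name.group(1),
        "last_action_secs_ago": int(last.group(1)),
        "next_action_in_secs": int(nxt.group(1)),
    }


def check_refresh_interval(text: str, max_acceptable_secs: int = 300) -> dict:
    """Derive the refresh cycle and flag it if group changes could wait too long."""
    state = parse_group_mapping_state(text)
    # Seconds elapsed since the last refresh plus seconds until the next one
    # is the length of one cycle, i.e. the configured Update Interval.
    interval = state["last_action_secs_ago"] + state["next_action_in_secs"]
    return {
        "name": state["name"],
        "update_interval_secs": interval,
        # A membership change made just after a refresh is only seen at the
        # next one, so the worst-case propagation delay is the full interval.
        "worst_case_delay_secs": interval,
        "too_slow": interval > max_acceptable_secs,
    }


if __name__ == "__main__":
    print(check_refresh_interval(SAMPLE_STATE))
```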
09-04-2012 12:39 PM
I got it....
In GUI
Device > User Identification (left menu) > Group Mapping Settings
Clicking on your configured SERVER, then UPDATE INTERVAL, I chose 60 (seconds)...
Now there is a maximum delay of 60 seconds until PA updates the list of AD groups (with new or deleted users).
Thanks!!
09-04-2012 12:45 PM
That's great, I was about to reply but was caught up on a call. Now, is this working as expected?
09-05-2012 01:29 AM
I feel that the default values in the doc mentioned earlier are a bit high, but I guess there is some good reason behind each setting for why it's so high.
What are the most aggressive settings that are still fine to use regarding mgmtplane utilization etc.?
Because I have a bad feeling that something would break if one selects the lowest values for each item like:
Age-out timeout: 1min
User membership timeout: 1min
Security log timer: 1sec
Netbios probing (is the same as for wmi?): 1min
Server session timer: 1sec