User Identification Timeout - What to do ?

cancel
Showing results for 
Search instead for 
Did you mean: 

User Identification Timeout - What to do ?

L3 Networker

Dears,

I have Palo Alto consolidated and working fine in my network but sometimes I have to do some changes on AD groups to give some rights to some users...

I am realizing that all changes delays too much to take effect in Palo Alto, I think is because my agent have user identification timeout set to 45 minutes..

In other words Palo ALto delays around 45 minutes to realize any change into AD groups... right ?

I am thinking in decrease that value to 5 minutes... What is the impact having user identification timeout set to 5 minutes ?

ScreenShot128.jpg

All my DC are located inside my network, no remote DCs.

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

Hello,

User identification timeout is nothing but timeout value for user entries. You might want to change the security log timer.

Thank you.

Subijith Raghunandan.

View solution in original post

8 REPLIES 8

L5 Sessionator

Hello,

User identification timeout is nothing but timeout value for user entries. You might want to change the security log timer.

Thank you.

Subijith Raghunandan.

View solution in original post

Shouldnt a decreased TTL for the various caches slightly increase the load for the mgmtplane?

So, you meant I should keep 45 minutes and focus on security log timer ?

But sec log timer is already set to 1 second....

Right now I am doint tests with my login....

We have a rule allowing social networking for some AD group "social_networking_allowed"...

I have just added my user to that group and till now I am still not able to be allowed to social networks sites...

Is that usual this behavior... whenever I add or take off some user from an AD group that will delay all this time to reflect on PA rules ??

Below my agent config

ScreenShot129.jpg

thanks all

Does the newly added user show up in the PA, please use the following command:- > show user group name (name)  and also paste the following command o/ps  >show user group-mapping statistics and  show user group-mapping state all.

Thanks.

fabio.garcia@XXXXXXXX(active)> show user group name "XXXXXXXXX\redes sociais - allow"

...

[30    ] XXXXXXXX\fabio.garcia

>>>>>> Even after 15 minutes I took off my name from that AD group I am still seeing my name over there...

####################################################

fabio.garcia@XXXXXXXXX(active)> show user group-mapping statistics

Name         Vsys    Groups Last-Action(secs)                Next-Action(secs)

---------------------------------------------------------------------------

XXXXX-XXXXX  vsys1   7      1859 secs ago(took 0 secs)       In 1741 secs <<<<<< ???

>>>> Is that the delay till PA checks again users inside all groups ???

#####################################################

fabio.garcia@XXXXXXX(active)> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): XXXX-XXXXX

        Bind DN    : ...

        Base       : ...

        Group Filter: (None)

        User Filter: (None)

        Servers    : configured 2 servers

                X.X.X.X(389)

                        Last Action Time: 1932 secs ago(took 0 secs)

                        Next Action Time: In 1668 secs  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

                X.X.X.X(389)

I got it....

In GUI

Device > User identification (left menu) > Group Mapping Setings

Clicking at your SERVER configured, then UPDATE INTERVAL I choose 60 (seconds)....

Now I delay maximum of 60 seconds to PA updates list of AD groups (with new users or deleted users)

Thanks!!

That's Great i was about to reply was caught up on a cal, now is this working as expected.

I feel that the default values in the doc mentioned earlier are a bit high - but I guess there is some good reason behind each setting for why its so high.

What are the most aggressive settings that are still fine to use regarding mgmtplane utilization etc?

Because I have a bad feeling that something would break if one select the lowest values for each item like:

Age-out timeout: 1min

User membership timeout: 1min

Security log timer: 1sec

Netbios probing (is the same as for wmi?): 1min

Server session timer: 1sec

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!