How to validate user/endpoint is fetching which profile from GP Portal Agent configuration.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to validate user/endpoint is fetching which profile from GP Portal Agent configuration.

L1 Bithead

Hello Team, 

 

I have configured multiple agent profiles in the GP Portal and I want to verify which agent profile is currently being fetched by individual user, How do i verify that from the firewall or endpoint?

Context: I have profile 1 which has a limited set of exception users who have some flexibility to switch the portal to add a new portal etc..

-Profile 2 is restrictive where users do not have options like profile -1 and I am controlling this via AD groups.

For users who are complaining and troubleshooting purposes, I am moving individual users to the exception group for the time being. 

After moving to profile 1 and the user being part of exception AD, refreshing the connection multiple times GP from user's machine does not load profile 1.

 

Q:- 1) How do we validate user/endpoint is part of which agent profile?

Q:-2) If refresh connection is not right option to fetch new configur? what is the alternative way?

 

 

2 REPLIES 2

Hi @dramchandani ,

By default Group Mapping refresh AD user groups every 60mins. Which means if you make any changes in the AD groups, firewall will receive this information after one hour (really depending when was the last refresh).

 

You can change this update interval https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups Step 2, substep 5

 

In our environment we have changed that interval to 10mins. But if you are impatient you can manually trigger group mapping update and not wait until the next interval

> debug user-id refresh group-mapping all
# Check when is the next update interval
> show user group mapping state all

# List members in AD group to validate if user is present
> show user group name "<group-dn>"

 

Q:-2) If refresh connection is not right option to fetch new configur? what is the alternative way?

A: Refresh config from GP client GUI is the best way to fetch new config. But make sure firewall has AD groups updated

 

Hello @aleksandar.astardzhiev ,

 

Thanks for your response.

I have LDAP timer configured for 20 min. The user is shown in group mapping in the firewall but when user clicks on refresh connection, he doesn't get the updated configuration.

It's not an issue every time, out of 100 iterations that I have tried so far only 40 succeeded in fetching the new configuration and 60 failed to fetch the new configuration though the user is part of the group.

  • 673 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!