How to validate user/endpoint is fetching which profile from GP Portal Agent configuration.

Hello Team, 

I have configured multiple agent profiles in the GP Portal and I want to verify which agent profile is currently being fetched by an individual user. How do I verify that from the firewall or the endpoint?

Context: I have profile 1, which has a limited set of exception users who have some flexibility, such as switching the portal or adding a new portal, etc.

- Profile 2 is restrictive: users do not have the options of profile 1, and I am controlling this via AD groups.

For users who are complaining, and for troubleshooting purposes, I am moving individual users to the exception group for the time being.

After moving the user to profile 1 and making the user part of the exception AD group, refreshing the connection multiple times from the user's machine does not load profile 1.

Q1) How do we validate which agent profile a user/endpoint is part of?

Q2) If refresh connection is not the right option to fetch the new configuration, what is the alternative way?

2 REPLIES

Hi @dramchandani ,

By default, Group Mapping refreshes AD user groups every 60 minutes. This means that if you make any changes to the AD groups, the firewall will receive this information after one hour (depending on when the last refresh was).

You can change this update interval: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups (Step 2, substep 5).

In our environment we have changed that interval to 10 minutes. But if you are impatient, you can manually trigger a group mapping update and not wait until the next interval:

> debug user-id refresh group-mapping all

# Check when the next update interval is
> show user group-mapping state all

# List the members of the AD group to validate that the user is present
> show user group name "<group-dn>"

Q2) If refresh connection is not the right option to fetch the new configuration, what is the alternative way?

A: Refresh config from the GP client GUI is the best way to fetch the new config. But make sure the firewall has the AD groups updated.
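The checks in the reply above can be scripted so that the same "is the user in the group yet, and when is the next refresh" question is answered the same way every time a user is moved between the exception group and the restricted group. The following is an added example, not code from the original post or from Palo Alto Networks. It renders the two show commands and the refresh command from the reply as PAN-OS XML API operational commands (the XML form is my own rendering of the CLI syntax; confirm it on your firewall with `debug cli on`), and parses their text output. The firewall host `fw.example.net`, the API key, the group DN `cn=gp-exception,ou=groups,dc=example,dc=net`, the user `example\jdoe`, and the two sample responses are all constructed placeholders; only the parsing runs offline.

```python
"""
Added example (not from the original post): check through the PAN-OS XML API
whether a user is currently in the AD group that selects a GlobalProtect agent
profile, and how long until the firewall's next group-mapping refresh.
Assumptions: firewall host, API key, group DN and user name are placeholders;
the XML renderings of the CLI commands are my own (verify with 'debug cli on');
the sample responses below are constructed in the shape of the CLI output.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import escape

# The three CLI commands from the reply, rendered as XML op commands.
# Assumption: a bare keyword such as 'all' becomes an empty element.
CMD_REFRESH_GROUP_MAPPING = (
    "<debug><user-id><refresh><group-mapping><all/></group-mapping>"
    "</refresh></user-id></debug>"
)
CMD_GROUP_MAPPING_STATE = (
    "<show><user><group-mapping><state><all/></state></group-mapping></user></show>"
)


def cmd_show_group_members(group_dn: str) -> str:
    """Render 'show user group name "<group-dn>"' as an XML op command."""
    return f"<show><user><group><name>{escape(group_dn)}</name></group></user></show>"


def op_url(host: str, cmd_xml: str, api_key: str) -> str:
    """Build the XML API URL for an operational (type=op) command."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return f"https://{host}/api/?{query}"


def run_op(host: str, cmd_xml: str, api_key: str, verify_tls: bool = True) -> str:
    """Execute an op command and return the raw XML response (needs network)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab firewalls with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(op_url(host, cmd_xml, api_key), context=ctx, timeout=15) as r:
        return r.read().decode("utf-8", "replace")


def result_text(api_response: str) -> str:
    """Return the text inside <result>; raise if the API reports an error."""
    root = ET.fromstring(api_response)
    if root.get("status") != "success":
        raise RuntimeError(f"API error: {api_response[:200]}")
    return root.findtext("result") or ""


# Member lines in 'show user group name' output look like "[1     ] domain\user".
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S.*?)\s*$", re.MULTILINE)
# Per-server timer line in 'show user group-mapping state all' output.
NEXT_REFRESH_RE = re.compile(r"Next Action Time:\s*In\s+(\d+)\s+secs")


def parse_group_members(result: str) -> List[str]:
    """Extract the member names listed for the group."""
    return MEMBER_RE.findall(result)


def user_in_group(result: str, user: str) -> bool:
    """Case-insensitive membership check (AD account names are not case-sensitive)."""
    wanted = user.casefold()
    return any(m.casefold() == wanted for m in parse_group_members(result))


def seconds_until_next_refresh(state: str) -> Optional[int]:
    """Smallest 'Next Action Time' across all group-mapping servers, in seconds."""
    times = [int(t) for t in NEXT_REFRESH_RE.findall(state)]
    return min(times) if times else None


def check_user(group_response: str, state_response: str, user: str) -> dict:
    """Combine both checks into one verdict for a troubleshooting session."""
    return {
        "in_group": user_in_group(result_text(group_response), user),
        "next_refresh_secs": seconds_until_next_refresh(result_text(state_response)),
    }


# Constructed sample responses (not captured from a real firewall).
GROUP_SAMPLE = r"""<response status="success"><result>short name:  example\gp-exception
source type: ldap
source:      ldap-gm
[1     ] example\jdoe
[2     ] example\asmith
</result></response>"""

STATE_SAMPLE = r"""<response status="success"><result>Group Mapping(vsys1, type: active-directory): ldap-gm
        Servers   : configured 1 servers
                10.0.0.5(389)
                        Last Action Time: 79 secs ago(took 0 secs)
                        Next Action Time: In 1121 secs
        Number of Groups: 1
        cn=gp-exception,ou=groups,dc=example,dc=net
</result></response>"""

if __name__ == "__main__":
    # Offline run against the constructed samples.
    print(check_user(GROUP_SAMPLE, STATE_SAMPLE, r"EXAMPLE\jdoe"))
    # Live run (placeholders): refresh first, then re-check.
    # fw, key = "fw.example.net", "<api-key>"
    # run_op(fw, CMD_REFRESH_GROUP_MAPPING, key)
    # grp = run_op(fw, cmd_show_group_members("cn=gp-exception,ou=groups,dc=example,dc=net"), key)
    # st = run_op(fw, CMD_GROUP_MAPPING_STATE, key)
    # print(check_user(grp, st, r"example\jdoe"))
```

If `in_group` is False, refreshing the GlobalProtect client will keep returning the old profile no matter how many times it is clicked, because the portal selects the agent profile from the group membership the firewall currently holds, not from AD directly; trigger the group-mapping refresh (or wait out `next_refresh_secs`) and re-check before asking the user to refresh again. TLS verification stays on by default; only disable it for a lab firewall whose certificate you cannot install.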

Hello @aleksandar.astardzhiev ,

Thanks for your response.

I have the LDAP timer configured for 20 minutes. The user is shown in group mapping on the firewall, but when the user clicks Refresh Connection, he doesn't get the updated configuration.

It's not an issue every time: out of 100 iterations that I have tried so far, only 40 succeeded in fetching the new configuration and 60 failed to fetch it, even though the user is part of the group.
