Up to PAN-OS version 3.1.3, the refresh time at which the firewall updates user-to-group membership could be configured only down to a minimum of 10 minutes. This setting governs the communication between the firewall and the User Identification Agent, from which the firewall obtains its user and group information. The parameter that controlled this behavior was defined under the User-ID configuration in the firewall and was called "Link Speed". It accepted only three values, "Fast", "Medium" and "Slow"; "Fast" was the shortest update interval and corresponded to 10 minutes.

Starting with PAN-OS version 3.1.4, user-group membership is updated in the firewall with a minimum interval of 1 minute. I've tried different options, like changing a user from one group to another, deleting the user from one group, or adding a user to several groups. In all cases the firewall gets the update in the expected interval of 1 minute, without any problem.

To configure it properly, you need to set the appropriate timeouts both in the agent and in the firewall. The minimum value is 1 minute on each side.

In the agent the parameter is called "User Membership Timer (min.)". Below is a screenshot with this timeout configured to 1 minute (the minimum allowed value).

In the firewall there is a new field called "Group Timer", which replaces the old "Link Speed" under the UIA configuration. Here you also have to configure 1 minute. Note that this field is in seconds, so you have to enter 60. The legend is wrong: the minimum value is not 1 second but 60 seconds. The next minor release will fix this cosmetic issue.

Hope you find it useful.