User Group Count Exceeds Threshold
73562
Created On 03/06/20 00:40 AM - Last Modified 08/01/24 20:34 PM
Symptom
- System logs show the message: User Group Count of 'xxxx' Exceeds Threshold of 1000
Environment
- PAN-OS 8.x and above
- Palo Alto Firewall
- User-ID Group Mapping
Cause
- Starting with PAN-OS 8.x, the firewall enforces a limit on the number of groups it queries.
- When no group is specified under Included Groups and no group filter is defined in the Group Map Settings, the firewall pulls information for all groups on the directory server.
Resolution
- Use the Group Include List to limit policy rules to specific groups:
  - Under Group Mapping (Device > User Identification > Group Map Settings), select the Group Include List tab.
  - Select the Available Groups you want to appear in policy rules and click the + sign to move them to the Included Groups.
- Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and an Object Class (group definition):
  - Under Group Mapping (Device > User Identification > Group Map Settings), select the Server Profile tab.
  - In the Group Objects section, define the Search Filter and the Object Class.
- If you don't have a suitable group readily available in your LDAP directory, you can use user attributes to create custom groups on the firewall:
  - Ensure that the attributes used to form custom groups are indexed attributes on the directory.
  - If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
- Check the validity of the custom filter criteria, and of the result it returns for custom groups, using the CLI:
test user-id custom-group group-mapping <group-mapping-name> ldap-filter <filter-criteria>
- Commit your changes, then verify that they took effect using one of the following CLI commands:
show user group-mapping statistics
show user group list | match Total
Either command displays the current number of groups. Once this value drops below the threshold, the error message no longer appears in the system log.
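The verification step above is easiest to automate when the log message and the CLI output are parsed rather than eyeballed. The following Python script is an added example, not part of this article or of PAN-OS: it extracts the count and threshold from the system-log message quoted under Symptom, parses the Total line from `show user group list | match Total` to confirm the fix after commit, and checks a planned include list against the 640-entry cap stated under Additional Information. The log-line prefix and the exact wording of the Total line are constructed assumptions; only the message text itself mirrors the article.

```python
import re

# Constructed sample system-log lines modelled on the message quoted in the
# article; the timestamp/prefix layout is an assumption, not a PAN-OS format.
SAMPLE_SYSLOG = """\
2024-08-01 10:15:02 system general User Group Count of '1240' Exceeds Threshold of 1000
2024-08-01 10:20:11 system general User-ID group mapping refresh complete
2024-08-01 10:45:07 system general User Group Count of '1015' Exceeds Threshold of 1000
"""

# Constructed output for 'show user group list | match Total' after the fix;
# the exact wording of the Total line is an assumption.
SAMPLE_CLI_AFTER_FIX = "Total: 412 groups\n"

THRESHOLD_RE = re.compile(
    r"User Group Count of '(?P<count>\d+)' Exceeds Threshold of (?P<threshold>\d+)"
)
TOTAL_RE = re.compile(r"\bTotal:?\s*(\d+)")


def find_threshold_events(log_text):
    """Return a list of (count, threshold) tuples, one per matching log line."""
    events = []
    for line in log_text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            events.append((int(m.group("count")), int(m.group("threshold"))))
    return events


def group_total(cli_output):
    """Parse the group total from 'show user group list | match Total' output.
    Returns None when no Total line is present."""
    m = TOTAL_RE.search(cli_output)
    return int(m.group(1)) if m else None


def fix_verified(cli_output, threshold=1000):
    """True when the post-commit group total is known and does not exceed the
    threshold from the log message (1000 in the article)."""
    total = group_total(cli_output)
    return total is not None and total <= threshold


def include_list_within_limit(include_groups, custom_groups, limit=640):
    """Check the article's stated cap: when an include-group-list is configured,
    include groups plus custom groups together must not exceed 640."""
    return len(include_groups) + len(custom_groups) <= limit


if __name__ == "__main__":
    for count, threshold in find_threshold_events(SAMPLE_SYSLOG):
        print(f"group count {count} exceeds threshold {threshold}")
    print("fix verified:", fix_verified(SAMPLE_CLI_AFTER_FIX))
    # 600 planned include groups plus 40 custom groups stays within the cap.
    print("include list ok:", include_list_within_limit(range(600), range(40)))
```

In practice the log text would come from the firewall's syslog feed and the CLI output from an operator session or an API call; the functions are kept free of any I/O so they can be dropped into whichever monitoring path is already in place.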
Additional Information
- If a custom user group name conflicts with an existing AD group, the custom group takes precedence.
- If an include-group-list is configured, it allows a total of 640 include groups and custom groups combined.
- Refer to User-ID Best Practices for Group and Map Users to Group.
- Also check HOW TO USE GROUP FILTERS WHEN CONFIGURING LDAP and LDAP CUSTOM GROUP.
- Check the output of the CLI command
debug user-id dump idmgr type user-group all
and look for any discrepancies. If any are found, execute the following commands during a maintenance window:
debug user-id reset user-id-manager type user-group
configure
commit force
Caution: The command 'debug user-id reset user-id-manager type user-group' is highly disruptive. Its impact is described below:
- User information or user group information is deleted or re-registered.
- There may be policy-related impacts, resulting in a network service disruption.