Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
User Group Count Exceeds Threshold - Knowledge Base - Palo Alto Networks

User Group Count Exceeds Threshold

73562
Created On 03/06/20 00:40 AM - Last Modified 08/01/24 20:34 PM


Symptom


  • System logs showing User Group Count of 'xxxx' Exceeds Threshold of 1000 


Environment


  • PAN-OS 8.x and above
  • Palo Alto Firewall
  • User-ID Group Mapping


Cause


 

  • Firewall enforces a limit on the number of groups it queries starting from PAN OS 8.x
  • Firewall pulls information from all groups of the directory server when there is no group specified under the Included Groups nor there is a group filter for the Group Map Settings

 



    Resolution


    1. Use the Group Include List to limit policy rules to specific groups:
      1. Under Group Mapping, select Group Include List tab by going to: Device > User Identification > Group Map Settings.
      2. Select the Available Groups you want to appear in policy rules and add them to the Included Groups the click on the + sign to move them to the Included Groups.
    2. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition).
      1. Under Group Mapping, select Server Profile tab by going to: Device > User Identification > Group Map Settings.
      2. In the Group Objects section, define the Search Filter and the Object Class.
    3. If you don't have a group readily available in your LDAP Directory, you can use user attributes to create custom groups on the firewall. 
      1. Ensure that attributes used to form custom groups are indexed attributes on the directory.
      2. If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
      3. Check the validity of the customized filter criteria as well as validity of returned result for custom groups using CLI:
        test user-id custom-group group-mapping <group-mapping-name> ldap-filter <filter-criteria>
    4. Make sure to commit your changes and verify that they took effect using one of below CLI commands:
      show user group-mapping statistics
      show user group list | match Total
      which would display the current number of groups. When this value is low, the error message in system log is no longer seen.
       


    Additional Information


    look for any discrepancies. If any discrepancies are found, during a maintenance window execute the command:

    debug user-id reset user-id-manager type user-group
    configure
    commit force

    Caution: The command 'debug user-id reset user-id-manager type user-group' is highly disruptive. Its impact is described below:

    - User information or user group information is deleted or re-registered.
    - There may be policy-related impacts, resulting in a network service disruption.


    Actions
    • Print
    • Copy Link

      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POxU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

    Choose Language