User Group Count Exceeds Threshold
Created On 03/06/20 00:40 AM - Last Modified 08/15/22 23:42 PM
- System logs showing User Group Count of 'xxxx' Exceeds Threshold of 1000
- PAN-OS 8.x and above
- Palo Alto Firewall
- User-ID Group Mapping
- Starting with PAN-OS 8.x, the firewall enforces a limit on the number of groups it queries.
- When no group is specified under Included Groups and no group filter is configured in the Group Map Settings, the firewall pulls every group from the directory server.
- Use the Group Include List to limit policy rules to specific groups:
- Under Group Mapping, select the Group Include List tab by going to: Device > User Identification > Group Map Settings.
- Select the Available Groups you want to appear in policy rules, then click the + sign to move them to the Included Groups.
- Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition).
- Under Group Mapping, select Server Profile tab by going to: Device > User Identification > Group Map Settings.
- In the Group Objects section, define the Search Filter and the Object Class.
- If you don't have a group readily available in your LDAP Directory, you can use user attributes to create custom groups on the firewall.
- Ensure that attributes used to form custom groups are indexed attributes on the directory.
- If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
- Check the validity of the customized filter criteria as well as validity of returned result for custom groups using CLI:
test user-id custom-group group-mapping <group-mapping-name> ldap-filter <filter-criteria>
- Commit your changes and verify that they took effect using one of the following CLI commands:
  show user group-mapping statistics
  show user group list | match Total
  Either command displays the current number of groups. Once this value is low, the error message is no longer seen in the system log.
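The Search Filter step and the custom-group steps above both come down to an LDAP filter that decides which directory objects User-ID counts. The following is an added example, not code from Palo Alto Networks or from this article: a small Python evaluator for the subset of LDAP filter syntax (RFC 4515 AND/OR/NOT and equality with `*` wildcards) that group-mapping filters typically use, run over a constructed directory of 1200 distribution lists, 5 firewall security groups and 3 users. It shows how the Object Class plus a Search Filter takes the group count from above the 1000-group threshold down to a handful, and how a custom-group filter over a user attribute can be previewed offline, the kind of result the `test user-id custom-group` command returns from the firewall itself. The entry data, attribute values, group names and filter strings are all assumptions made for the demonstration.

```python
"""Added example, not from the Palo Alto Networks article.

Evaluates a subset of LDAP search-filter syntax (RFC 4515) over a
constructed directory to show how Object Class + Search Filter limit the
number of groups User-ID would pull, and to preview custom-group filters.
All directory entries, names and filters here are assumptions.
"""
import re

GROUP_THRESHOLD = 1000  # limit quoted in the "Exceeds Threshold of 1000" log message


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|', [subs]), ('!', [sub]) or ('=', (attr, pattern))."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            result = (op, subs)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unbalanced parentheses")
            attr, sep, pattern = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed comparison: {text[pos:end]!r}")
            result = ("=", (attr.strip().lower(), pattern))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry ({attr_lowercase: [values]}), case-insensitively like AD."""
    op, arg = tree
    if op == "&":
        return all(matches(sub, entry) for sub in arg)
    if op == "|":
        return any(matches(sub, entry) for sub in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, pattern = arg
    # Only '*' is a wildcard in LDAP filters; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, str(v), re.IGNORECASE) for v in entry.get(attr, []))


def count_groups(directory, object_class="group", search_filter=None):
    """Mimic the Group Objects settings: Object Class always applies, Search Filter is ANDed in when set."""
    combined = f"(objectClass={object_class})"
    if search_filter:
        combined = f"(&{combined}{search_filter})"
    tree = parse_filter(combined)
    return sum(1 for entry in directory if matches(tree, entry))


def check(directory, search_filter=None):
    """Return (group count, True if the count is at or under the threshold)."""
    count = count_groups(directory, "group", search_filter)
    return count, count <= GROUP_THRESHOLD


def custom_group_members(directory, ldap_filter, object_class="user"):
    """Preview which users a custom-group filter selects, sorted by CN (an offline stand-in for the CLI test)."""
    tree = parse_filter(f"(&(objectClass={object_class}){ldap_filter})")
    return sorted(e["cn"][0] for e in directory if matches(tree, e))


def build_sample_directory():
    """Constructed directory: 1200 distribution lists, 5 firewall security groups, 3 users."""
    entries = [{"objectclass": ["top", "group"], "cn": [f"DL-{i:04d}"]} for i in range(1200)]
    entries += [{"objectclass": ["top", "group"], "cn": [f"FW-{n}"]}
                for n in ("Admins", "VPN", "DevOps", "Finance", "Guests")]
    entries += [{"objectclass": ["top", "person", "user"], "cn": [f"user{i}"], "department": [dept]}
                for i, dept in enumerate(("Finance", "Finance", "IT"))]
    return entries


if __name__ == "__main__":
    d = build_sample_directory()
    for f in (None, "(cn=FW-*)", "(&(cn=FW-*)(!(cn=FW-Guests)))"):
        print(f"Search Filter {f!s:36} -> (count, within threshold) = {check(d, f)}")
    print("custom group (department=Finance) ->", custom_group_members(d, "(department=Finance)"))
```

With no Search Filter the constructed directory yields 1205 groups, above the threshold; `(cn=FW-*)` brings it to 5, and the NOT clause drops one more. A filter that fails to parse (for example a missing closing parenthesis) raises `ValueError`, which is the offline counterpart of validating the filter before committing it to the firewall.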
- If a custom user group name conflicts with an existing AD group, the custom group takes precedence.
- If an include-group-list is configured, it allows a combined total of 640 included groups and custom groups.
- Refer to User-ID Best Practices for Group and Map Users to Group.
- Also check HOW TO USE GROUP FILTERS WHEN CONFIGURING LDAP and LDAP CUSTOM GROUP.