User Group Count Exceeds Threshold

57234
Created On 03/06/20 00:40 AM - Last Modified 03/06/24 17:23 PM


Symptom


  • System logs showing User Group Count of 'xxxx' Exceeds Threshold of 1000 


Environment


  • PAN-OS 8.x and above
  • Palo Alto Firewall
  • User-ID Group Mapping


Cause


  • Starting with PAN-OS 8.x, the firewall enforces a limit on the number of groups it queries.
  • The firewall pulls every group from the directory server when no group is specified under Included Groups and no group filter is configured in the Group Map Settings.


Resolution


  1. Use the Group Include List to limit policy rules to specific groups:
     1. Go to Device > User Identification > Group Map Settings, open the group mapping, and select the Group Include List tab.
     2. Select the Available Groups you want to appear in policy rules, then click the + sign to move them to the Included Groups.
  2. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and an Object Class (group definition):
     1. Go to Device > User Identification > Group Map Settings, open the group mapping, and select the Server Profile tab.
     2. In the Group Objects section, define the Search Filter and the Object Class.
  3. If a suitable group is not readily available in your LDAP directory, you can use user attributes to create custom groups on the firewall:
     1. Ensure that the attributes used to form custom groups are indexed attributes on the directory.
     2. If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
     3. Check the validity of the customized filter criteria, and of the result returned for custom groups, using the CLI:
        test user-id custom-group group-mapping <group-mapping-name> ldap-filter <filter-criteria>
  4. Commit your changes and verify that they took effect using one of the CLI commands below, which display the current number of groups. Once this value is below the threshold, the error message is no longer seen in the system log:
     show user group-mapping statistics
     show user group list | match Total
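As an added example (not from this article or from Palo Alto Networks), the following Python script estimates how many groups User-ID would track under a given Group Include List or Search Filter plus Object Class, so a filter can be checked against the 1000-group threshold before it is committed. The directory entries are constructed sample data, and the filter evaluator covers only the &, |, ! and attr=value (with * wildcard) forms of an LDAP filter.

```python
import re

GROUP_THRESHOLD = 1000  # limit reported in the system log message

# Constructed sample directory (not real data): 1150 distribution lists plus
# 50 firewall role groups, all of objectClass "group".
SAMPLE_GROUPS = [{"cn": f"dl-{i:04d}", "objectclass": ["top", "group"]} for i in range(1150)]
SAMPLE_GROUPS += [{"cn": f"fw-role-{i:02d}", "objectclass": ["top", "group"]} for i in range(50)]

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter subset: (&...), (|...), (!...), (attr=value)."""
    i += 1  # skip the opening '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", (attr.strip().lower(), val.strip())), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    op, arg = node
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, val = arg
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    pat = ".*".join(re.escape(p) for p in val.split("*"))  # '*' is a wildcard
    return any(re.fullmatch(pat, v, re.IGNORECASE) for v in values)

def tracked_groups(entries, object_class="group", search_filter=None, include_list=None):
    # An Include List wins; otherwise the Search Filter is ANDed with the Object Class.
    if include_list:
        return [e for e in entries if e["cn"] in include_list]
    node = parse_filter(f"(objectclass={object_class})")[0]
    if search_filter:
        node = ("&", [node, parse_filter(search_filter)[0]])
    return [e for e in entries if matches(node, e)]

def exceeds_threshold(entries, **settings):
    n = len(tracked_groups(entries, **settings))
    return n, n > GROUP_THRESHOLD
```

With no Include List and no Search Filter the sample directory yields 1200 tracked groups, which is over the limit; a filter such as (cn=fw-role-*) brings the count down to the 50 groups actually needed in policy.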


Additional Information


look for any discrepancies. If any discrepancies are found, execute the following commands during a maintenance window:

debug user-id reset user-id-manager type user-group
configure
commit force

Caution: The command 'debug user-id reset user-id-manager type user-group' is highly disruptive. Its impact is described below:

- User information or user group information is deleted or re-registered.
- There may be policy-related impacts, resulting in a network service disruption.

