How to reduce the number of Users or User Groups used in Policies

Created On 07/08/24 17:05 PM - Last Modified 07/10/24 18:51 PM


Objective


  • Check the maximum number of User Groups used in policies supported by the Firewall.
  • Reduce the number of Users and User Groups used in policies of a locally managed Firewall.
  • Reduce the number of Users and User Groups used in policies of a Panorama managed Firewall.


Environment


  • NGFW
  • Users
  • User Groups


Procedure


  1. Check the maximum capacity of User Groups used in policies for your firewall using the Product Selection web page. Click Show More under your platform name to find the maximum Active and unique groups used in policy under the User-ID section.
  2. For locally managed Firewalls:
    1. Navigate to POLICIES > Security in the UI and delete any unused Users and User Groups from the Source > USER tab of the policies.
    2. Delete any unused policies that are using Users and/or User Groups.
    3. Where applicable, replace a group of individual Users configured in a policy with their User Group.
  3. For Panorama managed Firewalls:
    1. Navigate to Device Groups > POLICIES > Security in the UI and delete any unused Users and User Groups from the Source > USER tab of the policies.
    2. Delete any unused policies that are using Users and/or User Groups.
    3. Where applicable, replace a group of individual Users configured in a policy with their User Group.
  4. Each user configured as a source User in a policy is counted as a User Group. You can confirm the current number of Users and User Groups in security policies with:
    show user group-policy-dp all
    It calculates the number of Users and User Groups in running security policies of the data plane.
  5. If, after following the recommendations listed above, you are still unable to reduce the number of User Groups used in policy below the capacity limit of the firewall, then:
    1. For a hardware firewall, consider upgrading to a higher capacity platform.
    2. For a VM-Flex firewall, if it is running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the firewall memory/RAM to increase the capacity of your VM-Flex firewall.
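
An offline cross-check for steps 2 to 4, as an added example (not Palo Alto Networks code): it counts the unique Users and User Groups referenced as source users in an exported configuration's security rules and lists the rules that name several of them, which are the first place to look for a group replacement. It assumes the XML layout `security/rules/entry/source-user/member`, and that the built-in keywords in `BUILTIN` do not count toward the limit; the function names and the sample are constructed, and the authoritative figure remains the output of `show user group-policy-dp all`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Built-in source-user keywords; assumption: they do not count toward the limit.
BUILTIN = {"any", "known-user", "unknown", "pre-logon"}

# Constructed sample in the layout of an exported rulebase (not a real config).
SAMPLE_XML = r"""
<rulebase><security><rules>
  <entry name="finance-apps"><source-user>
      <member>corp\alice</member>
      <member>corp\bob</member>
      <member>corp\carol</member>
  </source-user></entry>
  <entry name="hr-portal"><source-user>
      <member>cn=hr,ou=groups,dc=corp,dc=example</member>
      <member>corp\alice</member>
  </source-user></entry>
  <entry name="internet-out"><source-user><member>known-user</member></source-user></entry>
</rules></security></rulebase>
"""

def source_user_usage(xml_text):
    """Map each unique source-user entry to the security rules that reference it."""
    usage = defaultdict(list)
    root = ET.fromstring(xml_text)
    # The path matches local rulebases and Panorama pre-/post-rulebases alike.
    for rule in root.findall(".//security/rules/entry"):
        for member in rule.findall("./source-user/member"):
            name = (member.text or "").strip()
            if name and name.lower() not in BUILTIN:
                usage[name].append(rule.get("name"))
    return dict(usage)

def consolidation_candidates(xml_text, min_entries=3):
    """Rules naming min_entries or more users/groups: review for one User Group."""
    per_rule = defaultdict(set)
    for name, rules in source_user_usage(xml_text).items():
        for rule in rules:
            per_rule[rule].add(name)
    return sorted(r for r, names in per_rule.items() if len(names) >= min_entries)

if __name__ == "__main__":
    usage = source_user_usage(SAMPLE_XML)
    print(f"{len(usage)} unique users/groups referenced in security rules")
    print("review for group replacement:", consolidation_candidates(SAMPLE_XML))
```

Entries that appear in only one rule are also worth reviewing when that rule is itself a candidate for deletion under steps 2.2 and 3.2.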


Additional Information


Note: To reduce the number of User Groups queried by the firewall, refer to User Group Count Exceeds Threshold.
 

