How to refresh user-group mapping on the firewall

Created On 08/22/24 19:47 PM - Last Modified 03/11/25 22:35 PM


Objective


  • Manual refresh can be used for troubleshooting purposes.
  • The following procedure will pick up changes immediately instead of waiting for the next scheduled automatic refresh.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • LDAP Server
  • User-to-Group mapping


Procedure


1. Check the current state of the group mapping and the connection to the LDAP servers. By default, the firewall queries the LDAP server every hour to refresh the group mappings. Use the commands "show user group-mapping statistics" and "show user group-mapping state all" to confirm the details (last refresh time, LDAP server connectivity and any errors).


2. Use the command "debug user-id refresh group-mapping all" to refresh every group mapping, or "debug user-id refresh group-mapping group-mapping-name <name>" (substituting the name of the group-mapping configuration) to refresh a single one.


3. The manual refresh does not change the schedule: the next automatic refresh still takes place after the default interval of 3600 seconds.

 



Additional Information


  • Run the command "show user group list" to confirm the groups downloaded from the LDAP servers.


  • Run the command "show user group name <group-name>", entering the group name exactly as it is listed by "show user group list", to view the user mappings for a single group.
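The same sequence (state check, refresh, group list) can be driven from a script over the PAN-OS XML API instead of the CLI, which is handy when you want to confirm the refresh succeeded from a monitoring host. This is an added example, not Palo Alto Networks' code: it assumes the XML API "op" endpoint (type=op&cmd=<xml>), in which each CLI keyword becomes a nested element and a trailing argument becomes element text; the encoding of the "debug" command and the sample replies are assumptions constructed for illustration, and the host name and API key are placeholders.

```python
"""Trigger a user-group mapping refresh over the PAN-OS XML API and check the reply.

Added example, not Palo Alto Networks' own code. It assumes the XML API 'op'
endpoint (type=op&cmd=<xml>): each CLI keyword becomes a nested element and a
trailing argument becomes element text. The 'debug' encoding and the sample
replies below are assumptions / constructed for illustration.
"""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode


def cli_to_op_xml(command: str, value: Optional[str] = None) -> str:
    """Encode a CLI command as an op XML body.
    'show user group list'           -> <show><user><group><list/></group></user></show>
    'show user group name', 'cn=...' -> <show><user><group><name>cn=...</name></group></user></show>
    """
    tokens = command.split()
    root = ET.Element(tokens[0])
    node = root
    for tok in tokens[1:]:
        node = ET.SubElement(node, tok)
    if value is not None:
        node.text = value  # ElementTree escapes any XML-special characters in the value
    return ET.tostring(root, encoding="unicode").replace(" />", "/>")


def op_succeeded(response_xml: str) -> bool:
    """Every PAN-OS API reply is wrapped in <response status="success"|"error">."""
    return ET.fromstring(response_xml).get("status") == "success"


def run_op(host: str, api_key: str, command: str, value: Optional[str] = None) -> str:
    """Send one op command; the key travels in the X-PAN-KEY header, not in the URL (keeps it out of logs)."""
    url = f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cli_to_op_xml(command, value)})
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:  # supply an SSL context if the mgmt cert is self-signed
        return resp.read().decode()


# Constructed sample replies (not captured from a real firewall).
SAMPLE_OK = '<response status="success"><result>ok</result></response>'
SAMPLE_ERR = '<response status="error"><msg>Invalid group-mapping name</msg></response>'

if __name__ == "__main__":
    FW, KEY = "firewall.example.invalid", "<API-KEY-PLACEHOLDER>"  # placeholders
    # Same order as the procedure above: state before, refresh, downloaded groups after.
    for cmd in ("show user group-mapping state all",
                "debug user-id refresh group-mapping all",
                "show user group list"):
        reply = run_op(FW, KEY, cmd)
        print(cmd, "->", "success" if op_succeeded(reply) else "ERROR", reply[:200])
```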