Group Mapping After Refresh Not Changed
95447
Created On 04/18/19 14:19 PM - Last Modified 04/24/19 16:50 PM
Symptom
A user may add a new group mapping or existing group mapping information in a firewall, which is working fine, but later it shows group mapping on the web interface of the firewall that includes a list not via CLI commands, "show user group name < group name >."
From the firewall web interface, it may show the group mapping includes a list, but from CLI commands, if you try to verify "show user group name < group name >," it will show as if the group name does not exist on the target vsys-1.
Environment
All firewalls
Cause
– User may not refer or call that group name anywhere in the firewall (Auth profile, Security polices, Global protect)
– Admin not able to check that the user belongs to that particular group name via CLI "show user group-mapping <group name>"
– Firewall still holds previous group mapping because of cache
Resolution
We have two possible scenarios:
Scenario 1:
– If the firewall is getting User-IP mapping via User-ID agent, that means you need to verify the below setting:
Device > User-ID > User-ID agent > open agent setting > uncheck the "Use as LDAP Proxy"
Scenario 2:
– If the firewall is getting mappings via agentless and you are using group mapping for LDAP server profile, execute a CLI commands to verify. To show user group mapping state <all/group-mapping-name <group mapping profile> >
– Show user group mapping statistics <all/group-mapping-name <group mapping profile> >
– To verify the group mapping fetching time interval:
To confirm the connectivity with LDAP, refresh the group mapping.
>debug user-id refresh group-mapping <all/group-mapping-name <group mapping profile> >
After refresh the expected group will be fetched.
Additional Information
After you refresh group mapping, you will get below output:
LDAP Credential Invalid Error occurs after the refresh happens: need to verify:
LDAP credentials are not valid, so the group refresh is not successful. But the firewall will hold its previous group mapping information because of the cache.