Group Mapping After Refresh Not Changed

Created On 04/18/19 14:19 PM - Last Modified 04/24/19 16:50 PM


An administrator adds a new group mapping, or changes an existing one, on the firewall and it appears to work. Later, however, the group mapping is shown with its list of groups only on the web interface of the firewall and not through the CLI command "show user group name <group name>."

From the firewall web interface, the group mapping appears to include the list of groups, but when you verify it from the CLI with "show user group name <group name>," the output shows the group name as if it did not exist on the target vsys-1.


All firewalls

– The group name cannot be referenced anywhere on the firewall (authentication profile, security policies, GlobalProtect).
– The administrator cannot check that a user belongs to that group via the CLI command "show user group-mapping <group name>."
– The firewall still holds the previous group mapping because of its cache.

We have two possible scenarios:

Scenario 1:
– If the firewall receives user-to-IP mappings through a User-ID agent, verify the following setting:
Device > User-ID > User-ID Agents > open the agent settings > uncheck "Use as LDAP Proxy"

Scenario 2: 

– If the firewall collects mappings agentlessly and the group mapping uses an LDAP server profile, verify it with the following CLI commands. To show the group mapping state:
> show user group-mapping state <all | group-mapping-name <group mapping profile>>

– To show the group mapping statistics:
> show user group-mapping statistics <all | group-mapping-name <group mapping profile>>
– Check the group mapping fetch interval in that output.

To confirm connectivity with the LDAP server, refresh the group mapping:
> debug user-id refresh group-mapping <all | group-mapping-name <group mapping profile>>

After the refresh, the expected group is fetched.


Additional Information
After you refresh the group mapping, the command output reports the result of the refresh.

If an "LDAP credential invalid" error appears after the refresh, verify the credentials configured in the LDAP server profile.

Because the LDAP credentials are not valid, the group refresh does not succeed, but the firewall keeps its previous group mapping information because of the cache.
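The refresh and state checks above are run by hand from the CLI. The following is an added example, not code from the original article or from Palo Alto Networks, that performs the same check through the PAN-OS XML API so the stale-cache condition (refresh failed, cached groups still served) can be flagged automatically. It assumes the XML API is enabled and an API key is available; the XML forms of the two CLI commands are assumptions (confirm the exact XML on your own firewall with `debug cli on` before running the CLI command), and the sample command output is constructed for this example and only approximates the real layout.

```python
"""Flag PAN-OS group-mapping profiles that are serving cached (stale) groups.

Added example, not from the original article. Assumes the firewall XML API
is enabled and an API key is available. The op-command XML strings below are
assumed translations of the article's CLI commands; the parsed text layout
and the sample response are constructed, not real firewall output.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed XML forms of the article's CLI commands.
CMD_REFRESH = ("<debug><user-id><refresh><group-mapping><all/>"
               "</group-mapping></refresh></user-id></debug>")
CMD_STATE = ("<show><user><group-mapping><state>all</state>"
             "</group-mapping></user></show>")


def op_url(host, cmd, api_key):
    """Build the XML API URL for one operational (type=op) command."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return f"https://{host}/api/?{query}"


def fetch(url, timeout=15):
    """GET the URL and return the firewall's XML response body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_group_mapping_state(api_xml):
    """Parse the API response for 'show user group-mapping state all'.

    Returns {profile_name: {"groups": int, "error": str | None}}.
    The layout parsed here (a 'Group Mapping(...): <name>' header, a
    'Number of Groups:' line and an optional 'Last Error:' line) is a
    constructed approximation of the CLI output.
    """
    root = ET.fromstring(api_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: {root.findtext('.//msg') or api_xml}")
    text = root.findtext("result") or ""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Group Mapping\(.*\):\s*(\S+)$", line)
        if header:
            current = header.group(1)
            profiles[current] = {"groups": 0, "error": None}
            continue
        if current is None:
            continue
        count = re.match(r"Number of Groups\s*:\s*(\d+)", line)
        error = re.match(r"Last Error\s*:\s*(.*)", line)
        if count:
            profiles[current]["groups"] = int(count.group(1))
        elif error:
            profiles[current]["error"] = error.group(1).strip()
    return profiles


def stale_profiles(profiles):
    """Profiles whose last refresh failed, or which report no groups, are
    still answering from cache: the condition the article describes when
    the LDAP credentials are invalid. Policies referencing those groups keep
    matching on old membership until the refresh succeeds."""
    return sorted(name for name, p in profiles.items()
                  if p["error"] or p["groups"] == 0)


# Constructed sample response (not real firewall output).
SAMPLE_STATE_XML = """<response status="success"><result>
Group Mapping(vsys1, type: active-directory): gm-corp
        Bind DN     : cn=svc-ldap,ou=service,dc=example,dc=com
        Base        : dc=example,dc=com
        Number of Groups: 12
Group Mapping(vsys1, type: active-directory): gm-legacy
        Bind DN     : cn=svc-old,ou=service,dc=example,dc=com
        Base        : dc=example,dc=com
        Last Error  : LDAP credential invalid
        Number of Groups: 3
</result></response>"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real
    # firewall you would fetch(op_url(host, CMD_REFRESH, key)) and then
    # fetch(op_url(host, CMD_STATE, key)) and parse that response instead.
    state = parse_group_mapping_state(SAMPLE_STATE_XML)
    print("stale profiles:", stale_profiles(state))  # ['gm-legacy']
```

Run the refresh command first, wait for it to complete, then fetch and parse the state; a non-empty `stale_profiles()` result means the groups the firewall is enforcing come from cache rather than from a successful LDAP bind. `fetch()` uses the system trust store, so a firewall with a self-signed management certificate needs that certificate trusted first.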
