Group Mapping After Refresh Not Changed


57145
Created On 04/18/19 14:19 PM - Last Modified 04/24/19 16:50 PM


Symptom

An administrator adds a new group mapping, or updates an existing one, and it works at first. Later, the firewall web interface still shows the group mapping with a member list, but the CLI command "show user group name <group name>" does not return it.

From the firewall web interface the group mapping appears to include a member list, but running "show user group name <group name>" on the CLI returns as if the group does not exist on the target vsys (vsys1 in this case).





Environment
All firewalls

Cause
– The group name is not referenced anywhere in the firewall configuration (authentication profile, security policy, GlobalProtect), so the firewall has no reason to retrieve its membership.
– The administrator cannot confirm from the CLI, with "show user group name <group name>", that a user belongs to that particular group.
– The firewall still holds the previous group mapping because it is served from cache.


Resolution
We have two possible scenarios:

Scenario 1:
– If the firewall receives User-IP mappings from a User-ID agent, verify the following setting:
Device > User Identification > User-ID Agents > open the agent settings > uncheck "Use as LDAP Proxy"

Scenario 2:

– If the firewall collects mappings agentless and the group mapping uses an LDAP server profile, verify the group mapping state from the CLI:
> show user group-mapping state <all | group-mapping-name <group mapping profile>>

– Show the group mapping statistics:
> show user group-mapping statistics <all | group-mapping-name <group mapping profile>>
– Verify the group mapping fetch (update) interval.

To confirm connectivity to the LDAP server, refresh the group mapping:
> debug user-id refresh group-mapping <all | group-mapping-name <group mapping profile>>

After the refresh, the expected group is fetched.
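The Scenario 2 sequence (refresh the group mapping, then confirm the group resolves on the CLI side) can be scripted through the PAN-OS XML API instead of an interactive session, which also makes the "refresh failed, cache still served" case from the Additional Information section visible to a monitoring job. The following is an added example, not code from Palo Alto Networks or from this article. It assumes the XML op forms are hand-translated from the CLI commands above (confirm them with `debug cli on` on your own firewall), that the caller supplies a valid API key, that the firewall's member listing prints one "[n] user" line per member, and that the host and group names are placeholders.

```python
"""Added example (not Palo Alto Networks' code): run the Scenario 2 checks
through the PAN-OS XML API (type=op) so they can be scripted and monitored."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# CLI command -> XML `cmd` parameter for type=op requests.
# Assumed translations; `debug cli on` prints the authoritative form.
OP_STATE_ALL = "<show><user><group-mapping><state>all</state></group-mapping></user></show>"
OP_STATISTICS = "<show><user><group-mapping><statistics/></group-mapping></user></show>"
OP_REFRESH_ALL = ("<debug><user-id><refresh><group-mapping><all/></group-mapping>"
                  "</refresh></user-id></debug>")


def op_group_members(group_name):
    """`show user group name <group name>`; the name is XML-escaped so a group
    such as "R&D" cannot break the request document."""
    return f"<show><user><group><name>{escape(group_name)}</name></group></user></show>"


def api_sender(host, api_key, ssl_context=None):
    """Build a sender that POSTs one op command and returns the raw XML reply.
    Keep certificate verification on: pass an ssl.SSLContext that trusts the
    management-interface CA rather than disabling checks."""
    def send(cmd):
        body = urllib.parse.urlencode({"type": "op", "cmd": cmd}).encode()
        req = urllib.request.Request(f"https://{host}/api/", data=body,
                                     headers={"X-PAN-KEY": api_key})
        with urllib.request.urlopen(req, context=ssl_context, timeout=30) as resp:
            return resp.read().decode()
    return send


def parse_response(xml_text):
    """Return (status, text) from a PAN-OS API reply: the <result> text on
    success, the <msg> text on error."""
    root = ET.fromstring(xml_text)
    status = root.get("status", "unknown")
    node = root.find("result") if status == "success" else root.find("msg")
    parts = [] if node is None else [t.strip() for t in node.itertext() if t.strip()]
    return status, "\n".join(parts)


def refresh_and_verify(send, group_name):
    """The article's sequence: refresh every group mapping, then confirm the
    group resolves on the CLI side. A failed refresh (for example invalid LDAP
    bind credentials) means the firewall keeps serving the cached membership,
    so that case is reported explicitly instead of being masked by old data."""
    status, text = parse_response(send(OP_REFRESH_ALL))
    if status != "success":
        return {"refreshed": False, "reason": text, "members": []}
    status, listing = parse_response(send(op_group_members(group_name)))
    # Assumed output format: member lines look like "[1     ] domain\user";
    # a group unknown to the firewall lists no such lines.
    members = [ln.split("]", 1)[1].strip() for ln in listing.splitlines()
               if ln.startswith("[") and "]" in ln]
    return {"refreshed": True, "reason": "", "members": members}


if __name__ == "__main__":
    import sys
    fw_host, fw_key, fw_group = sys.argv[1:4]  # placeholders supplied by the operator
    print(refresh_and_verify(api_sender(fw_host, fw_key), fw_group))
```

An empty `members` list after a successful refresh points back to the first cause above: the group is not referenced anywhere in the configuration, so the firewall never retrieves it. `refreshed: False` with a credential error in `reason` is the cached-mapping situation described under Additional Information.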




Additional Information
After you refresh the group mapping, the CLI prints a confirmation of the refresh.

If an "LDAP Credential Invalid" error appears after the refresh, verify the bind credentials in the LDAP server profile.

When the LDAP credentials are not valid, the group refresh fails, but the firewall keeps serving its previous group mapping information from cache. The group list shown in that state is the cached one, not the current contents of the directory, until a refresh succeeds.


    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLey&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail