Group Mapping After Refresh Not Changed - Knowledge Base - Palo Alto Networks

Group Mapping After Refresh Not Changed

102110
Created On 04/18/19 14:19 PM - Last Modified 01/14/25 08:30 AM


Symptom


A user may add a new group mapping or modify an existing group mapping on the firewall, and it works fine, but later the firewall web interface shows the group mapping with its member list while the CLI command "show user group name <group name>" does not.

From the firewall web interface the group mapping may appear to include a member list, but when you verify it from the CLI with "show user group name <group name>", the output shows the group name as if it does not exist on the target vsys-1.



Environment


  • NGFW
  • Supported PAN-OS
  • LDAP Group Mapping


Cause


  • The group name may not be referenced anywhere in the firewall (authentication profile, security policies, GlobalProtect)
  • The admin is not able to confirm via the CLI command "show user group-mapping <group name>" that the user belongs to that particular group
  • The firewall still holds the previous group mapping because of the cache


Resolution


We have two possible scenarios:

Scenario 1:
If the firewall gets its User-IP mapping from a User-ID agent, verify the following setting:
Device > User-ID > User-ID agent > open the agent settings > uncheck "Use as LDAP Proxy"

Scenario 2:

If the firewall gets its mappings agentless and you use group mapping with an LDAP server profile, run the following CLI commands to verify. To show the group mapping state:
> show user group-mapping state <all | group-mapping-name <group mapping profile>>

To show the group mapping statistics and verify the group mapping fetch interval:
> show user group-mapping statistics <all | group-mapping-name <group mapping profile>>

To confirm connectivity with the LDAP server, refresh the group mapping:
> debug user-id refresh group-mapping <all | group-mapping-name <group mapping profile>>

After the refresh, the expected group will be fetched.




Additional Information


After you refresh the group mapping, the firewall displays the output of the refresh.

If an LDAP Credential Invalid error occurs after the refresh, verify the LDAP server profile credentials.

When the LDAP credentials are not valid, the group refresh is not successful, but the firewall keeps its previous group mapping information because of the cache, so the groups it shows may be stale.
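The Scenario 2 checks and the credential-error caveat above can be automated over the PAN-OS XML API (type=op). This is an added example, not from the KB article; the XML forms of the two operational commands, the host, API key and sample responses are assumptions or constructed values, and a refresh that fails must be treated as "group list may be stale", exactly as the article describes.

```python
"""Run the group-mapping state/refresh commands over the PAN-OS XML API
and flag a refresh that failed on LDAP credentials (cache stays stale)."""
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed XML forms of the CLI commands from the article; confirm them on
# your own firewall (e.g. with 'debug cli on') before relying on them.
OP_CMDS = {
    "state": "<show><user><group-mapping><state>all</state>"
             "</group-mapping></user></show>",
    "refresh": "<debug><user-id><refresh><group-mapping>all</group-mapping>"
               "</refresh></user-id></debug>",
}


def build_op_url(host: str, api_key: str, cmd_name: str) -> str:
    """Build the type=op request URL for one of the commands above."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": OP_CMDS[cmd_name], "key": api_key})
    return f"https://{host}/api/?{query}"


def parse_op_response(xml_text: str) -> dict:
    """Classify an XML API response.

    ok=False with stale_cache_risk=True means the refresh did not succeed
    (e.g. LDAP credential invalid) and the firewall is still serving the
    previously cached group mapping, so group membership must not be
    trusted until the credentials are fixed and the refresh repeated."""
    root = ET.fromstring(xml_text)
    status = root.get("status")
    msg_el = root.find(".//msg")
    msg = "".join(msg_el.itertext()).strip() if msg_el is not None else ""
    lowered = msg.lower()
    credential_error = "credential" in lowered and "invalid" in lowered
    return {
        "ok": status == "success" and not credential_error,
        "message": msg,
        "stale_cache_risk": credential_error,
    }


# Constructed sample responses (not captured from a real device).
SAMPLE_OK = ('<response status="success"><result>'
             '<msg>Group mapping refresh issued</msg></result></response>')
SAMPLE_BAD = ('<response status="error"><msg>'
              '<line>LDAP credential invalid</line></msg></response>')
```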


    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLey&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail