USER_ID group policy for Palo Alto Firewall

We have a Palo Alto Firewall running PAN OS 7.1 that will allow us to create policies for an individual user, but not for a user group using LDAP groups. This is strange because we have this ability provisioned and working in one of our networks, but it is not working on this one network. We have worked with the Sys Admin to ensure we have the proper settings for our AD. Throwing this out to the community to see if anyone else has had this issue before. Thanks for your feedback.



Cheers,


Kenny

Is the network in which you have it provisioned and functioning correctly running through that same PAN fw and are the AD users/groups on the same domain?

Hello Ken,

I'm Jerry. I have never run into this, but there are a few things we can check. Has it ever worked, or is this a new deployment? Are both PANs running the same code, 7.1.x?

To test, can you pull an LDAP group from another AD domain? Do you get any error messages when you try to create the group?

You can check the configuration logs under Monitor > Logs > Configuration to see if there are any entries concerning the attempted configuration changes.

thanks,

Hi Kenny,

It does sound strange. Have you experienced that? Maybe our other experts have seen that before...

Thanks.

Disclaimer: I don't have any experience with Palo Alto firewalls.

Does this only happen with nested groups? Can you see anything in the Active Directory security event logs?

/Patrik

Have you confirmed that the User-ID Agent is getting user groups to the firewall?

pa-5060> show user group-mapping state LDAP_Group_Mapping_Name


This one shows the members of the specific group that you are attempting to use:

pa-5060> show user group name X


In the GUI, if your LDAP is mapped correctly you should be able to open User Identification under the Device tab, select Group Mapping Settings, and then select your LDAP group mapping object name. On the Group Include List you can easily confirm whether LDAP is working, as you will be able to navigate the whole OU structure. Check there also whether you are specifying Included Groups or custom groups.


You mentioned that individual user accounts work, so I would assume the service ports needed for User-ID communication are already set up. I'm thinking it's just a matter of ticking some checkbox on the firewall. To verify whether the firewall can map group accounts, you can use this CLI command:


> show user group


If all is configured properly you should see all the AD groups that the firewall can see. If something is wrong, the output will usually be 0 groups.


The group mapping settings on the firewall are located under Device tab > User Identification > Group Mapping Settings.


The simplest way to go is to just copy whatever there is on your working environment. Most of the time when I stumble into this issue, it is just a case of having the 'enabled' checkbox on the group map settings unchecked so please ensure that is enabled.
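As an added example (not part of the thread or of any vendor tooling), the script below reproduces the directory lookups that the firewall's group mapping depends on with ldapsearch, bound as the same service account, so an empty "show user group" can be narrowed to the directory side or the firewall side. The server URI, bind DN, password file, base DN and group name are placeholders; the nested-membership query relies on the AD-specific LDAP_MATCHING_RULE_IN_CHAIN rule.

```shell
#!/bin/sh
# Added example: check what the firewall's bind account can see in AD.
# Every value below is a placeholder to be replaced with your environment.
LDAP_URI="${LDAP_URI:-ldap://dc01.example.test}"
BIND_DN="${BIND_DN:-CN=svc-userid,OU=Service,DC=example,DC=test}"
BIND_PW_FILE="${BIND_PW_FILE:-/root/.svc-userid.pw}"
BASE_DN="${BASE_DN:-DC=example,DC=test}"

# Filter for the group object itself: the PAN-OS default group filter
# (objectClass=group) narrowed to one sAMAccountName.
group_filter() {
    printf '(&(objectClass=group)(sAMAccountName=%s))' "$1"
}

# Filter for every user that is a member of the group directly or through
# nested groups; 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN.
nested_member_filter() {
    printf '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))' "$1"
}

# Escape the characters RFC 4515 reserves inside a filter value.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# 1) resolve the group's DN as the bind account sees it; 2) list its effective
# user members. Requires the OpenLDAP client tools (ldapsearch).
check_group() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found" >&2; return 2; }
    name=$(escape_filter_value "$1")
    gdn=$(ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
          -b "$BASE_DN" "$(group_filter "$name")" dn | sed -n 's/^dn: //p')
    if [ -z "$gdn" ]; then
        # Nothing returned: wrong base DN, a bind account without read rights,
        # or a group name that differs from what the policy references.
        echo "group '$1' not visible to $BIND_DN under $BASE_DN" >&2
        return 1
    fi
    echo "group DN: $gdn"
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" "$(nested_member_filter "$(escape_filter_value "$gdn")")" sAMAccountName \
        | sed -n 's/^sAMAccountName: //p'
}

# Usage: ./check_group.sh FW-Admins
if [ "$#" -ge 1 ]; then check_group "$1"; fi
```

If the group and its members come back here but "show user group" on the firewall still lists nothing, the problem is in the group mapping profile rather than in the directory.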