Palo Alto Networks Knowledgebase: Configuring Group Include List on M-100/Panorama for Managed Devices
Configuring Group Include List on M-100/Panorama for Managed Devices
Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
Cortex Data Lake
When configuring a template on the M-100/Panorama, the UI for Group Include List does not display a list of available groups to select from.
On the Palo Alto Networks firewall, the group mapping list can be pulled directly once the LDAP Profile has been configured:
However, when configuring templates on the Panorama/M-100 for the Group Mapping Include list, the available groups are not displayed.
Instead, the groups for the Group Include List must be manually added using the correct syntax:
Available Groups are not visible as Panorama is not equipped with pulling the User-Group info directly from the LDAP Active Directory.
The User-ID information is pulled up on the Panorama using Master Device in the device group.
Under template the administrator will have to manually configure LDAP settings and push to the device. It will not self populate. Administrator will need base and bind information handy before configuring. When pushing those templates to device and information is correct, then Panorama will be able to pull group information. Group mapping settings templates are different on Panorama and device by design. While pushing it as a template, Administrator will need to have group information ready. Once it is pushed to the device, the group information will appear in same format as device's group mapping setting.