Configuring Group Mappings on Firewalls using Panorama without the master device.

Configuring Group Mappings on Firewalls using Panorama without the master device.

Created On 09/25/18 17:41 PM - Last Modified 11/17/20 20:49 PM


  • PAN-OS 8.1 and above.
  • Any Panorama.
  • Group mapping Settings.



This document describes how to configure and push LDAP and Group Mapping Settings from Panorama to the managed Palo Alto Networks firewalls.



Panorama does not have the ability to list the LDAP groups and cannot select which groups to add to the list, but is possible on the Palo Alto Networks device. Therefore, the following steps will use a combination of Panorama and the device to achieve the desired scenario:

  • Create the LDAP profile configuration on Panorama and push that profile to the device
  • Create a Group Mapping Settings on Panorama, which will filter the needed groups and push that configuration to the device


  1. On Panorama, go to Device > Server Profiles > LDAP Server Profile and create the LDAP Profile. Use the known parameters for the desired LDAP server.
    Screen Shot 2014-04-19 at 8.32.11 PM.png
  2. Commit the configuration to Panorama and push the Template configuration down to one managed device.
    Screen Shot 2014-04-19 at 8.43.56 PM.png
  3. After Commit is completed, check the device to see if the LDAP profile is shown:
    Screen Shot 2014-04-19 at 8.37.26 PM.png
  4. Go to Device > User Identification > Group Mapping Settings and generate a new Group Mapping Profile. During the process, select the LDAP Server Profile that was pushed from Panorama.
    Screen Shot 2014-04-19 at 8.39.37 PM.png
  5. In the Group Include List, add the groups needed that will be used on the firewalls for different reasons, (for example, creating security policies or allowing GlobalProtect access for users). Copy the groups Distinguished Names for the groups needed in a list as listed below:
    Screen Shot 2014-04-19 at 8.51.19 PM.png
    Cancel the creation of the Group Mapping on the device. The list will be pushed again from Panorama.
  6. Paste the group names in the Group Include List under the Group Mapping on Panorama:
    Screen Shot 2014-04-19 at 8.53.28 PM.png
  7. Commit the configuration change on Panorama and push down the template to the devices:
    Screen Shot 2014-04-19 at 9.02.11 PM.png
  8. Verify that the Group Mapping Settings is pushed down to the device:
    Screen Shot 2014-04-19 at 9.02.55 PM.png
  9. Verify that the groups are listed in the Group Mappings Include List:
    Screen Shot 2014-04-19 at 9.03.21 PM.png
  10. Based on the pushed groups from Panorama, create security rules on the firewalls or allow GlobalProtect users from those groups to connect:
  • For example, Security Policy:
    Screen Shot 2014-04-19 at 9.04.30 PM.png-
  • For example, GlobalProtect Portal:
    Screen Shot 2014-04-19 at 9.06.56 PM.png
    From this point on, any new device that uses the same template configuration, will have the LDAP and the Group Mapping Settings already preconfigured.

    The firewall administrators has the option to override the Group Included List in the Group Mapping and add locally significant groups by selecting them from the LDAP profile, (in this case that is the "al\vpn_users").

    Screen Shot 2014-04-19 at 9.39.00 PM.png


Additional Information

To configure the same with the Master device, Refer to the article How to configure panorama to pull group mapping information from a managed firewall with the master device.

Note: Using the master device will pull the group mapping information into Panorama.

  • Print
  • Copy Link

Choose Language