Palo Alto Networks devices can use users and groups when building security policies. Checking a user's LDAP group membership lets administrators grant access based on group membership rather than on source IP address.
Administrators use LDAP groups to grant access based on who the user is, not where the user's traffic comes from. The User-ID agent (software or hardware) collects IP-to-user mappings and forwards them to the Palo Alto Networks firewall, where they are stored in the IP-user-mapping table. Using the configured LDAP profile, group membership is read from the LDAP server, and the groups and their members are stored in the firewall's group-mapping list. A policy rule that references a group can only match users the firewall has placed in that group, so a group that is absent from the group-mapping list makes such a rule match no one, and the traffic falls through to later rules.
To see which groups the Palo Alto Networks firewall has read through its LDAP profile, run the following CLI command:
> show user group list
The members the firewall holds for one of the listed groups can be displayed with "show user group name" followed by that group's distinguished name as it appears in the list.
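As an added example (not part of this article and not Palo Alto Networks code), the same check scripted over the PAN-OS XML API: it fetches "show user group list" and warns about any group a rulebase references that the firewall has not resolved. It assumes the API's type=op call with an API key, and the plain-text reply format of one group DN per line followed by a "Total:" line; the sample reply, the hostname and the policy group names are constructed placeholders.

```python
# Added example: pull the firewall's group-mapping list over the PAN-OS XML
# API and compare it with the groups a policy set expects to resolve.
# Assumed: the XML API type=op call, an API key, and the plain-text output
# format of "show user group list" (one group DN per line, then a "Total:"
# line and a "* : Custom Group" legend). SAMPLE_RESPONSE is constructed.
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def op_cmd_xml(cli: str) -> str:
    """Turn a keyword-only CLI command into the nested XML that type=op
    takes, e.g. 'show user group list' becomes
    '<show><user><group><list/></group></user></show>'."""
    words = cli.split()
    if not words:
        raise ValueError("empty command")
    xml = f"<{words[-1]}/>"
    for word in reversed(words[:-1]):
        xml = f"<{word}>{xml}</{word}>"
    return xml


def run_op(host: str, api_key: str, cli: str, timeout: int = 30) -> str:
    """Send an operational command to the firewall and return the raw XML
    reply. TLS verification stays on: the API key is a bearer credential
    and must not be handed to an unverified endpoint."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": op_cmd_xml(cli), "key": api_key})
    url = f"https://{host}/api/?{query}"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_group_list(response_xml: str) -> list[str]:
    """Extract group DNs from a 'show user group list' reply, lower-cased
    because LDAP DNs compare case-insensitively."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        msg = "".join(root.itertext()).strip()
        raise RuntimeError(f"firewall returned an error: {msg}")
    result = root.find("result")
    text = "".join(result.itertext()) if result is not None else ""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        # skip blank lines, the trailing count and the legend line
        if not line or line.startswith("Total:") or line.startswith("*"):
            continue
        groups.append(line.rstrip(" *").lower())  # '*' marks a custom group
    return groups


def unresolved_policy_groups(firewall_groups, policy_groups):
    """Groups named in policy that the firewall has not resolved. A rule
    built on such a group matches no user, so its traffic falls through
    to later rules (often a broad allow or the final deny)."""
    known = {g.lower() for g in firewall_groups}
    return sorted(g.lower() for g in policy_groups if g.lower() not in known)


# Constructed sample reply shaped like a successful type=op response.
SAMPLE_RESPONSE = """<response status="success"><result>
cn=domain users,cn=users,dc=example,dc=com
cn=vpn-users,ou=groups,dc=example,dc=com
cn=contractors,ou=groups,dc=example,dc=com *
Total: 3
* : Custom Group
</result></response>"""

# Hypothetical groups referenced by a rulebase (e.g. read from the config).
POLICY_GROUPS = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "cn=finance,ou=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    # Live use: raw = run_op("fw.example.com", API_KEY, "show user group list")
    raw = SAMPLE_RESPONSE
    seen = parse_group_list(raw)
    for name in seen:
        print(name)
    for name in unresolved_policy_groups(seen, POLICY_GROUPS):
        print(f"WARNING: policy references unresolved group {name}")
```

Run against a live firewall by replacing the sample reply with the run_op call; an unresolved group usually means the LDAP profile's base DN or bind account does not reach that group, and the rule that names it is not doing what its author expects.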