Security Policy with Group Matching Stops Working after Active Directory Modifications

18774
Created On 09/26/18 13:54 PM - Last Modified 06/08/23 21:35 PM



Symptom

A security policy configured with group matching from Active Directory (AD) on a Palo Alto Networks device stops working after making modifications to the domain.


Details

The security policy on the Palo Alto Networks device uses the Distinguished Name (DN) from AD to match user groups. If the device can no longer find the group referenced in the policy and the policy has not been updated accordingly, the GUI displays a user icon in front of the group name instead of the normal group icon. This indicates that the Palo Alto Networks device is treating the configured value as a user name rather than a group, so the rule no longer matches the group's members. Events in Active Directory that can cause this include deleting the group or moving or renaming it so that its DN path changes.


Resolution

To resolve this issue, remove the group from the security policy and then reselect it from the drop-down list. The drop-down list contains group names with the current, valid DN paths retrieved from AD.
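Because a rule whose group DN no longer resolves fails silently, it is worth auditing all group-based rules before the next AD cleanup rather than waiting for the user icon to appear. The script below is an added example, not Palo Alto Networks code: it reads the group DNs referenced in the source-user field of each security rule from a config export, compares them against the list of group DNs currently in AD, and reports rules that reference a deleted or moved group, suggesting the likely new DN when a group with the same CN still exists. The XML layout (a minimal PAN-OS-style fragment), the AD export command in the comment, and all rule and group names are constructed sample data and assumptions for illustration.

```python
"""Audit security rules whose source-user members are AD group DNs that no
longer exist in Active Directory (deleted or moved groups).

Added example; the config layout and sample data are constructed, not a real export."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal PAN-OS-style config fragment. The
# devices/entry/vsys/entry/rulebase/security/rules/entry layout is assumed.
SAMPLE_CONFIG_XML = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-sales-web">
        <source-user><member>cn=sales,ou=groups,dc=example,dc=com</member></source-user>
        <action>allow</action>
      </entry>
      <entry name="allow-finance-erp">
        <source-user><member>cn=finance,ou=groups,dc=example,dc=com</member></source-user>
        <action>allow</action>
      </entry>
      <entry name="deny-contractors">
        <source-user><member>cn=contractors,ou=legacy,dc=example,dc=com</member>
                     <member>alice@example.com</member></source-user>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Constructed sample: current group DNs as they might be exported from AD with
# `Get-ADGroup -Filter * | Select-Object -ExpandProperty DistinguishedName`.
# In this sample 'finance' has been deleted and 'contractors' moved to a new OU.
SAMPLE_AD_GROUP_DNS = [
    "CN=Sales,OU=Groups,DC=example,DC=com",
    "CN=Contractors,OU=External,DC=example,DC=com",
]

_DN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def normalize_dn(dn):
    """Canonicalize a DN for comparison: AD DNs are case-insensitive and
    exports differ in the spacing around commas."""
    parts = [p.strip() for p in _DN_SPLIT.split(dn)]
    return ",".join(p.lower() for p in parts)


def dn_rdn(dn):
    """Return the first RDN (for example 'cn=sales') of a DN, normalized."""
    return _DN_SPLIT.split(normalize_dn(dn))[0]


def is_group_dn(member):
    """Heuristic: a source-user member that starts with an attribute=value
    pair is a DN (group); anything else is treated as a plain user name."""
    return "=" in member.split(",")[0]


def rule_group_members(config_xml):
    """Map each rule name to the group DNs referenced in its source-user field."""
    root = ET.fromstring(config_xml)
    rules = {}
    for rule in root.iter("entry"):
        src = rule.find("source-user")  # only rule entries have this child
        if src is None:
            continue
        dns = [m.text.strip() for m in src.findall("member")
               if m.text and is_group_dn(m.text.strip())]
        if dns:
            rules[rule.get("name")] = dns
    return rules


def find_stale_groups(config_xml, ad_group_dns):
    """Return {rule: {stale_dn: [current DNs sharing the same CN]}} for every
    rule that references a group DN not present in the AD export."""
    current = {normalize_dn(d): d for d in ad_group_dns}
    by_rdn = {}
    for norm, orig in current.items():
        by_rdn.setdefault(_DN_SPLIT.split(norm)[0], []).append(orig)
    report = {}
    for rule, dns in rule_group_members(config_xml).items():
        for dn in dns:
            if normalize_dn(dn) in current:
                continue  # DN still valid, rule will keep matching
            report.setdefault(rule, {})[dn] = by_rdn.get(dn_rdn(dn), [])
    return report


if __name__ == "__main__":
    for rule, stale in find_stale_groups(SAMPLE_CONFIG_XML, SAMPLE_AD_GROUP_DNS).items():
        for dn, candidates in stale.items():
            hint = f"possibly moved to {candidates}" if candidates else "no group with this CN"
            print(f"rule {rule!r}: stale group {dn} ({hint})")
```

Any rule listed in the report is one where the group should be removed and reselected from the drop-down as described above; a candidate with the same CN in a different OU usually means the group was moved rather than deleted.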


owner: mdjeric



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzXCAS&lang=en_US