How to configure panorama to pull group mapping information from a managed firewall with the master device
List the steps required to configure panorama to pull group mapping from a managed firewall.
- Palo Alto Firewalls.
- Panorama Appliances
- PAN-OS 8.1 and above.
When the firewall is being managed by Panorama, the user and group mapping list can be pulled to panorama for use in policies. Steps to accomplish the same are listed below:
- On Panorama, "Enable reporting and filtering on groups" using GUI: Panorama > Setup > Management > Panorama Settings
Enable the setting of "Store users and groups from the master device if reporting and filtering of groups is enabled in Panorama settings" under Panorama > Device Groups > (device group name). The example below is for device group name VM-300-197. Note that this setting is only seen when you select a Master Device.
- Commit the changes to Panorama. Now group information of the firewall is seen on Panorama.
- Now the groups can be added in the security policy rules under the "user" tab. Example below.
Configuring Group Mappings on Firewalls using Panorama without the master device.