AD groups not replicating from template to firewall

Created On 07/25/23 18:20 PM - Last Modified 10/31/25 18:14 PM


Symptom


  • A list of groups in SAMAccountName format is configured in the group-mapping include list on a Panorama template and pushed to the firewall
    [Screenshot: group-mapping include list]
  • The firewall web UI shows the group-mapping configuration with the include list exactly as configured on Panorama
  • The output of the "show user group list" CLI command on the firewall does not contain all the groups in the include list


Environment


  • Palo Alto Networks Panorama or Firewall appliance running on PAN-OS 9.1 and higher


Cause


  • Some groups were moved to a different folder in Active Directory
  • The firewall could not find the included group, at its configured location, among the groups returned by the AD server


Resolution


  1. Go to Device > user-id > group mapping
  2. Open the group mapping you want to modify and go to "Group Include List"
  3. Search for the group name in the search bar and compare the result with the entry in the included group list
  4. If the groups are in a different location, correct the location on Panorama, then commit and push the configuration to the firewall
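
The comparison in step 3 can be scripted when the include list is long. The following is an added example, not Palo Alto Networks code: it assumes the include-list entries and an export of the group names currently in Active Directory are both available as distinguished names, and all names and sample data in it are constructed.

```python
"""Added example: flag include-list groups whose directory location changed."""

def parse_dn(dn):
    """Split a DN into lowercase RDNs, keeping backslash-escaped commas intact."""
    parts, cur, escaped = [], [], False
    for ch in dn.strip():
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]

def normalize(dn):
    return ",".join(parse_dn(dn))

def find_moved_groups(include_list, directory_dns):
    """Map each stale include-list entry to the DNs that now carry the same CN.
    An empty list means no group with that name exists in the export at all."""
    directory = {normalize(d) for d in directory_dns}
    by_leaf = {}
    for d in directory:
        by_leaf.setdefault(parse_dn(d)[0], []).append(d)
    report = {}
    for entry in include_list:
        wanted = normalize(entry)
        if wanted not in directory:
            report[entry] = sorted(by_leaf.get(parse_dn(wanted)[0], []))
    return report

# Constructed sample data (hypothetical domain and group names).
INCLUDE_LIST = [
    "CN=vpn-users,OU=Groups,DC=example,DC=com",
    "CN=net-admins,OU=Groups,DC=example,DC=com",
    "CN=contractors,OU=Groups,DC=example,DC=com",
]
DIRECTORY_DNS = [
    "cn=vpn-users,ou=groups,dc=example,dc=com",
    "CN=net-admins,OU=IT,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for entry, candidates in find_moved_groups(INCLUDE_LIST, DIRECTORY_DNS).items():
        print(entry, "->", candidates or "not found in directory")
```

An entry that maps to a candidate is one to correct on Panorama as in step 4. An entry with no candidate was renamed or deleted, and any security policy rule that references it stops matching those users until the entry is fixed.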

