Is User IP-mapping required for group-based policies
Question
Is user IP-mapping required for the user group-based policy to work?
Environment
- User-ID
- Group-Mapping
- Group-based Policies
Answer
Yes
The firewall requires a user IP-mapping to exist on the firewall for a group-based policy to work.
With the user IP-mapping available, the firewall can identify the user behind the source IP and the groups that user belongs to, and it then uses that group membership to match policy rules. Without a mapping for the source IP, the traffic is treated as coming from an unknown user and no group-based rule can match it.
If there is a user mapping on the firewall, the output will look like the following, identifying the groups the user belongs to:
admin@tac-PA-VM-1> show user ip-user-mapping ip 192.168.100.50
IP address: 192.168.100.50 (vsys1)
User: taclab\test-user
From: AD
Idle Timeout: 2331s
Max. TTL: 2331s
HIP Query: Disabled
Group(s):        taclab\test-user(25)
                 cn=users,cn=builtin,dc=taclab,dc=com(2147483666)
                 cn=domain users,cn=users,dc=taclab,dc=com(2147483720)
                 cn=pan-engineers,cn=users,dc=taclab,dc=com(2147483756)
To enable user- and group-based policy enforcement, the firewall also requires a list of all available users and their corresponding group memberships (group mapping) so that you can select groups when defining your policy rules. Group mapping tells the firewall who is in which group; IP-user mapping tells it which user is behind a given IP address. Both are needed for a group-based rule to match.
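As an added example (not part of the original article or of PAN-OS), the following Python parses the show user ip-user-mapping output above into a user and group list, then evaluates a group-based allow rule against a source IP with and without a mapping. The rule, the mapping table structure and the unmapped address 192.168.100.51 are assumptions for illustration.

```python
import re

# Constructed sample: the CLI output from the article, with continuation
# lines indented as the firewall prints them.
SAMPLE_OUTPUT = """\
IP address: 192.168.100.50 (vsys1)
User: taclab\\test-user
From: AD
Idle Timeout: 2331s
Max. TTL: 2331s
HIP Query: Disabled
Group(s): taclab\\test-user(25)
          cn=users,cn=builtin,dc=taclab,dc=com(2147483666)
          cn=domain users,cn=users,dc=taclab,dc=com(2147483720)
          cn=pan-engineers,cn=users,dc=taclab,dc=com(2147483756)
"""

def parse_ip_user_mapping(text):
    """Return (ip, user, groups) from 'show user ip-user-mapping ip <ip>' output.
    The trailing '(id)' on each group entry is stripped; the first entry is the
    user's own name, not a group, so it is skipped. Groups are lower-cased
    because DN matching is case-insensitive."""
    ip = user = None
    groups, in_groups = [], False
    for line in text.splitlines():
        m = re.match(r"IP address:\s*(\S+)", line)
        if m:
            ip = m.group(1)
            continue
        m = re.match(r"User:\s*(\S+)", line)
        if m:
            user = m.group(1)
            continue
        if line.startswith("Group(s):"):
            in_groups, line = True, line[len("Group(s):"):]
        elif in_groups and not line.startswith(" "):
            break  # a new, non-indented field ends the group list
        if in_groups:
            entry = re.sub(r"\(\d+\)\s*$", "", line.strip()).lower()
            if entry and entry != (user or "").lower():
                groups.append(entry)
    return ip, user, groups

def evaluate_group_rule(rule_groups, src_ip, mappings, default="deny"):
    """Match an allow rule whose source-user is a group. mappings maps IP ->
    (user, groups). With no IP-user mapping the source is 'unknown', so the
    group rule cannot match and the default action applies."""
    if src_ip not in mappings:
        return default, "unknown"
    user, groups = mappings[src_ip]
    matched = any(g.lower() in groups for g in rule_groups)
    return ("allow" if matched else default), user

# Build the mapping table from the sample output (constructed data).
_ip, _user, _groups = parse_ip_user_mapping(SAMPLE_OUTPUT)
MAPPINGS = {_ip: (_user, _groups)}
RULE_GROUPS = ["cn=pan-engineers,cn=users,dc=taclab,dc=com"]
```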
Additional Information
Refer to the User-ID documentation for more information on user and group mapping.