Created On 09/25/18 19:03 PM - Last Modified 02/07/19 23:50 PM
Beginning with PAN-OS version 7.0, a new feature allows firewall administrators to create a custom LDAP group, which is defined by a search filter based on attributes. This feature eliminates having to involve the AD administrator in creating specific user groups. These custom LDAP groups can then be utilized in the firewall security policy.
Because users are selected by filtering on the relevant attributes, it is no longer necessary to add or change user groups in AD, a process frequently unavailable to firewall administrators.
The configuration is found under Device > User Identification > Group Mapping Settings.
If a custom user group name conflicts with an existing AD group, then the custom group takes precedence!
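Before committing a custom group, it helps to preview who a filter would select and whether the new name collides with an existing AD group, since the custom group would then take precedence in policy. The script below is an added example, not part of the original article or of PAN-OS: `parse`, `matches` and `preview` are hypothetical helpers, the users, filters and group names are constructed sample data, and only a subset of LDAP filter syntax (AND, OR, NOT, equality with `*` wildcards) is handled. The real evaluation is performed by the LDAP server.

```python
import re
# Constructed sample data (not from the article): users, filters, AD group names.
USERS = [{"sAMAccountName": n, "department": d, "title": t} for n, d, t in [
    ("alice", "Finance", "Analyst"), ("bob", "Finance", "Contractor"),
    ("carol", "Engineering", "Analyst II")]]
CUSTOM_GROUPS = {"finance-staff": "(&(department=Finance)(!(title=Contractor)))",
                 "Analysts": "(title=Analyst*)"}
AD_GROUPS = ["analysts", "Domain Users"]

def parse(f, i=0):
    """Parse a filter subset: (&..), (|..), (!..), (attr=value) -> (node, next index)."""
    try:
        if f[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if f[i] in "&|!":
            op, kids, i = f[i], [], i + 1
            while f[i] == "(":
                kid, i = parse(f, i)
                kids.append(kid)
            if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' clause near offset {i}")
            return (op, kids), i + 1
        end = f.index(")", i)  # raises ValueError if the clause is never closed
    except IndexError:
        raise ValueError("filter ends unexpectedly") from None
    attr, eq, value = f[i:end].partition("=")
    if not (attr and eq):
        raise ValueError(f"expected attr=value near offset {i}")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter on one entry; values are case-insensitive, '*' is a wildcard."""
    if node[0] == "=":
        have = next((v for k, v in entry.items() if k.lower() == node[1].lower()), None)
        pattern = ".*".join(re.escape(p) for p in node[2].split("*"))
        return have is not None and re.fullmatch(pattern, have, re.I) is not None
    hits = [matches(kid, entry) for kid in node[1]]
    return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]

def preview(custom_groups, ad_groups, users):
    """Return ({custom group: members}, [custom names that collide with an AD group])."""
    members = {}
    for name, flt in custom_groups.items():
        node, end = parse(flt)
        if end != len(flt):
            raise ValueError(f"trailing text after filter for {name!r}")
        members[name] = [u["sAMAccountName"] for u in users if matches(node, u)]
    ad = {g.lower() for g in ad_groups}  # assumption: names compared case-insensitively
    return members, [n for n in custom_groups if n.lower() in ad]
```

With the sample data, `preview(CUSTOM_GROUPS, AD_GROUPS, USERS)` reports `Analysts` as a colliding name, so any policy referencing that group would apply to the filter's members rather than the AD group's.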
After you define your groups list, you can use the following command to confirm that the new group exists. Note that the asterisk marks Custom Groups.