Nested User Groups in User-ID

Created On 09/25/18 19:38 - Last Modified 11/21/20 03:47


Environment


  • Any PAN-OS.
  • Palo Alto Firewall.
  • User ID configured.


Resolution


Overview

When group mapping uses nested user groups, the Palo Alto Networks firewall resolves a group to all of its direct user members plus the users of every group nested inside it. A security policy that references the top-level group therefore also matches users who belong only to one of the nested groups.

For example, if "top_level_group" contains two nested groups, "nested_group_1" and "nested_group_2", every group-mapping query the firewall makes for top_level_group also returns the users in the nested groups. A security policy configured with "top_level_group" then applies to the members of "nested_group_1" and "nested_group_2" as well. Because of this, a user added to a nested group gains whatever access the policy grants the top-level group without ever appearing as a direct member, so verify the effective membership of a group before using it in policy.

 

Verification

The CLI command "show user group name <group DN>" displays the users the firewall has mapped into the group.
The output below shows that "top_level_group" contains the users of "nested_group_1" and "nested_group_2"; the two nested groups are queried separately afterwards for comparison.

 

> show user group name "cn=top_level_group,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"

short name:  pantac2012\top_level_group
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3
[4] pantac2012\panuser10
[5] pantac2012\panuser11
[6] pantac2012\panuser12
 
> show user group name "cn=nested_group_1,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"

short name:  pantac2012\nested_group_1
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3
 
> show user group name "cn=nested_group_2,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"

short name:  pantac2012\nested_group_2
source type: service
source:      panlab2012

[1] pantac2012\panuser10
[2] pantac2012\panuser11
[3] pantac2012\panuser12
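The following is an added example and not code from the article or from Palo Alto Networks. It models the flattening described in the Overview (walk each nested group and collect every user reached, refusing to loop on a membership cycle and stopping when the nesting depth passes a limit) and parses the `show user group name` output shown above so the firewall's effective membership can be checked against what the directory model predicts. The directory contents, the copy of the CLI output, the domain prefix and the nesting limit are constructed for this example; the limit is an assumption, not a PAN-OS value.

```python
"""Added example, not code from the Palo Alto Networks article.

Models how User-ID group mapping flattens nested groups and checks the
article's 'show user group name' output against that model.  The directory
below, the CLI text, the domain prefix and the nesting limit are constructed
for this example; the limit is not a PAN-OS value.
"""
import re
from typing import Dict, List, Set, Tuple

DOMAIN = "pantac2012"  # NetBIOS domain shown in the article's output

# Constructed directory: group -> direct members (users or other groups).
GROUPS: Dict[str, List[str]] = {
    "top_level_group": ["nested_group_1", "nested_group_2"],
    "nested_group_1": ["panuser1", "panuser2", "panuser3"],
    "nested_group_2": ["panuser10", "panuser11", "panuser12"],
}


class NestingLimitError(Exception):
    """Raised when a group is nested deeper than the assumed limit."""


def expand_group(group: str, groups: Dict[str, List[str]],
                 max_depth: int = 3) -> Set[str]:
    """Return every user reachable from `group` through nested groups.

    A member that is itself a key of `groups` is a group and is expanded;
    anything else is a user and is returned as DOMAIN\\user.  Groups already
    visited are skipped so a membership cycle cannot loop forever, and a
    chain deeper than `max_depth` hops raises NestingLimitError, the kind
    of failure behind the 'nested-group-level exceeds limit' article named
    under Additional Information.
    """
    users: Set[str] = set()
    visited: Set[str] = set()

    def walk(name: str, depth: int) -> None:
        if name in visited:
            return
        if depth > max_depth:
            raise NestingLimitError(f"{name} is nested {depth} levels deep")
        visited.add(name)
        for member in groups.get(name, []):
            if member in groups:
                walk(member, depth + 1)
            else:
                users.add(f"{DOMAIN}\\{member}")

    walk(group, 0)
    return users


# Matches member lines such as "[4] pantac2012\panuser10".
_MEMBER_LINE = re.compile(r"^\[\d+\]\s+(\S+\\\S+)\s*$")


def parse_show_user_group(text: str) -> Tuple[str, Set[str]]:
    """Parse 'show user group name ...' output into (short name, users)."""
    short_name = ""
    users: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("short name:"):
            short_name = line.split(":", 1)[1].strip()
        else:
            m = _MEMBER_LINE.match(line)
            if m:
                users.add(m.group(1))
    return short_name, users


def membership_matches(cli_text: str, groups: Dict[str, List[str]]) -> bool:
    """True when the firewall's flattened membership equals the model's."""
    short_name, seen = parse_show_user_group(cli_text)
    group = short_name.split("\\", 1)[1]  # drop the DOMAIN\ prefix
    return seen == expand_group(group, groups)


# Constructed copy of the article's top_level_group output.
TOP_LEVEL_OUTPUT = """\
short name:  pantac2012\\top_level_group
source type: service
source:      panlab2012

[1] pantac2012\\panuser1
[2] pantac2012\\panuser2
[3] pantac2012\\panuser3
[4] pantac2012\\panuser10
[5] pantac2012\\panuser11
[6] pantac2012\\panuser12
"""

if __name__ == "__main__":
    print(sorted(expand_group("top_level_group", GROUPS)))
    print(membership_matches(TOP_LEVEL_OUTPUT, GROUPS))
```

Run it as-is and `membership_matches` reports `True` for the article's output; paste in output captured from your own firewall and a directory model exported from AD to spot users who reach a policy group only through nesting. Lowering `max_depth` below the real nesting depth reproduces a retrieval failure rather than silently returning a partial group, which is the safer behaviour for a policy lookup.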
Additional Information


If groups are nested more deeply than the firewall can walk, group retrieval fails instead of returning a partial membership. See the related article: Retrieving AD groups fails - nested-group-level exceeds limit



Article URL: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Clao&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail