User-ID Group Mappings Not Working When Located in an OU with Comma or Ampersand
Some group mappings do not work on the Palo Alto Networks firewall. The mappings are in the include list, but they show no members when you run the show user group name <group name> command, or they do not appear in the output of the show user group list command. These groups will not function when used in any security policies.
When you browse to the group while setting up the include list, the group does not show up.
When you filter on the group name, the group name is blank and the OU hierarchy is out of order.
Rename the OU to remove any comma or ampersand characters. These characters are used as separators within the LDAP binding string and will cause problems.
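To find the OUs that need renaming, a list of group distinguished names exported from the directory can be scanned for OU components that contain a comma or ampersand. The following is an added example, not from the original article or from Palo Alto Networks; the function names and sample DNs are constructed, and it assumes DNs in the backslash-escaped form (\, or \2C) that LDAP tools normally emit.

```python
import re

PROBLEM_CHARS = {",", "&"}  # characters the article says break group mapping

def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped pair (\\x) stays in its RDN."""
    return [r.strip() for r in re.findall(r"(?:\\.|[^\\,])+", dn)]

def unescape(value):
    """Decode backslash escapes: \\XX hex pairs (ASCII only here) and \\<char>."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def affected_ous(dn):
    """Return the OU names in dn that contain a comma or ampersand."""
    hits = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        name = unescape(value.strip())
        if attr.strip().upper() == "OU" and PROBLEM_CHARS & set(name):
            hits.append(name)
    return hits

def scan(dns):
    """Map each DN to its problem OUs, omitting DNs that have none."""
    return {dn: ous for dn in dns if (ous := affected_ous(dn))}

# Constructed sample DNs (example.com is a placeholder domain).
SAMPLE_DNS = [
    r"CN=VPN-Users,OU=Sales\, EMEA,OU=Groups,DC=example,DC=com",
    r"CN=Finance,OU=R&D,DC=example,DC=com",
    r"CN=Admins,OU=IT,DC=example,DC=com",
    r"CN=Ops,OU=Plant\2C North,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn, ous in scan(SAMPLE_DNS).items():
        print(f"{dn}\n  OUs to rename: {ous}")
```

Any group the scan reports sits under an OU that matches the condition in this article; after renaming the OU, confirm the group with show user group list.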