Symptom
Groups do not show up on the CLI or in the web UI of the Palo Alto Networks firewall. An LDAP server profile is configured and used for Group Mapping (Device > User Identification > Group Mapping Settings), and connectivity to the LDAP server is verified by expanding the groups under the Group Include List, which lists them correctly.

Cause
If a User-ID Agent is configured to be used as an LDAP Proxy (Device > User Identification > User-ID Agents) while an LDAP server profile is also in use, the firewall may not pull the groups.

Resolution
Uncheck the "Use as LDAP Proxy" option on the User-ID Agent and perform a commit.

When the commit operation completes, run one of the following commands on the CLI to verify that the groups are being pulled:
- > show user group-mapping state all
- > show user group-mapping statistics

Note: User-ID software agent 4.1 and above has no settings for gathering group information within the software agent. To proxy LDAP group information, configure the LDAP Profile and the Group Mapping settings on the firewall and check the "Use as LDAP Proxy" option.

For more information, review the Group Mapping document "How to Configure Group Mapping Settings" and the LDAP Profile document "How to Configure LDAP Server Profile".
owner: shasnain