Groups do not show up on the CLI and the web UI of the Palo Alto Networks firewall. The LDAP server profile is configured and used for Group Mapping (Device > User Identification > Group Mapping Settings). Proper connectivity to the LDAP server is verified by expanding the groups under the Group Include List.
If a User-ID Agent is configured to be used as an LDAP Proxy (Device > User Identification > User-ID-Agents) and an LDAP server profile is also used, then the groups may not be pulled on the Palo Alto Networks firewall.
Uncheck the "Use as LDAP Proxy" option and perform a commit.
When the commit operation completes, run one of the following commands on the CLI to verify that the groups are being pulled:
> show user group-mapping state all
> show user group-mapping statistics
Note: The User-ID software agent 4.1 and above does not have settings to gather group information within the software agent. To proxy LDAP group information, configure the LDAP Profile and the Group Mapping settings on the firewall and check the "Use as LDAP Proxy" option.