topic Unable to Apply Group based Security Policy in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-apply-group-based-security-policy/m-p/598960#M3815 <P>Hello Team,</P> <P>&nbsp;</P> <P>We have successfully integrated LDAP with the Palo Alto firewall, and user-ID mapping via the user-ID agent is functioning as expected. We are able to use LDAP users in the security policy without any issues. However, when attempting to apply LDAP groups to the policy, the policy does not seem to work as intended.</P> <P>&nbsp;</P> <P>We have configured the group mapping correctly, and when we check the user list within the group via CLI, it displays accurately.</P> <P>&nbsp;</P> <P>Could you please assist us with your expertise to resolve this issue.</P> Fri, 27 Sep 2024 11:58:19 GMT Mebinbaby 2024-09-27T11:58:19Z Unable to Apply Group based Security Policy https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-apply-group-based-security-policy/m-p/598960#M3815 <P>Hello Team,</P> <P>&nbsp;</P> <P>We have successfully integrated LDAP with the Palo Alto firewall, and user-ID mapping via the user-ID agent is functioning as expected. We are able to use LDAP users in the security policy without any issues. However, when attempting to apply LDAP groups to the policy, the policy does not seem to work as intended.</P> <P>&nbsp;</P> <P>We have configured the group mapping correctly, and when we check the user list within the group via CLI, it displays accurately.</P> <P>&nbsp;</P> <P>Could you please assist us with your expertise to resolve this issue.</P> Fri, 27 Sep 2024 11:58:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-apply-group-based-security-policy/m-p/598960#M3815 Mebinbaby 2024-09-27T11:58:19Z Re: Unable to Apply Group based Security Policy https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-apply-group-based-security-policy/m-p/598970#M3816 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/747125303">@Mebinbaby</a> ,</P> <P>&nbsp;</P> <P>The most common reason, by far, for group mappings not to work is that the format of the user name in the IP mapping is different from the format of the username in the group mapping.&nbsp; The username must match exactly.&nbsp; You can run the following commands to verify the format is exactly the same:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; show user ip-user-mapping all &gt; show user group list &gt; show user group name "cn=it_operations,cn=users,dc=al,dc=com"</LI-CODE> <P>&nbsp;</P> <P>Obviously, replace the group name above with the one in question.&nbsp; <span class="lia-unicode-emoji" title=":grinning_face:">😀</span>&nbsp; If there are spaces in the group name, it must be in quotes.</P> <P>&nbsp;</P> <P>If the formats are different, please post and we can look at resolving it.&nbsp; Please also post the source of the User/IP mappings.&nbsp; If the source involves an authentication profile, please post the type.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 27 Sep 2024 13:06:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-apply-group-based-security-policy/m-p/598970#M3816 TomYoung 2024-09-27T13:06:10Z