topic PAN-Agent Multi Domain and Group membership in General Topics https://live.paloaltonetworks.com/t5/general-topics/pan-agent-multi-domain-and-group-membership/m-p/13472#M9875 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have a forest domain with 2 child domains. Now I have 2 pan agents installed for both domains and it's working well.</P><P></P><P>Now I have the following problem about wich groups to use.</P><P></P><P>I must use 2 global groups to give users access through the firewall. A global Group from domain A and a Global Group from Domain B. So this means I must administer 2 groups in different domains.</P><P></P><P>Normally in AD when you use a Domain Local group then you can put users from different domains in this group.</P><P>I have done that so I have a Domain Local Group with users from Domain A and B and selected this group in the Policy but no success.</P><P></P><P>Is it possible to use a domain Local group witch the User-ID feature?</P><P></P><P>The wish is to administer 1 group instead of 2 groups from both domains.</P><P></P><P>Many Thanks</P><P></P><P>Osman Bor</P></BODY></HTML> Fri, 12 Mar 2010 12:48:14 GMT u2343 2010-03-12T12:48:14Z PAN-Agent Multi Domain and Group membership https://live.paloaltonetworks.com/t5/general-topics/pan-agent-multi-domain-and-group-membership/m-p/13472#M9875 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have a forest domain with 2 child domains. Now I have 2 pan agents installed for both domains and it's working well.</P><P></P><P>Now I have the following problem about wich groups to use.</P><P></P><P>I must use 2 global groups to give users access through the firewall. A global Group from domain A and a Global Group from Domain B. So this means I must administer 2 groups in different domains.</P><P></P><P>Normally in AD when you use a Domain Local group then you can put users from different domains in this group.</P><P>I have done that so I have a Domain Local Group with users from Domain A and B and selected this group in the Policy but no success.</P><P></P><P>Is it possible to use a domain Local group witch the User-ID feature?</P><P></P><P>The wish is to administer 1 group instead of 2 groups from both domains.</P><P></P><P>Many Thanks</P><P></P><P>Osman Bor</P></BODY></HTML> Fri, 12 Mar 2010 12:48:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-agent-multi-domain-and-group-membership/m-p/13472#M9875 u2343 2010-03-12T12:48:14Z Re: PAN-Agent Multi Domain and Group membership https://live.paloaltonetworks.com/t5/general-topics/pan-agent-multi-domain-and-group-membership/m-p/13473#M9876 <HTML><HEAD></HEAD><BODY><P>Hello Osman,</P><P>we may read the users in the domain local group, but we will not create a user to ip mapping for the names that are not part of the domain that the pan agent is configured for.</P><P></P><P></P><P>So using the domain local group with not work as a work around for this.</P></BODY></HTML> Tue, 16 Mar 2010 18:06:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-agent-multi-domain-and-group-membership/m-p/13473#M9876 swhyte 2010-03-16T18:06:14Z