How to Configure Group Mapping Settings



The Palo Alto Networks firewall can retrieve user-to-group mapping information from an LDAP server, such as Active Directory or eDirectory. The data can be retrieved through LDAP queries sent by the firewall itself (agent-less User-ID, introduced in PAN-OS 5.0) or by a User-ID Agent that is configured to proxy the firewall's LDAP queries. This document describes how to configure Group Mapping on a Palo Alto Networks firewall.



  1. Configure the LDAP server profile (see: How to Configure LDAP Server Profile).
  2. Configure how groups and users are retrieved from the LDAP directory by creating a new group mapping entry: navigate to the Device > User Identification > Group Mapping Settings tab and click 'Add'.
  3. Enter a Name. For Palo Alto Networks firewalls that support multiple virtual systems, a drop-down list (Location) will be available to select from.
  4. Specify the LDAP server profile (configured in step 1) in the drop-down list under the Server Profile tab.
    Note: All Attributes and ObjectClasses will be populated based on the directory server type you selected in the “LDAP Server Profile”.
  5. The default update interval for user group changes is 3600 seconds (1 hour). Enter a value to specify a custom interval.
  6. Go to the Group Include List tab. Leave the include list blank if you want to include ALL groups, or select the groups that should be mapped from the left column.


CLI commands to check the groups retrieved and connection to the LDAP server:

> show user group-mapping state all

> show user group list

> show user group name <group name>


owner: apasupulati



Is there a CLI command to force the group synchronization?

great that works for me, thx


Could be that I have to use "user" instead of "person" in "User Objects > Object Class"




When deploying User-ID Agent, is the group-mapping necessary?

Had this issue that when I select the group in the list instead of showing "DomainName\GroupName" it is showing the whole distinguished name like cn=IT,..... any help?

What happens when a security group is renamed in AD, does the firewall automatically update it to reflect group name changes?

hi @MarekWalczak


No, groups imported through group mapping act like a 'static' object when used in security policies etc. If a group needs to be renamed in AD, you will need to update the mapping on the firewall.

Hi @reaper


Thanks for a quick reply - much appreciated. 

Can you confirm that this means that if the group's name has been changed in AD and has not been remapped on the firewall, 100's of policies that allow or deny based on this group will stop working till we remap the group with the new name?


Also, if we remove a group mapping to then add the same one with the new name, will we lose track of all policies that have been using the previous group mapping name?


If anyone has had to deal with this, I would appreciate it if you shared your ways of handling it.



hi @Mass


If objects are used that no longer reflect the real world (groups that no longer exist on the AD), policies will no longer match

If you have 100's of policies relying on this group name, it's probably easiest if you edit the XML config file directly (find/replace function in an HTML editor will work great)


What do you mean exactly by removing a group and then adding it again with a new name? If you delete a group and add a new group with a different name, this will be a new group the firewall does not know yet.

If you delete and recreate a group on the AD with identical features (say, cn=mygroup,ou=groups,dc=mydomain,dc=com) the firewall will identify that as the original group

Thanks, the first part gave me the answer. If the group's name is changed on AD, the XML edit, find and replace with the new name, will do the trick. I will lab test this.
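
The thread above notes that a rule stops matching once the group it references no longer exists under that name in AD. As an added example (not part of the original article or thread, and not Palo Alto Networks code), the following Python script audits an exported configuration for such stale references before and after a rename. The XML excerpt, the group list and the function names are constructed for illustration, and the script assumes groups appear in rules as full distinguished names under source-user.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified excerpt of an exported configuration (assumed layout).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-it-admin">
    <source-user><member>cn=it,ou=groups,dc=example,dc=com</member></source-user>
    <action>allow</action>
  </entry>
  <entry name="deny-contractors">
    <source-user><member>cn=contractors,ou=groups,dc=example,dc=com</member></source-user>
    <action>deny</action>
  </entry>
  <entry name="allow-dns">
    <source-user><member>any</member></source-user>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# Constructed list of group DNs currently present in the directory ("it" was renamed).
CURRENT_GROUPS = [
    "cn=it-ops,ou=groups,dc=example,dc=com",
    "CN=Contractors, OU=Groups, DC=example, DC=com",
]

def normalize_dn(dn):
    # Case-insensitive compare; naive split, does not handle escaped commas in RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def stale_group_refs(config_xml, known_groups):
    """Return (rule, action, dn) for DN-style source-user members not in known_groups."""
    known = {normalize_dn(g) for g in known_groups}
    findings = []
    for rule in ET.fromstring(config_xml).iter("entry"):
        for member in rule.findall("./source-user/member"):
            value = (member.text or "").strip()
            if "=" not in value:  # skip 'any' and non-DN user entries
                continue
            if normalize_dn(value) not in known:
                findings.append((rule.get("name"), rule.findtext("action", "?"), value))
    return findings

if __name__ == "__main__":
    for name, action, dn in stale_group_refs(SAMPLE_CONFIG, CURRENT_GROUPS):
        print(f"{action:5} rule {name!r} references unknown group {dn}")
```

A stale reference in a deny rule deserves the same attention as one in an allow rule, since the deny silently stops matching and traffic falls through to later rules.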