Active Directory Groups in Panorama Rules



Active Directory (AD) groups can be used in the security rules, but Panorama does not have a User-ID feature. In Panorama 4.1 and later, the groups to be used in the Security Policy are pulled from the master device.



  1. Go to Panorama > Device Groups and select the Master Device.
  2. Click OK to commit and check in Security Policy.
    The following screenshot shows an example of the Active Directory groups pulled from the Master Device and available for selection in the Security Policy rule on Panorama:


owner: bpappas


What is the Master Device in this scenario?  On my actual firewalls, I can see the userid information and the group window shows groups available, but because it's pushed as a template, I would have to override to add groups to the 'included group list'. Do I have to do this on every PA?  Wouldn't it make more sense with templates for Panorama to actually get that list in the template itself so we can do the included groups and push those through the template to the devices?  Then it would also allow those to be used in the policies.

You select which firewall you want to be the "master device" on the group creation screen.

Panorama tab > Device Groups

Edit your group


Hi Steven,

Thank you for that. When I looked at it, I realised our Master device had somehow gotten confused and was listed as a sn/vsys1 instead of the named device. I suspect it occurred when we went through recently and rebuilt everything to use templates under version 6. Ok, so that answers that question and probably explains why I wasn't seeing anything come through.

I guess I still am uncertain about the other part though. It makes sense that if I override the template on the Master and shift some groups to the included groups list, they should then be available for policies in Panorama. I'm guessing that I'll still need to override the template on the other PA's as well to include the same groups though. If that's the answer, that's what I'll do, but we shifted to the templates because we actually liked that we can make the changes on Pan and have them just push down through the devices, even if we change/add/delete an AD server or change an account password for LDAP, etc.



If there are overlaps with local configurations, then you will need to turn on the override for the Panorama push.  I like having all the common settings in the templates; it does make updates easier.

Is there a way to make a backup device?

I want to know a workaround if a master device powers down.

Is there only a manual way to change it?


KC Lee

Currently you can only manually assign the master device status.

Thanks for your answer

Just to add here about adding new LDAP groups to the "group include list" if you are using Templates.


First, you need to override the template setting locally on your "master device" group mapping entry. Search for your new LDAP group and add it to the "Included Groups" and commit.


Now back in Panorama you can select this new group in your Device Group rulebase. 


However, in your template under "User Identification->Group Mapping" you will have to manually paste the new group into the Include List here, so for me this is where this process breaks down.


May as well just paste it in to begin with and save yourself the effort.

Some additional information regarding using User-ID in Panorama (PAN-OS 7.1) for device group security policy rules:

1.  If you want to use a group you need to use the "short name" of the group, not the actual group name.  You can find the short name locally on a firewall using the "show user group list" and then the "show user group name <group name>" commands:


admin@FW1(active)> show user group list | match network


cn=network access,ou=exchange,ou=groups,dc=corp"

admin@FW1(active)> show user group name "cn=network access,ou=exchange,ou=groups,dc=corp"

short name:  corp\network access
source type: ldap
source:      USER-ID_AD-groups

[1     ] corp\jane_able



2.  If you do not have a Master Device specified you can still manually add usernames and group names to a security policy rule.  There is no drop down, but you can manually type in the name, such as "corp\jane_able" or "corp\network access". 


3.  Remember the Master Device is assigned per Device Group, not globally for Panorama, so each policy device group needs a Master Device assigned, or you can only manually add the usernames or groups to rules.
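
Because entries typed by hand into a rule get no drop-down to check them against, the following added example (not part of the original thread and not Palo Alto Networks code) parses captured "show user group name" output and flags typed entries that are distinguished names or that match no short name or member. The second group, the user corp\john_doe and the function names are hypothetical, and entries are compared as exact strings.

```python
import re

# Constructed sample: "show user group name" output with the fields shown in
# the post above; the second group and its members are hypothetical.
SAMPLE_OUTPUT = r'''
admin@FW1(active)> show user group name "cn=network access,ou=exchange,ou=groups,dc=corp"
short name:  corp\network access
source type: ldap
source:      USER-ID_AD-groups
[1     ] corp\jane_able
admin@FW1(active)> show user group name "cn=helpdesk,ou=groups,dc=corp"
short name:  corp\helpdesk
source type: ldap
source:      USER-ID_AD-groups
[1     ] corp\john_doe
[2     ] corp\jane_able
'''

SHORT_RE = re.compile(r'^short name:\s+(.+?)\s*$')
MEMBER_RE = re.compile(r'^\[\s*\d+\s*\]\s+(.+?)\s*$')

def parse_groups(cli_text):
    """Return {short group name: [member names]} from captured CLI output."""
    groups, current = {}, None
    for line in cli_text.splitlines():
        m = SHORT_RE.match(line.strip())
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and (m := MEMBER_RE.match(line.strip())):
            groups[current].append(m.group(1))
    return groups

def check_rule_entries(entries, groups):
    """Classify manually typed source-user entries (assumes exact-string match)."""
    known = set(groups) | {u for members in groups.values() for u in members}
    report = {}
    for entry in entries:
        e = entry.strip()
        if e in known:
            report[entry] = "ok"
        elif e.lower().startswith("cn="):
            report[entry] = "distinguished name, use the short name"
        else:
            report[entry] = "unknown to the firewall"
    return report

if __name__ == "__main__":
    typed = ["corp\\network access", "cn=helpdesk,ou=groups,dc=corp", "corp\\netwrk access"]
    print(check_rule_entries(typed, parse_groups(SAMPLE_OUTPUT)))
```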