Access problems via GlobalProtect with AD group.


L2 Linker

Hello everyone,

I am relatively new to Palo Alto solutions and I face a problem that has been going on for over a week. Could anyone help me?


This is the scenario:
- I have gateways 01 and 02 for the GlobalProtect.
- AD groups called Grupo1 and Grupo2.
- Test user named Fred.


When user Fred is in Group1 he has normal access to the environment through the two gateways.
When that same user is in Group2 he has normal access only through gateway 01. If he uses 02, he does not access anything.

I reviewed the LDAP settings but did not find any unique references to the groups I have.

What can I not be seeing?



L7 Applicator

The group settings can be found in Device\User Identification\Group Mapping\Group include

and try the following...

On both gateways, enter via CLI:

show user group list

and compare to ensure you are checking the same groups.

Then on both gateways enter:

show user group name "enter group name from above here"

Do this for both groups and check that all members are displayed for both gateways.

What do you mean "on both gateways enter via cli ..."? I must have explained it wrong, the GP gateways are related to internet links. I can access the VPN via the IP of one provider or the IP of another provider.


The command "show user group list" showed me that the list is very long, but I can identify the DN using "show user group list | match <group_name>".

However when I use the command "show user group name <group_name>" the result is always the same regardless of the group you are querying: User group 'group_name' does not exist or does not have members


You have not used the "Included Groups" option.

This will force the firewall to collect all information for every group within your AD.

The firewall has limits on how many groups it can access, and although this may not be the issue here, I would still only include the required groups that you actually need to interrogate. This will also help with future diagnostics when using multiple groups.

This will also allow you to use "show user group name" and return valid entries.


snippet from PA



