- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Command user group name not working
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Command user group name not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Command user group name not working
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 06:44 AM
Hi,
We just check that the command: show user group name 'cn=......' has this output:
user group xxxxx does not exist or does not have members. All config is OK.
If we run "show user group list", i can see al the groups, but filtering by one of them shows:
user group xxxxx does not exist or does not have members
show user ip-user-mapping all ---> OK
show user user-ids match-user xxxx ---> OK
Why is not showing users in groups?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 06:53 AM
Is the group in your group-include-list? My first thought would be that you are trying to look at group membership for a group that the firewall isn't actively pulling, thus it doesn't know/care if anyone is in that group. Trying running the same command on something that you are actively included in your group-include-list and you should have all members listed.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 07:02 AM - edited 04-16-2020 07:06 AM
Yes, group is included in the list. We tried to put all in list, just in case, but the result is the same. Its weird...
Its happening with all the groups in "show user group list".
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 07:14 AM
Hmm that's really odd. I might try restarting the management plane just to see if that resolves the issue, otherwise I would open a support case about it.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 09:23 AM
Probably teaching you to suck eggs here but have you copied and paste group name as syntax is essential here..
also.. do you have any special characters in the group name such as ampersand or comma...
do you get the expected output from show user group-mapping state all. Return the expected output.
do you only have permissions to see the groups but not the members.
is your group mapping correct.... ie- object for both group objects and user objects.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-16-2020 11:24 PM
Its happening for all groups using "show user group name xx" comand.
We have vsys and we also tried go in the vsys to tun the command.
The rest of the mapping commands are working fine.
About user permission, customer has more FWs with this bind ldap user and in the rest of fws are working fine this command.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-16-2020 07:55 AM
Did you ever figure this out as we seem to have the same issue and its affecting our VPN groups as its apparently the user isn't in the allowed auth list even though if you look at the user in the cli it will list the group but listing the group members in the cli comes up with a "user group does not exist or does not have members"
- Cannot log into firewall if authentication profile specifies an AD group instead of AD username in General Topics
- Master User-id device receives non-functioning configuration for userID Group Include list from Panorama in Panorama Discussions
- Can't access most of the websites after connecting to globalprotect VPN on Linux in GlobalProtect Discussions
- Global Protect PreLogon during Windows Autopilot with Intune in GlobalProtect Discussions
- Switch from Panorama Mode to Log Collector Mode Removes Logs? in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
