GlobalProtect and AD group restriction

Showing results for 
Search instead for 
Did you mean: 

GlobalProtect and AD group restriction

Not applicable


I'm setting up GlobalProtect, which works just fine.  Now I want to restrict GlobalProtect access to only 1 AD group.  I created a separate GP authentication profile with my ssl_vpn AD group in the allow list, but as soon as I commit that allow list, not a single user can log in to the GlobalProtect anymore.

Is this the correct way to configure this?  I also tried configuring the AD group as source user on the GlobalProtect portal definition, but that didn't help either.

I'm suspecting that there is a problem with the retrieval of the groups and the group membership from the AD server.  We added the AD group to the AD after configuring the AD server definition in the PAN firewall, after which we couldn't see it in the web interface listed in the available AD groups.  However, in CLI the "show user group-mapping state <domain>" showed the group, so it seemed to be retrieved by the PAN.  We configured the GlobalProtect settings via CLI, since the group was not visible in the web interface.

Could this be related?  Any other way to get more information about the available groups on the device?

Edit: PA-2050 cluster, running 4.1.0, group mapping is configured on the firewall.


Accepted Solutions

L1 Bithead

i found another post with the answer. You need to fill the domain under ldap server profile.

View solution in original post


Not applicable

I am having a similar issue.

PA guys, any hints? Is this a bug in 4.1?

Same issue exists here..

L1 Bithead

bump.. trying to figure this out as well. two years later and documentation to complete such simple task is horrible.

Hello Tmasuda,

I believe there was a bug regarding this issue but it has since been fixed.

You can try to restrict access to a specific group by going to Global Protect Portal > Client Configuration > User/User Group, find the desired group to which you want to grant access for that specific configuration profile. The image below illustrates the path:


I have tested successfully in PanOS 5.0.1 and 5.0.3.

Hope it helps.

L1 Bithead

i found another post with the answer. You need to fill the domain under ldap server profile.

Thanks for this but I doubt this is the best practice. Personally I've configured an authentication sequence like PA recommended. First Kerberos, then Radius and then local. So I'd assume I should be able to retrieve a user/group list from Kerberos (and Radius) to specify the allow list there, not in the GP Portal config. Else, if Kerberos fails, wouldn't users authenticate with Radius and get access anyway? Or is it most restrictive, e.g.. if Kerberos fails it won't allow access? Then there's no proper auth sequence.

According to PAN, an authentication sequence is NOT recommended because of the reasons described earlier. It needs to be consistent so just one auth server should be chosen. One thing that confused me is that authentication and authorization appear to be the same in a PAN context: if you can't authenticate yuou are not authorized either. When you are authenticated, you are authorized too. In other words, all is done in the authentication section, there's no separate section for authorization in PANOS5.

is there a way to restrict users even installing GlobalProtect unless they are on a domain joined computer - ie. stopping users from installing it on their home computers ?

You could use AD to install domain certificates on your own assets.  Then use the presence of the valid certificate as a second factor in the Global protect authorization.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!