Unable to assign Security Policy to Users or Groups

L3 Networker

Hi -

We are using User-ID Agents to create user-to-IP mappings and I've got group mapping configured on the firewall itself and I can browse through my ldap groups.  However, when I go to Policies > Security Policy I am unable to select either individual users OR groups to assign the policy to... Nothing populates.  Am I missing something somewhere?  Seems like it would be straight forward after configuring group mapping.  Thanks!

L6 Presenter

What's the output for the following?

admin@PA-200> show user group-mapping state all

L6 Presenter

What PAN-OS version are you using?

If you configured User-ID, LDAP and group mapping, and also enabled User-ID on a zone,

you should see users on the Monitor tab traffic logs.

If everything is OK and you still can't see users/groups on the security rule,

reboot the device if you can; you'll see groups and users on the security rule after that.

L3 Networker

admin@UTM21-LAB-2-B(active)> show user group-mapping state all

<response status="success"><result>
Group Mapping(vsys1, type: active-directory): Group_Mapping (job 749073)
        Bind DN    : cn=ldap-alt-paloalto,ou=users,o=alticor
        Base       : ou=groups,o=alticor
        Group Filter: (&(objectCategory=Group)(objectClass=group))
        User Filter: (&(objectCategory=person)(objectClass=user))
        Servers    : configured 1 servers
        Proxy state: QUERY_SENT
        Query agent: usnx282
        Result from: usnx282
                Last Action Time: 326 secs ago(took 6 secs)
                Next Action Time: Now (started 156 secs ago)
                Query Local Group Mapping Service:
                        Last Action Time: 326 secs ago(took 6 secs)
                        Next Action Time: Now (started 156 secs ago)
        Number of Groups: 0

L6 Presenter

I don't see any groups being pulled. If you're not filtering groups, we should be able to pull all groups in your AD as shown below.

Group Mapping(vsys1, type: active-directory): amb
        Bind DN    : renato@amb.local
        Base       : DC=amb,DC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                        Last Action Time: 1 secs ago(took 0 secs)
                        Next Action Time: In 3599 secs
        Number of Groups: 42

        cn=domain controllers,cn=users,dc=amb,dc=local
        cn=remote desktop users,cn=builtin,dc=amb,dc=local
        cn=distributed com users,cn=builtin,dc=amb,dc=local
        cn=incoming forest trust builders,cn=builtin,dc=amb,dc=local
        cn=certificate service dcom access,cn=builtin,dc=amb,dc=local

What does the LDAP server profile look like? Grep the output after it is displayed on your SSH terminal for the following: "/ldap" and "/group-mapping"

admin@PA-200> show config running

     ldap {
        amb {
          server {
            amb {
              port 389;

          ldap-type active-directory;
          base DC=amb,DC=local;
          bind-dn renato@amb.local;
          timelimit 30;
          bind-timelimit 30;
          bind-password -
          ssl no;
          domain amb;

  group-mapping {
            amb {
              group-object group;
              group-name name;
              group-member member;
              user-object person;
              user-name sAMAccountName;
              disabled no;
              server-profile amb;
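The two `show user group-mapping state all` pastes in this thread differ in exactly the fields the replies point at: the group count, the group filter, and whether the query is proxied through a User-ID agent. The script below is an added example (not code from the original post or from Palo Alto Networks): it parses that CLI output into a structure and applies those checks, so the same triage can be run over a saved paste instead of by eye. The sample text is copied from the outputs above and trimmed; the field names it keys on are the ones visible in those outputs, and the `diagnose()` heuristics are this example's own.

```python
import re

# Sample input constructed from the thread: the original poster's mapping (no groups,
# queries proxied through a User-ID agent) and the healthy reference mapping (42 groups).
SAMPLE_STATE = """Group Mapping(vsys1, type: active-directory): Group_Mapping (job 749073)
        Bind DN    : cn=ldap-alt-paloalto,ou=users,o=alticor
        Base       : ou=groups,o=alticor
        Group Filter: (&(objectCategory=Group)(objectClass=group))
        User Filter: (&(objectCategory=person)(objectClass=user))
        Servers    : configured 1 servers
        Proxy state: QUERY_SENT
        Query agent: usnx282
        Result from: usnx282
                Last Action Time: 326 secs ago(took 6 secs)
                Next Action Time: Now (started 156 secs ago)
        Number of Groups: 0
Group Mapping(vsys1, type: active-directory): amb
        Bind DN    : renato@amb.local
        Base       : DC=amb,DC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                        Last Action Time: 1 secs ago(took 0 secs)
                        Next Action Time: In 3599 secs
        Number of Groups: 42

        cn=domain controllers,cn=users,dc=amb,dc=local
        cn=remote desktop users,cn=builtin,dc=amb,dc=local
"""

# One "Group Mapping(...)" header opens each block; indented "Key : value" lines follow,
# and retrieved group DNs are listed as bare "cn=..." lines after the count.
HEADER_RE = re.compile(r"^Group Mapping\((\S+), type: ([^)]+)\): (\S+)")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")
DN_RE = re.compile(r"^\s+(cn=.*)$", re.IGNORECASE)


def parse_group_mapping_state(text):
    """Return one dict per Group Mapping block: name, vsys, type, fields, group DNs."""
    mappings = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"vsys": m.group(1), "type": m.group(2), "name": m.group(3),
                   "fields": {}, "groups": []}
            mappings.append(cur)
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            cur["fields"][f.group(1).strip()] = f.group(2).strip()
            continue
        d = DN_RE.match(line)
        if d:
            cur["groups"].append(d.group(1).strip())
    return mappings


def diagnose(mapping):
    """Apply the checks raised in the thread (example heuristics, not a PAN-OS feature):
    zero groups means the policy user/group pickers stay empty; a non-default group
    filter and a proxied query (Proxy state present) are the first things to inspect."""
    fields = mapping["fields"]
    count = int(fields.get("Number of Groups", "0"))
    findings = []
    if count == 0:
        findings.append("no groups retrieved; security policy selectors will stay empty")
    if fields.get("Group Filter", "(None)") != "(None)":
        findings.append("custom group filter in place: " + fields["Group Filter"])
    if "Proxy state" in fields:
        findings.append("queries proxied via User-ID agent %s (state %s)"
                        % (fields.get("Query agent", "?"), fields["Proxy state"]))
    return count, findings


def summarize(text):
    """Map each mapping name to (group count, list of findings)."""
    return {m["name"]: diagnose(m) for m in parse_group_mapping_state(text)}


if __name__ == "__main__":
    for name, (count, findings) in summarize(SAMPLE_STATE).items():
        print("%s: %d groups" % (name, count))
        for f in findings:
            print("  - " + f)
```

Feed it the full output of `show user group-mapping state all` from the firewall; any mapping that comes back with findings is the one to fix before expecting users or groups to appear under Policies > Security.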

L7 Applicator

As pointed out in the previous comment, there are no groups being pulled.

Looks like you are using the User-ID agent for "LDAP Proxy" to query for groups. Does the management interface of the firewall have connectivity to the domain controllers? If so, can you please try to uncheck the "LDAP proxy" checkbox on the User-ID agent (Device>User identification>User ID agents) and see if groups get pulled?

L6 Presenter

Can you see groups on the group mapping tab or not?

L3 Networker

rkalugdan I have to apologize - I'm not familiar with running the grep command from the CLI.  Can you provide the syntax?  I'm on 5.0.4

L3 Networker

Yes, I can see groups on the group mapping tab.

L3 Networker

I initially had the Use LDAP Proxy box unchecked.  I checked it as a way to try to resolve this issue.
