User-ID Group Mapping not working in a security policy
Showing results for 
Search instead for 
Did you mean: 

User-ID Group Mapping not working in a security policy

L2 Linker



I have searched and found similar posts but none seem to have a working solution for this...


I have a simple security policy to deny access to a VM located in the 'trust' zone if it matches a user in the user group created on the AD server.


I've confirmed with 'show user group name' that the firewall can indeed see the correct users in the group but when applying that group to the deny policy i'm not getting a hit.



any ideas?






Thanks for your help Mick

L2 Linker

If the domain format matches in IP mapping and Group mapping, then you can check the user's attributes. I would go through like this:


Does domain format(fqdn vs flat netbios) and username match under these two:

> show user group name <group dn>

> show user ip-user-mapping <all|ip x>


Do you see a mismatch with the Primary or Alt attributes (specifically domain fqdn vs netbios) compared with the previous commands?

> show user user-attributes user <>


Also check that you have a domain map shortening the fqdn to netbios:

> debug user-id dump domain-map



As per @dmifsud advice, here is my output for both group and ip mapping. They both have domain prefix. Can you post your results of the same commands.




Thanks... heres some output:

Ok some good info...

the user ip mapping ggrant does not have the domain prefix so using domain groups will not work.


this will work if you add the domain to the authentication profile, this is what i do for my ipads and domain authentication works fine.



View solution in original post

Holy moly it worked.


I added the domain in the auth profile and left the username modifier as the default.


I tried this yesterday but changed the modifier to %USERDOMAIN%/%USERINPUT% and it didn't work.


Thanks all for your help on this.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!