Want to create a security policy based on domain user group.


L1 Bithead

Hi, I would like to set up a security policy based on a group a user belongs to on my AD. I've set up the LDAP, and USER ID client on the server, but when I go to create the security rule, nothing shows up in the add box for the user. Even if I click the drop down, or start to type the domain/username info. I'm thinking I missed a step, or something. Can anyone recommend somethings I should check, or point me in the direction of some good documents?



L6 Presenter

Here is a document that explains how to configure User-ID agent and the LDAP server group mappings.


If you have all the configuration set according to the document, I would ask you to check whether the firewall is actually pulling the user-group information. This can be verified with the command "show user group-mapping state all". If you are able to see all the group information in the output, then the group mapping is working properly. So you might want to try using different browsers to create security rules and see if that helps.


Sandeep T

L5 Sessionator

If the firewall isn't showing User Info:

Verify if the Agent is performing the User-Mapping:

CLI command to verify User-IP Mapping (Done by User-Id Agent)

>show user ip-user-mapping

If this command does not show IP-User Mapping:

Check if the Agent is connected; also verify that you see Discovered Users on the Agent (Monitor).


User Identification Initial Setup


If IP-User Mapping is being done as expected, verify the LDAP config for User-Group Mapping.

CLI command to verify User-Group Mapping (Done by Firewall via LDAP)

Lists users in the group (Included Groups in LDAP, or all groups if no Included Groups are configured):

>show user group name <value>

User Identification Tech Note PAN-OS 4.1



L6 Presenter

You can also try resetting the user-id manager with the command "debug user-id reset user-id manager type all" and also "debug software restart user-id" from the CLI.

Sandeep T

L1 Bithead

Hi Guys,

Thanks for the suggestions and help.

Looks like my PAN box is mapping users to IPs.

Here is what I see when I run show user ip-user-mapping:

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
                AD        in\amorse                        3499             3499
                AD        in\kwoodward                     3499             3499
                AD        in\bucstudent                    3499             3499

When I run: show user group list

I don't get anything back. I'm thinking this is where the problem is.

This looks odd to me too:

show user group-mapping state all

Group Mapping(vsys1, type: active-directory): test
        Bind DN    : PANBOX@IN.SCU.K12.CA.US
        Base       : DC=in,DC=scu,DC=k12,DC=ca,DC=us
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers

        Proxy state: QUERY_SENT (no result back from agent)
        Query agent: ADMASTER2
        Result from:
                Last Action Time: (Never)
                Next Action Time: In 2 secs
        Number of Groups: 0

Thanks again for everyone's support! Can't wait to get this going!
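The two CLI checks recommended above (show user ip-user-mapping, then show user group-mapping state all) are easy to eyeball once, but tedious to repeat across firewalls. Below is an added example, not code from the original thread or from Palo Alto Networks, that parses both outputs and reports the same triage the replies describe: whether IP-to-user mapping is populated, and whether group mapping is stuck waiting on the agent with zero groups. The sample text is constructed from the output posted in this thread; the IP addresses are made up (RFC 5737 documentation range) because the post had them blanked out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `show user ip-user-mapping`, modelled on the thread's output.
# The IPs are documentation-range placeholders; the original post had the column blank.
IP_USER_MAPPING_OUTPUT = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.0.2.11      AD        in\\amorse                        3499             3499
192.0.2.12      AD        in\\kwoodward                     3499             3499
192.0.2.13      AD        in\\bucstudent                    3499             3499
"""

# Constructed sample of `show user group-mapping state all`, copied from the thread.
GROUP_MAPPING_STATE_OUTPUT = """\
Group Mapping(vsys1, type: active-directory): test
        Bind DN    : PANBOX@IN.SCU.K12.CA.US
        Base       : DC=in,DC=scu,DC=k12,DC=ca,DC=us
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
        Proxy state: QUERY_SENT (no result back from agent)
        Query agent: ADMASTER2
        Result from:
                Last Action Time: (Never)
                Next Action Time: In 2 secs
        Number of Groups: 0
"""


@dataclass
class IpUserMapping:
    ip: str
    source: str          # "Ident. By" column, e.g. AD
    user: str            # domain\\user
    idle_timeout: int
    max_timeout: int


@dataclass
class GroupMappingState:
    vsys: str
    mapping_type: str
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def group_count(self) -> int:
        return int(self.attrs.get("Number of Groups", "0"))

    @property
    def proxy_state(self) -> Optional[str]:
        return self.attrs.get("Proxy state")


def parse_ip_user_mapping(text: str) -> List[IpUserMapping]:
    """Parse the fixed-width table; skip the header, the dashed rule and malformed rows."""
    rows: List[IpUserMapping] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("IP ") or line.startswith("---"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue  # e.g. a row whose IP column was redacted
        ip, source, user, idle, mx = parts
        rows.append(IpUserMapping(ip, source, user, int(idle), int(mx)))
    return rows


def parse_group_mapping_state(text: str) -> List[GroupMappingState]:
    """One GroupMappingState per 'Group Mapping(...)' header; indented 'key: value' lines attach to it."""
    header = re.compile(r"^Group Mapping\((\w+), type: ([\w-]+)\): (.+)$")
    profiles: List[GroupMappingState] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = header.match(line)
        if m:
            profiles.append(GroupMappingState(vsys=m.group(1), mapping_type=m.group(2), name=m.group(3).strip()))
            continue
        if profiles and ":" in line:
            key, _, value = line.partition(":")
            profiles[-1].attrs[key.strip()] = value.strip()
    return profiles


def triage(ip_user_text: str, group_state_text: str) -> List[str]:
    """Apply the thread's two checks and return human-readable findings, IP-user check first."""
    findings: List[str] = []
    mappings = parse_ip_user_mapping(ip_user_text)
    if mappings:
        findings.append(f"IP-to-user mapping OK: {len(mappings)} entries.")
    else:
        findings.append("No IP-to-user mappings: check agent connectivity and Discovered Users on the agent.")
    for p in parse_group_mapping_state(group_state_text):
        state = p.proxy_state or ""
        if p.group_count > 0:
            findings.append(f"Group mapping '{p.name}': {p.group_count} groups, OK.")
        elif "no result back from agent" in state:
            findings.append(f"Group mapping '{p.name}': 0 groups, proxy state '{state}'; "
                            "firewall is waiting on agent; check agent reachability or query the LDAP server directly.")
        else:
            findings.append(f"Group mapping '{p.name}': 0 groups; check LDAP profile, bind DN and Group Include List.")
    return findings


if __name__ == "__main__":
    for finding in triage(IP_USER_MAPPING_OUTPUT, GROUP_MAPPING_STATE_OUTPUT):
        print(finding)
```

Run against the sample it prints one OK line for the IP-user table and one warning for the "test" profile, matching the diagnosis given in the replies. The same parsers work on the real output pasted from a firewall, and the zero-groups-plus-QUERY_SENT pattern is the one worth alerting on.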



From the output, the agent has not responded back to the firewall with the groups. Make sure the agent and firewall have connectivity and the agent can reach the DC to pull groups. Can you try to bypass the agent and pull the groups directly from DC?




I got the same errors as you.

In my situation the problem was in Device > User Identification > Group Mapping Settings > Group Include list - if you click on "+" you should see your groups. I got an error instead of the list of groups.

To fix it go to Server Profiles > LDAP - the server should be reached at port 389 according to



Not applicable

When you go to Device->Authentication Profile->(open profile up)->Login Attribute

What value is listed there?  Mine was blank, and when I put in the value "sAMAccountName" everything started to work like magic.  Does that help?

If you've already got that part working - have you looked at your Group Include List?

Device->User Identification->Group Mapping Settings->Group Include List (tab)

Expand your domain and then find the groups you want - then add them to the list... you can use these in your security policies if they are listed here.  Does that help?

L1 Bithead

Got it working... The problem was the PAN box was set to Proxy the groups from the agent to the Box. Support went in and turned off the proxy, and all the groups showed up... Thanks for everyone's help and advice.

