I have a User-Id configuration that has been working successfully for 6 months. I went to add a new group to the group include list, and the syntax that was written from Panorama had JUST the group name in this form :domain\group_name. The working groups as listed by running the 'show config merged | match group-include-list' all have a syntax similar to this: [cn=group_name, ou=users and groups, ou=yyy, dc=my_domain, dc=com] etc etc . the FW does not recognize the new group, and cannot retrieve any of the users, so it is non-functional. the previously working groups still work.
FYI: the groups show up correctly when I browse the dialog in Panorama - but none of them, even the working ones, display the cn-ou-dc parameters.
Thank you for the post @ClaytonHuml
if you want to add a new AD group into include list from Panorama, you have to configure AD group with whole LDAP string. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIOCA0
After this is pushed to managed Firewall, you will see AD group in this format: domain\group_name on Firewall side.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!