@ipohlschneider,
Not using filters or the built-in group-include-list functionality isn't a problem as long as your platform(s) can sync the number of groups that you're requesting. So a PA-440 can only have 1,000 active groups used in policy, but a PA-5220 can have 10,000. If you only have hundreds of groups you shouldn't run into any issues even on the smallest platforms.
Nested groups will sync perfectly fine, but you need to ensure that you're also syncing the membership of the nested group as well. So if I have an 'All-Devices' group as an example that has the nested 'All-Laptops', 'All-Desktops', and 'All-BYOD' as a simple example, you need to sync the membership of those three nested groups to get things to function properly.