I can't answer regarding the App Group vs. App Filters performance impact; however, from a management perspective, App Filters are a lot easier for an admin to maintain, as new applications are automatically added to the filters whenever a dynamic update occurs. With regard to User-ID, it's best practice to only include groups that you will use on the PAN device to control traffic. If you are on 4.1 or higher, you can additionally reduce the amount of data that the LDAP server returns to the PAN device for the group mappings by applying search filters to your Group Mappings. This can be made easier by creating some specific groups on your LDAP server with an appended label to the group (i.e., PAN-Marketing, PAN-Sales, PAN-Technical, PAN-Directors), making your LDAP groups members of those groups, and then applying a group filter of "PAN" to your Group Mappings. This will only pull across the groups with the PAN label and the members of those groups.