Hi, I'm setting up GlobalProtect, which works just fine. Now I want to restrict GlobalProtect access to only 1 AD group. I created a separate GP authentication profile with my ssl_vpn AD group in the allow list, but as soon as I commit that allow list, not a single user can log in to GlobalProtect anymore. Is this the correct way to configure this? I also tried configuring the AD group as source user on the GlobalProtect portal definition, but that didn't help either.

I suspect that there is a problem with the retrieval of the groups and the group membership from the AD server. We added the AD group to AD after configuring the AD server definition in the PAN firewall, after which we couldn't see it listed among the available AD groups in the web interface. However, in the CLI, "show user group-mapping state <domain>" showed the group, so it seemed to be retrieved by the PAN. We configured the GlobalProtect settings via the CLI, since the group was not visible in the web interface. Could this be related? Is there any other way to get more information about the available groups on the device?

Edit: PA-2050 cluster, running 4.1.0, group mapping is configured on the firewall.