Problem is you still have to add them on an individually named basis to the administrators list. Here's an example of trying to do it your way with a member of the group but not having the person explicitly added as an administrator (auth.log dump):

2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1639): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 1, body length 2156
2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1662): Trying to authenticate: <profile: "", vsys: "", username "t-jgrote">
2016-12-21 14:26:44.392 -0800 debug: _get_auth_prof_detail(pan_auth_util.c:925): "t-jgrote" is an admin user
2016-12-21 14:26:44.409 -0800 Error: pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:222): No default auth profile found for username t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile_by_name(pan_auth_util.c:501): No admin auth prof found with the name t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile(pan_auth_util.c:546): No auth prof/vsys is found for admin user "t-jgrote"
2016-12-21 14:26:44.409 -0800 Error: pan_get_authprofile_n_setting(pan_auth_util.c:1014): Failed to get authentication profile for admin t-jgrote
2016-12-21 14:26:44.409 -0800 Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:246): Admin user "t-jgrote" home dir "/opt/pancfg/home/t-jgrote" has NOT created yet
2016-12-21 14:26:44.409 -0800 Error: pan_auth_send_auth_resp(pan_auth_server.c:389): pan_set_admin_user_stat("t-jgrote", False)
2016-12-21 14:26:44.409 -0800 failed authentication for user 't-jgrote'. vsys 'shared', From: <REDACTED>.
2016-12-21 14:26:44.409 -0800 debug: _log_auth_respone(pan_auth_server.c:243): Sent FAILED auth response for user 't-jgrote' (exp_in_days=-1 (-1 never; 0 within a day))
2016-12-21 14:26:44.409 -0800 Error: pan_auth_request_process(pan_auth_state_engine.c:1713): Failed to get authentication profile
2016-12-21 14:26:44.409 -0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn

If I add him to administrators with the auth profile specified then it works fine. So that just filters who the profile applies to, but it appears they still have to be manually set up in "Administrators". I suppose if I have to I could automate the process with a periodic PowerShell script that gets the group members and then updates the administrators table via the API, but I'd rather this be "native" if possible. Looking for guidance, I can't imagine this is a terribly unusual request especially in larger organizations.

EDIT: Also I'm looking to do this in Panorama, but if it's doable at the individual PANOS level that is worth looking at.
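Added example, not part of the original post: a Python triage of authd log text in the format quoted above, separating failed admin logins that follow a "No default auth profile found" error (the group member has no entry under Administrators) from other failures. The function names are hypothetical; the first three sample lines are copied from the dump, and the `svc-example` lines are constructed.

```python
import re
from collections import defaultdict

# Lines 1-3 are copied from the dump in the post; the two "svc-example"
# lines are constructed to show a failure with a different cause.
SAMPLE_LOG = """\
2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1662): Trying to authenticate: <profile: "", vsys: "", username "t-jgrote">
2016-12-21 14:26:44.409 -0800 Error: pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:222): No default auth profile found for username t-jgrote
2016-12-21 14:26:44.409 -0800 failed authentication for user 't-jgrote'. vsys 'shared', From: <REDACTED>.
2016-12-21 14:27:10.120 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1662): Trying to authenticate: <profile: "", vsys: "", username "svc-example">
2016-12-21 14:27:10.131 -0800 failed authentication for user 'svc-example'. vsys 'shared', From: <REDACTED>.
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) "
    r"(?:(?P<level>\w+): (?P<func>\w+)\((?P<src>[\w.]+:\d+)\): )?(?P<msg>.*)$")
NO_PROFILE = re.compile(r"No default auth profile found for username (?P<user>\S+)")
FAILED = re.compile(r"failed authentication for user '(?P<user>[^']+)'")

def triage(log_text):
    """Return {username: [(timestamp, reason), ...]} for each failed login."""
    pending = set()  # users with a missing-profile error not yet tied to a failure
    results = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["func"] and (hit := NO_PROFILE.search(m["msg"])):
            pending.add(hit["user"])
        elif not m["func"] and (hit := FAILED.match(m["msg"])):
            user = hit["user"]
            reason = "no-admin-auth-profile" if user in pending else "other"
            pending.discard(user)
            results[user].append((m["ts"], reason))
    return dict(results)

def needs_admin_entry(log_text):
    """Users whose login failed only because no admin auth profile exists."""
    return sorted(u for u, ev in triage(log_text).items()
                  if any(r == "no-admin-auth-profile" for _, r in ev))

if __name__ == "__main__":
    print(needs_admin_entry(SAMPLE_LOG))
```

The list returned by `needs_admin_entry` is the set of accounts a periodic sync job of the kind mentioned in the post would have to create under Administrators.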