I'm going to try my best to explain this.
I have a shared device group Panorama > Device Groups (photo) called "common"
It has no Master Device or Devices/Virtual System attached (highlighted last two columns).
We use this to create Rules on to push to the various systems listed underneath (Enterprise, 01-Enterprise and so on)
When creating those Rules on Panorama Policies tab > Post Rules > and I choose the Device Group "Commom" > Add (new rule) > User tab > Add a list of groups is available from the drop down (photo).
My issue is that I don't know where Source User is being populated from. I get how it happens when devices are assigned, but since there is no device assigned, I can't go to from Panorama Device > User ID > Template (drop down) choose "Commom" because Shared Templates aren't in the drop down > Group Mapping Settings > Add
But it's clearly getting populated somehow???
Hope that makes sense.
is it possible one of those firewalls at one time was assigned to the common group, panorama collected usergroups and then the firewall was moved into it's own sub-device group ?
> debug user-id clear group device-group common group all