Ran into an issue yesterday where we have an AD group name, let's call it PP&G, and then we tried to get the Palo to see the Group Mapping via Device > User Identification > Group Mapping Settings > Group Include List > Add and entered the CN name for the group.
Being the dedicated admin that I am, I then went to verify my work via command line on the Palo with the following command: show user group list
And it in fact saw the new group cn=pp&g, ou=blah and so on.
Not convinced, I then ran the command: show user group name "cn=pp&g, ou=blah" and what was returned was <response status="success"><result>User group 'cn=pp&g, ou=blah' does not exist or does not have members</result></response>
But a look in AD did in fact show users.
Troubleshooting steps included:
Just waiting for a half hour or so to see if it picked it up.
debug user-id refresh group-mapping all
None of that fixed it. We then used another group without a funny symbol such as & and it worked almost instantly.
So the question is, have I found a bug or is this known by design?