Ran into an issue yesterday where we have an AD group name, let's call it PP&G, and then we tried to get the Palo to see the Group Mapping via Device > User Identification > Group Mapping Settings > Group Include List > Add and entered the CN name for the group.
Being the dedicated admin that I am, I then went to verify my work via command line on the Palo with the following command: show user group list
And it in fact saw the new group cn=pp&g, ou=blah and so on.
Not convinced, I then ran the command: show user group name "cn=pp&g, ou=blah" and what was returned was <response status="success"><result>User group 'cn=pp&g, ou=blah' does not exist or does not have members</result></response>
But a look in AD did in fact show users.
Troubleshooting steps included:
Just waiting for a half hour or so to see if it picked it up.
debug user-id refresh group-mapping all
None of that fixed it. We then used another group without a funny symbol such as & and it worked almost instantly.
So the question is, have I found a bug or is this known by design?
It took me a day and a half to convince the tech that I did have an issue, but he now thinks it's a bug and is escalating.
Opened a case, I'll let you all know.
Did you manually type the cn? Are you unable to browse the LDAP structure to find the group? If it doesn't show up but others do, you may have found a bug :)