Strata Copilot
    User-ID Best Practices
    : User-ID Best Practices for Group Mapping
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. User-ID Best Practices
    4. User-ID Best Practices
    5. User-ID Best Practices for Group Mapping
    Download PDF

    User-ID Best Practices

    User-ID Best Practices for Group Mapping

    Table of Contents
    End-of-Life (EoL)

    User-ID Best Practices for Group Mapping

    Learn best practices for connecting to directory servers and other sources of user information to create group mappings for use in security policy.
    Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. The following best practices are recommended for Lightweight Directory Access Protocol (LDAP) deployments.
    The following sections describe best practices for deploying group mapping for on-premises directory services.

    Plan User-ID Best Practices for Group Mapping Deployment

    • Identify your directory service (such as Active Directory or an LDAP-based service such as OpenLDAP) and identify the topology for your directory servers. Some questions to consider are:
      • How many directory servers, data centers, and domain controllers are there?
      • What are your primary sources for group information?
      • Where are the domain controllers located in relation to your directory servers?
      • Are the directory servers and domain controllers in different regions?
      • Which resources are local and which are regionalized?
    • For deployments where your primary source for group mappings is an Active Directory server:
      • If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. Add up to four domain controllers to the LDAP server profile for redundancy.
      • If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL, then create another LDAP server profile to connect to the root domain controllers using LDAPS on port 636. If you do not use TLS, use port 389. This helps ensure that users and group information is available for all domains and subdomains.
      • If you do not have Universal Groups and you have multiple domains or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
      • Before using group mapping, configure a Primary Username for user-based security policies, because this attribute identifies users in the policy configuration, logs, and reports.
    • To create a custom group that is not already available in your LDAP Directory, use user attributes to create custom groups.
    • Ensure the group mapping configurations do not contain overlapping groups if you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server. For example, the Include list for one group mapping configuration cannot contain a group that is also in a different group mapping configuration.
    • Ensure that usernames and group attributes are unique for all users and groups within each domain.
    • Retrieve only the groups you will use in your security policy and configuration by using the group include list or applying a custom search filter.
    • Evaluate how frequently groups change in your directories to determine the Update Interval value for your Group Mapping profile.
    • Determine the username attribute that you want to represent users in the logs, reports, and in policy configuration. If your User-ID sources send usernames in different formats, specify those usernames as alternative attributes.
      Ensure that the primary username, alternative username, and email attribute are unique for each user.

    Deploy Group Mapping Using Best Practices for User-ID

    • If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from directory.
    • Specify the Update Interval (in seconds) based on how frequently groups change in your directories.
    • Use the Group Include List to limit policy rules to specific groups. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition). If you don't have a group readily available in your LDAP Directory, you can use user attributes to create custom groups on the firewall. Ensure that attributes used to form custom groups are indexed attributes on the directory.
    • Specify the Primary Username that will identify users in reports and logs.

    Use Group Mapping Post-Deployment Best Practices for User-ID

    • To confirm connectivity to the LDAP server, use the show user group-mapping state all CLI command.
    • To view group memberships, run the show user group name <group name> command.
    • Confirm the user exists in a group before using that group in your security policy. To verify which groups you can currently use in policies, use the show user group CLI command.
    • If you make changes to group mapping, refresh the cache manually. To manually refresh the cache, run the debug user-id refresh group-mapping all command.

    © 2026 Palo Alto Networks, Inc. All rights reserved.