User-ID Best Practices for Group Mapping
End-of-Life (EoL)
Learn best practices for connecting to directory servers and other sources of user information to create group mappings for use in security policy.
Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. The following sections describe best practices for deploying group mapping against on-premises directory services that speak Lightweight Directory Access Protocol (LDAP), such as Active Directory.
Plan User-ID Best Practices for Group Mapping Deployment
Identify your directory service (such as Active Directory or an LDAP-based service such as OpenLDAP) and the topology of your directory servers. Some questions to consider are:
How many directory servers, data centers, and domain controllers are there?
What are your primary sources for group information?
Where are the domain controllers located in relation to your directory servers?
Are the directory servers and domain controllers in different regions?
Which resources are local and which are regionalized?
For deployments where your primary source for group mappings is an Active Directory server:
If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. Add up to four domain controllers to the LDAP server profile for redundancy.
If you have Universal Groups, create an LDAP server profile that connects to the root domain of the Global Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile that connects to the root domain controllers using LDAPS on port 636. If you do not use TLS, use port 389; the bind credentials and the user and group data then cross the network in clear text, so use the TLS ports wherever the domain controllers support them. Together these profiles ensure that user and group information is available for all domains and subdomains.
If you do not have Universal Groups and you have multiple domains or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain or forest. Take steps to ensure that usernames are unique across the separate forests, because the firewall identifies a user by username, not by the forest the account came from.
Before using group mapping, configure a Primary Username for user-based security policies, because this attribute identifies users in the policy configuration, logs, and reports.
To create a custom group that is not already available in your LDAP directory, use user attributes to create custom groups.
If you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server, ensure they do not contain overlapping groups. For example, the Include List of one group mapping configuration cannot contain a group that is also in a different group mapping configuration.
Ensure that usernames and group attributes are unique for all users and groups within each domain.
Retrieve only the groups you will use in your security policy and configuration, by using the Group Include List or applying a custom search filter.
Evaluate how frequently groups change in your directories to determine the Update Interval value for your group mapping configuration.
Determine the username attribute that you want to represent users in the logs, reports, and policy configuration. If your User-ID sources send usernames in different formats, specify those usernames as alternative attributes.
Ensure that the primary username, alternative username, and email attribute are unique for each user.
Deploy Group Mapping Using Best Practices for User-ID
If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
Specify the Update Interval (in seconds) based on how frequently groups change in your directories.
Use the Group Include List to limit policy rules to specific groups. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition). If you don't have a group readily available in your LDAP directory, you can use user attributes to create custom groups on the firewall. Ensure that attributes used to form custom groups are indexed attributes on the directory, because a query on an unindexed attribute makes the directory server scan every object in scope on each refresh.
Specify the Primary Username that will identify users in reports and logs.
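The pre-deployment checks described in the planning and deployment steps (unique usernames across forests, no overlapping Include Lists, a search filter that retrieves only the groups policy uses, and custom groups built from user attributes) can be rehearsed against a directory export before you touch the firewall. The following Python script is an added example, not part of this page or of PAN-OS; the two-forest directory export it contains is constructed sample data, and the group names, configuration names and attribute names (Finance, VPN-Users, GM-corp, GM-lab, department) are assumptions made for the illustration.

```python
"""Offline rehearsal of the group-mapping pre-deployment checks.

Added example (not PAN-OS code). The directory export below is constructed
sample data standing in for a flattened LDAP export of two forests.
"""
from collections import defaultdict

# Constructed sample export. Deliberate collision: "jsmith" is the
# sAMAccountName in both forests, which breaks user identification if
# sAMAccountName is chosen as the Primary Username.
USERS = [
    {"dn": "CN=John Smith,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@corp.example.com",
     "mail": "john.smith@example.com",
     "department": "Finance"},
    {"dn": "CN=Jane Smith,OU=Users,DC=lab,DC=example,DC=net",
     "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@lab.example.net",
     "mail": "jane.smith@example.com",
     "department": "Engineering"},
    {"dn": "CN=Ann Lee,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "alee",
     "userPrincipalName": "alee@corp.example.com",
     "mail": "ann.lee@example.com",
     "department": "Finance"},
]

# Constructed Include Lists of two group-mapping configurations that share
# an LDAP server. DNs are compared case-insensitively, as the directory does.
INCLUDE_LISTS = {
    "GM-corp": ["CN=Finance,OU=Groups,DC=corp,DC=example,DC=com",
                "CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"],
    "GM-lab": ["cn=vpn-users,ou=groups,dc=corp,dc=example,dc=com"],
}


def find_duplicate_attributes(users, attrs=("sAMAccountName", "userPrincipalName", "mail")):
    """Return {attribute: {value: [dn, ...]}} for each value shared by more
    than one user. Any attribute listed in the result is unsafe as the
    Primary Username, alternative username, or email attribute."""
    seen = {a: defaultdict(list) for a in attrs}
    for user in users:
        for attr in attrs:
            if attr in user:
                seen[attr][user[attr].lower()].append(user["dn"])
    duplicates = {}
    for attr, values in seen.items():
        shared = {v: dns for v, dns in values.items() if len(dns) > 1}
        if shared:
            duplicates[attr] = shared
    return duplicates


def overlapping_includes(include_lists):
    """Return {group DN: [config, ...]} for groups that appear in the Include
    List of more than one group-mapping configuration."""
    owners = defaultdict(set)
    for config, groups in include_lists.items():
        for group in groups:
            owners[group.lower()].add(config)
    return {g: sorted(c) for g, c in owners.items() if len(c) > 1}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_search_filter(group_cns, object_class="group"):
    """Search Filter that retrieves only the named groups, instead of every
    object of the Object Class under the Base DN."""
    clauses = "".join("(cn=%s)" % ldap_escape(cn) for cn in group_cns)
    return "(&(objectClass=%s)(|%s))" % (ldap_escape(object_class), clauses)


def custom_group_members(users, attribute, value):
    """Members of a custom group defined by the equality filter
    (attribute=value) over user attributes; a toy evaluator of that one
    filter shape applied to the export. Keep the attribute indexed on the
    directory so the real query does not scan every user object."""
    return sorted(u["dn"] for u in users if u.get(attribute, "").lower() == value.lower())


if __name__ == "__main__":
    print("duplicate identity attributes:", find_duplicate_attributes(USERS))
    print("overlapping include lists:", overlapping_includes(INCLUDE_LISTS))
    print("search filter:", group_search_filter(["Finance", "VPN-Users"]))
    print("custom group department=Finance:",
          custom_group_members(USERS, "department", "Finance"))
```

Run it before creating the configurations. A non-empty result from find_duplicate_attributes means the Primary Username must be a different attribute (in the sample, userPrincipalName is unique while sAMAccountName is not) or the accounts must be deduplicated; a non-empty result from overlapping_includes means one of the configurations has to drop the shared group; and the filter that group_search_filter emits is the shape to paste into the Search Filter field so the firewall never walks every group under the Base DN.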
Use Group Mapping Post-Deployment Best Practices for User-ID
To confirm connectivity to the LDAP server, use the show user group-mapping state all CLI command.
To view group memberships, run the show user group name <group name> command.
Confirm the user exists in a group before using that group in your security policy. To verify which groups you can currently use in policies, use the show user group CLI command.
If you make changes to group mapping, refresh the cache manually by running the debug user-id refresh group-mapping all command.