Learn best practices for connecting to directory servers
and other sources of user information to create group mappings for
use in security policy.
Defining policy rules based on user group
membership rather than individual users simplifies administration
because you don’t have to update the rules whenever group membership
changes. The following best practices are recommended for configuring group mapping for Lightweight
Directory Access Protocol (LDAP) deployments using Palo Alto Networks
Plan User-ID Best Practices for Group Mapping Deployment
directory service (such as an on-premises Active Directory, a cloud-based
Azure Active Directory, or an LDAP-based service such as OpenLDAP)
and identify the topology for your directory servers. Some questions
to consider are:
What are your primary sources for group information?
How many directory servers, data centers, and domain controllers
Are the directories on-premises or cloud-based?
Where are the domain controllers located in relation to your
Are the directory servers and domain controllers in different
Which resources are local and which are regionalized?
For deployments where your primary source for group mappings
is an Active Directory server:
If you have a single domain, you need only one group mapping configuration
with an LDAP server profile that connects the firewall to the domain
controller with the best connectivity. Add up to four domain controllers
to the LDAP server profile for redundancy.
If you have Universal Groups, create an LDAP server profile
to connect to the root domain of the Global Catalog server on port
3268 or 3269 for SSL, then create another LDAP server profile to
connect to the root domain controllers using LDAPS on port 636.
If you do not use TLS, use port 389. This helps ensure that user
and group information is available for all domains and subdomains.
If you do not have Universal Groups and you have multiple domains
or multiple forests, you must create a group mapping configuration
with an LDAP server profile that connects the firewall to a domain server
in each domain/forest. Take steps to ensure unique usernames in
If a group you need is not already available in your
LDAP directory, use user attributes to create a custom group.
Determine what format (for example, email address, UPN, or sAMAccountName)
to use for the primary username. The primary username identifies
users in user-based security policy rules, logs, and reports. If
your User-ID sources send usernames in different formats, specify those
usernames as alternative attributes.
Ensure that the primary
username, alternative username, and email attribute are unique for
Ensure that usernames and group attributes are unique for all
users and groups within each domain.
Ensure the group mapping configurations do not contain overlapping
groups if you create multiple group mapping configurations that
use the same base distinguished name (DN) or LDAP server. For example,
the Include list for one group mapping configuration cannot contain
a group that is also in a different group mapping configuration.
Retrieve only the groups you will use in your group-based security policy and
configuration by using the group include list or applying a custom
Evaluate how frequently groups change in your directories to
determine the optimal
for your Group Mapping profile. For example, if your groups change
frequently, configure a smaller value but if they are usually static,
enter a larger value.
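As an added example that is not part of the original page and not Palo Alto Networks code, the following Python script turns the planning rules above (at most four domain controllers per LDAP server profile, the Global Catalog and LDAPS port pairings, no overlapping groups between configurations that share a server or base DN, and unique username and email attributes) into offline checks over constructed sample data. The record layouts, field names and sample values are assumptions made for this example; a real deployment would feed it the configurations exported from the firewall and user attributes read from the directory.

```python
"""Added example: offline sanity checks for a User-ID group mapping plan.

Not code from Palo Alto Networks or PAN-OS. It models the planning rules
with plain Python dicts so the checks run without a directory. The record
layouts, field names ("name", "role", "ssl", "port", "servers", "server",
"base_dn", "include", "domain", "sam", "upn", "mail") and all sample data
are assumptions constructed for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Port expectations from the planning rules: Global Catalog on 3268, or 3269
# for SSL; domain controllers on 636 for LDAPS, or 389 without TLS.
EXPECTED_PORTS = {("gc", False): 3268, ("gc", True): 3269,
                  ("dc", False): 389, ("dc", True): 636}
MAX_SERVERS_PER_PROFILE = 4  # an LDAP server profile holds up to four DCs


def check_server_profile(profile: Dict) -> List[str]:
    """Return findings for one LDAP server profile (an empty list means OK)."""
    name, port, ssl, role = profile["name"], profile["port"], profile["ssl"], profile["role"]
    findings = []
    count = len(profile["servers"])
    if count == 0:
        findings.append(f"{name}: no servers configured")
    elif count > MAX_SERVERS_PER_PROFILE:
        findings.append(f"{name}: {count} servers listed, a profile holds at most {MAX_SERVERS_PER_PROFILE}")
    expected = EXPECTED_PORTS[(role, ssl)]
    if port != expected:
        findings.append(f"{name}: port {port} with ssl={ssl} on a {role} profile, expected {expected}")
    if not ssl:
        findings.append(f"{name}: binds without TLS, so bind credentials and group data cross the network in cleartext")
    return findings


def find_overlapping_groups(configs: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (group_dn, config_a, config_b) for each group that appears in the
    Include list of two group mapping configurations sharing an LDAP server or
    base DN. DNs are compared case-insensitively, as LDAP does."""
    configs = list(configs)
    overlaps = []
    for i, a in enumerate(configs):
        for b in configs[i + 1:]:
            shared_source = (a["server"].lower() == b["server"].lower()
                             or a["base_dn"].lower() == b["base_dn"].lower())
            if not shared_source:
                continue
            shared = {g.lower() for g in a["include"]} & {g.lower() for g in b["include"]}
            overlaps.extend((g, a["name"], b["name"]) for g in sorted(shared))
    return overlaps


def find_duplicate_usernames(users: Iterable[Dict],
                             attributes=("sam", "upn", "mail")) -> Dict[str, Dict[str, List[str]]]:
    """Return {attribute: {value: [domain, ...]}} for each attribute value that
    more than one user carries. sAMAccountName is only unique per domain, so a
    cross-domain hit means the firewall must see domain-qualified usernames."""
    seen: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for user in users:
        for attr in attributes:
            value = user.get(attr)
            if value:
                seen[attr][value.lower()].append(user["domain"])
    return {attr: {v: doms for v, doms in values.items() if len(doms) > 1}
            for attr, values in seen.items()}


# Constructed sample data (hypothetical hosts, DNs and users).
SAMPLE_PROFILES = [
    {"name": "gc-root", "role": "gc", "ssl": True, "port": 3269,
     "servers": ["gc1.example.com", "gc2.example.com"]},
    # Deliberately wrong: five DCs and the Global Catalog port on a DC profile.
    {"name": "corp-dc", "role": "dc", "ssl": True, "port": 3268,
     "servers": [f"dc{i}.corp.example.com" for i in range(1, 6)]},
]
CORP_DN = "DC=corp,DC=example,DC=com"
SAMPLE_CONFIGS = [
    {"name": "corp-users", "server": "dc1.corp.example.com", "base_dn": CORP_DN,
     "include": [f"CN=VPN-Users,OU=Groups,{CORP_DN}", f"CN=Finance,OU=Groups,{CORP_DN}"]},
    # Same base DN as corp-users and repeats VPN-Users (different letter case).
    {"name": "corp-admins", "server": "dc2.corp.example.com", "base_dn": CORP_DN,
     "include": [f"CN=vpn-users,OU=Groups,{CORP_DN}", f"CN=Admins,OU=Groups,{CORP_DN}"]},
    {"name": "emea-users", "server": "dc1.emea.example.com", "base_dn": "DC=emea,DC=example,DC=com",
     "include": ["CN=VPN-Users,OU=Groups,DC=emea,DC=example,DC=com"]},
]
SAMPLE_USERS = [
    {"domain": "corp", "sam": "jsmith", "upn": "jsmith@corp.example.com", "mail": "john.smith@example.com"},
    {"domain": "emea", "sam": "jsmith", "upn": "jsmith@emea.example.com", "mail": "jane.smith@example.com"},
    {"domain": "corp", "sam": "jdoe", "upn": "jdoe@corp.example.com", "mail": "John.Smith@example.com"},
]


def run_plan_checks() -> Dict[str, object]:
    """Run every check over the sample data and return the combined findings."""
    return {
        "profiles": {p["name"]: check_server_profile(p) for p in SAMPLE_PROFILES},
        "overlaps": find_overlapping_groups(SAMPLE_CONFIGS),
        "duplicates": find_duplicate_usernames(SAMPLE_USERS),
    }


if __name__ == "__main__":
    for section, result in run_plan_checks().items():
        print(f"{section}: {result}")
```

The overlap check lowercases DNs because LDAP matches them case-insensitively, so a group that differs only in letter case between two Include lists is still reported. The username check keeps the domain of every hit, which separates a sAMAccountName that legitimately repeats across two domains (a sign that the firewall needs domain-qualified or UPN-style primary usernames) from a true duplicate email address within one domain.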
Deploy Group Mapping Using Best Practices for User-ID
To access on-premises
or cloud-based directory information for user identification and
security policy enforcement, use the Cloud Identity Engine to
simplify the retrieval of group mapping information from multiple
sources, especially cloud-based directories.
If you’re using the same groups across virtual systems in your
security policy, configure a virtual system
as a hub to share group mappings across virtual systems. This allows
you to configure one virtual system to provide the mappings to the
other systems instead of configuring the mappings on each virtual system
and maximizes the number of available mappings.
Group Include List
to limit policy
rules to specific groups. Alternatively, filter the groups that
the firewall tracks for group mapping by entering a
(LDAP query) and
definition). If you don't have a group readily available in your
LDAP Directory, you can use user attributes to create custom groups
on the firewall. Ensure that attributes used to form custom groups
are indexed attributes on the directory.
If you are using only custom groups from a directory, add an
unused group to the Include List to prevent User-ID from retrieving
all the groups from the directory.
Use Group Mapping Post-Deployment Best Practices for User-ID
To confirm connectivity
to the LDAP server, use the
show user group-mapping state
To view group memberships, run the
show user group name <group name>
To ensure that the firewall can match users to the correct policy
and grant the appropriate resource access, confirm that users who need
policy-based access belong to the group assigned to the policy.
To verify which groups you can currently use in policy rules, use
show user group
If you make changes to group mapping, refresh the cache manually.
To manually refresh the cache, run the