User-ID Best Practices for Group Mapping

Learn best practices for connecting to directory servers and other sources of user information to create group mappings for use in security policy.
Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. The following best practices are recommended for configuring group mapping for Lightweight Directory Access Protocol (LDAP) deployments.
The following sections describe best practices for deploying group mapping for on-premises directory services.

Plan User-ID Best Practices for Group Mapping Deployment

  • Identify your directory service (such as Active Directory or an LDAP-based service such as OpenLDAP) and identify the topology for your directory servers. Some questions to consider are:
    • How many directory servers, data centers, and domain controllers are there?
    • What are your primary sources for group information?
    • Where are the domain controllers located in relation to your directory servers?
    • Are the directory servers and domain controllers in different regions?
    • Which resources are local and which are regionalized?
  • For deployments where your primary source for group mappings is an Active Directory server:
    • If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. Add up to four domain controllers to the LDAP server profile for redundancy.
    • If you have Universal Groups, create an LDAP server profile that connects to the root domain of the Global Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile that connects to the root domain controllers using LDAPS on port 636. If you do not use TLS, use port 389. This helps ensure that user and group information is available for all domains and subdomains.
    • If you do not have Universal Groups and you have multiple domains or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
    • Before using group mapping, configure a Primary Username for user-based security policy rules, because this attribute identifies users in the policy configuration, logs, and reports.
  • To create a custom group that is not already available in your LDAP Directory, use user attributes to create custom groups.
  • Ensure the group mapping configurations do not contain overlapping groups if you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server. For example, the Include list for one group mapping configuration cannot contain a group that is also in a different group mapping configuration.
  • Ensure that usernames and group attributes are unique for all users and groups within each domain.
  • Retrieve only the groups you will use in your group-based security policy and configuration by using the group include list or applying a custom search filter.
  • Evaluate how frequently groups change in your directories to determine the optimal Update Interval value for your Group Mapping profile. For example, if your groups change frequently, configure a smaller value; if they are usually static, enter a larger value.
  • Determine the username attribute that you want to represent users in the logs, reports, and in policy configuration. If your User-ID sources send usernames in different formats, specify those usernames as alternative attributes. Ensure that the primary username, alternative username, and email attribute are unique for each user.
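As an added example (not Palo Alto Networks code), the following Python script runs two of the planning checks above offline: it flags primary username, alternative username, or email values shared by more than one user (as happens when the same username exists in two forests), and groups that appear in the Include List of more than one group mapping configuration. All DNs, attribute values, and configuration names are constructed sample data.

```python
"""Pre-deployment checks for User-ID group mapping. Added example, not Palo Alto
Networks code; runs offline against constructed directory entries and configs."""
from collections import defaultdict

# Constructed sample of what an LDAP search for users might return. Attribute names
# follow Active Directory conventions (sAMAccountName, userPrincipalName, mail).
USERS = [
    {"dn": "CN=alice,OU=Users,DC=corp,DC=example", "sAMAccountName": "alice",
     "userPrincipalName": "alice@corp.example", "mail": "alice@corp.example"},
    {"dn": "CN=bob,OU=Users,DC=corp,DC=example", "sAMAccountName": "bob",
     "userPrincipalName": "bob@corp.example", "mail": "bob@corp.example"},
    # Same sAMAccountName in a second forest: a collision User-ID cannot resolve.
    {"dn": "CN=alice,OU=Users,DC=lab,DC=example", "sAMAccountName": "alice",
     "userPrincipalName": "alice@lab.example", "mail": "a.smith@lab.example"},
]

# Constructed group mapping configurations: config name -> its Include List.
GROUP_MAPPINGS = {
    "corp-gm": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example",
                "CN=Finance,OU=Groups,DC=corp,DC=example"],
    "lab-gm": ["CN=Finance,OU=Groups,DC=corp,DC=example",  # also in corp-gm
               "CN=Lab-Admins,OU=Groups,DC=lab,DC=example"],
}

def find_duplicate_attributes(users, attrs=("sAMAccountName", "userPrincipalName", "mail")):
    """Return {attribute: {value: [dn, ...]}} for each value shared by more than one
    user. Primary username, alternative usernames and email must each be unique."""
    seen = {attr: defaultdict(list) for attr in attrs}
    for user in users:
        for attr in attrs:
            if user.get(attr):
                # AD compares these attributes case-insensitively, so normalize first
                seen[attr][user[attr].lower()].append(user["dn"])
    return {attr: {v: dns for v, dns in vals.items() if len(dns) > 1}
            for attr, vals in seen.items() if any(len(d) > 1 for d in vals.values())}

def find_overlapping_groups(mappings):
    """Return {group DN: [config names]} for groups listed in more than one Include List."""
    owners = defaultdict(list)
    for name, groups in mappings.items():
        for group in groups:
            owners[group.lower()].append(name)  # DNs are case-insensitive
    return {group: names for group, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for attr, dupes in find_duplicate_attributes(USERS).items():
        for value, dns in dupes.items():
            print(f"duplicate {attr}={value!r}: {dns}")
    for group, names in find_overlapping_groups(GROUP_MAPPINGS).items():
        print(f"group {group} appears in more than one Include List: {names}")
```

On the sample data the script reports the duplicate sAMAccountName "alice" across the corp and lab forests and the Finance group shared by both configurations; on a clean directory and non-overlapping Include Lists both functions return empty dicts.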

Deploy Group Mapping Using Best Practices for User-ID

  • Use the Group Include List to limit policy rules to specific groups. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition). If you don't have a group readily available in your LDAP directory, you can use user attributes to create custom groups on the firewall. Ensure that attributes used to form custom groups are indexed attributes on the directory.
  • If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
  • Specify the Primary Username that identifies users in reports and logs.

Use Group Mapping Post-Deployment Best Practices for User-ID

  • To confirm connectivity to the LDAP server, use the show user group-mapping state all CLI command.
  • To view the members of a group, run the show user group name <group name> CLI command.
  • To ensure that the firewall matches users to the correct policy rule and that they receive the appropriate resource access, confirm that users who need policy-based access belong to the group assigned to that rule. To verify which groups you can currently use in policy rules, use the show user group CLI command.
  • If you make changes to group mapping, refresh the cache manually by running the debug user-id refresh group-mapping all CLI command.
