User-ID Best Practices for Group Mapping

Learn best practices for connecting to directory servers and other sources of user information to create group mappings for use in security policy.
Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. The following best practices are recommended for configuring group mapping for Lightweight Directory Access Protocol (LDAP) deployments using Palo Alto Networks firewalls.

Plan User-ID Best Practices for Group Mapping Deployment

  • Identify your directory service (such as an on-premises Active Directory, a cloud-based Azure Active Directory, or an LDAP-based service such as OpenLDAP) and identify the topology for your directory servers. Some questions to consider are:
    • What are your primary sources for group information?
    • How many directory servers, data centers, and domain controllers are there?
    • Are the directories on-premises or cloud-based?
    • Where are the domain controllers located in relation to your directory servers?
    • Are the directory servers and domain controllers in different regions?
    • Which resources are local and which are regionalized?
  • For deployments where your primary source for group mappings is an Active Directory server:
    • If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. Add up to four domain controllers to the LDAP server profile for redundancy.
    • If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile to connect to the root domain controllers using LDAPS on port 636. If you do not use TLS, use port 389. This helps ensure that user and group information is available for all domains and subdomains.
    • If you do not have Universal Groups and you have multiple domains or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
  • To create a custom group that is not already available in your LDAP Directory, use user attributes to create custom groups.
  • Determine what format (for example, email address, UPN, or sAMAccountName) to use for the Primary Username. The primary username identifies users in user-based security policy rules, logs, and reports. If your User-ID sources send usernames in different formats, specify those usernames as alternative attributes. Ensure that the primary username, alternative username, and email attribute are unique for each user.
  • Ensure that usernames and group attributes are unique for all users and groups within each domain.
  • Ensure the group mapping configurations do not contain overlapping groups if you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server. For example, the Include list for one group mapping configuration cannot contain a group that is also in a different group mapping configuration.
  • Retrieve only the groups you will use in your group-based security policy and configuration by using the group include list or applying a custom search filter.
  • Evaluate how frequently groups change in your directories to determine the optimal Update Interval value for your Group Mapping profile. For example, if your groups change frequently, configure a smaller value; if they are usually static, enter a larger value.
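The uniqueness and overlap checks described in the planning list above, as an added example (not Palo Alto Networks code): the user records and the two Include lists are constructed sample data, and the function names are assumptions. It flags a username format that collides across forests and a group that appears in two group mapping configurations sharing the same base DN.

```python
"""Pre-deployment sanity checks for User-ID group mapping inputs (added example)."""
from collections import defaultdict

# Constructed sample of user objects, as an LDAP export of two forests might return them.
USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example", "mail": "jdoe@corp.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example", "mail": "asmith@corp.example"},
    # Same sAMAccountName in a second forest: unusable as a Primary Username across both.
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@dev.example", "mail": "john.doe@dev.example"},
]

# Constructed Include lists for two group mapping configurations that use the same base DN.
INCLUDE_LISTS = {
    "gm-finance": ["cn=finance,ou=groups,dc=corp,dc=example",
                   "cn=vpn-users,ou=groups,dc=corp,dc=example"],
    "gm-engineering": ["cn=engineering,ou=groups,dc=corp,dc=example",
                       "cn=vpn-users,ou=groups,dc=corp,dc=example"],
}


def duplicate_values(users, attribute):
    """Return values of `attribute` shared by more than one user (compared case-insensitively)."""
    counts = defaultdict(int)
    for user in users:
        value = user.get(attribute)
        if value:
            counts[value.lower()] += 1
    return sorted(value for value, n in counts.items() if n > 1)


def check_primary_username_candidates(users):
    """Map each candidate Primary Username format to the values that are not unique."""
    return {attr: duplicate_values(users, attr)
            for attr in ("sAMAccountName", "userPrincipalName", "mail")}


def overlapping_groups(include_lists):
    """Return {group DN: [config names]} for groups listed in more than one configuration."""
    owners = defaultdict(list)
    for config, groups in include_lists.items():
        for group in groups:
            owners[group.lower()].append(config)
    return {group: configs for group, configs in owners.items() if len(configs) > 1}


if __name__ == "__main__":
    print(check_primary_username_candidates(USERS))
    print(overlapping_groups(INCLUDE_LISTS))
```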

Deploy Group Mapping Using Best Practices for User-ID

  • To access on-premises or cloud-based directory information for user identification and security policy enforcement, use the Cloud Identity Engine to simplify the retrieval of group mapping information from multiple sources, especially cloud-based directories.
  • If you’re using the same groups across virtual systems in your security policy, configure a virtual system as a hub to share group mappings across virtual systems. This allows you to configure one virtual system to provide the mappings to the other systems instead of configuring the mappings on each virtual system and maximizes the number of available mappings.
  • Use the Group Include List to limit policy rules to specific groups. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition). If you don't have a group readily available in your LDAP Directory, you can use user attributes to create custom groups on the firewall. Ensure that attributes used to form custom groups are indexed attributes on the directory.
  • If you are using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.

Use Group Mapping Post-Deployment Best Practices for User-ID

  • To confirm connectivity to the LDAP server, use the show user group-mapping state all CLI command.
  • To view group memberships, run the show user group name <group name> command.
  • To ensure that the firewall can match users to the correct policy and grant appropriate resource access, confirm that users who need policy-based access belong to the group assigned to the policy. To verify which groups you can currently use in policy rules, use the show user group CLI command.
  • If you make changes to group mapping, refresh the cache manually. To manually refresh the cache, run the debug user-id refresh group-mapping all command.