Cloud Managed
Learn how to configure dynamic user groups and use them for policy enforcement.
  1. Select Manage > NGFW and Prisma Access > Objects > Dynamic User Groups and Add Dynamic User Group.
  2. Define the membership of the dynamic user group.
    1. Enter a Name for the group.
    2. (Optional) Enter a Description for the group.
    3. Add Match Criteria using dynamic tags to define the members in the dynamic user group.
    4. (Optional) Use the AND or OR operators with the tag(s) that you want to filter for or match against. Negation is not supported.
    5. (Optional) Select the Tags you want to assign to the group itself. This tag displays in the Tags column in the Dynamic User Group list and defines the dynamic group object, not the members in the group.
    6. Select Save and Push Config to commit and push your changes. If you update the user group object filter, you must commit the changes to update the configuration.
  3. Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
    • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
    • For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
  4. (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-4320).
  5. Use the dynamic user group in a policy to regulate traffic for the members of the group.
    You will need to create at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent. To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
    1. Select the dynamic user group from Step 1 as the Source User.
    2. Create the rule where the Action denies traffic to the dynamic user group members.
    3. Create the rule that allows the traffic to populate the dynamic user group members.
    4. If you configured a Log Forwarding profile in Step 3, select it to add it to the policy.
    5. Commit your changes.
  6. (Optional) Refine the group’s membership and define the registration source for the user-to-tag mapping updates.
    If the initial user-to-tag mapping retrieves users who should not be members or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
    1. In the Users column, select more.
    2. Register Users to add them to the group and select the Registration Source for the tags and user-to-tag mappings.
      • Local (Default)—Register the tags and mappings for the dynamic user group members locally on your device.
      • Panorama User-ID Agent—Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
      • Remote device User-ID Agent—Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
    3. Select the Tags you want to register on the source using the tag(s) you used to configure the group.
    4. (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
    5. Add or Delete users as necessary.
    6. (Optional) Unregister Users to remove their tags and user-to-tag mappings.
  7. Verify that the users in the dynamic user group are populated correctly.
    1. Confirm that the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
    2. Use the show user group list dynamic command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
    3. Use the show object registered-user all command to display a list of users who are registered members of dynamic user groups.
    4. Use the show user group name <group-name> command to display information about the dynamic user group, such as the source type.
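A small Python model of the membership and rule-ordering behaviour described in Steps 2, 4 and 5, added here as an illustration (it is not Palo Alto Networks code and not part of this page). It evaluates AND/OR tag criteria without negation, applies first-match rule ordering, and shows why the tagging allow rule must sit after the deny rule; the tag name, rule names, user and timeout values are constructed, and the log forwarding profile's auto-tag action is modelled as an attribute on the allow rule.

```python
# Added example, not Palo Alto Networks code: a minimal model of tag-based
# dynamic user group (DUG) membership and first-match rule evaluation.
# Assumptions: the log forwarding profile's auto-tag action is modelled as an
# "auto_tag" attribute on the allow rule, and Timeout as a per-tag expiry.

def register(store, user, tag, now, timeout=0):
    """Record a user-to-tag mapping; expiry is None (never) or an absolute minute."""
    store.setdefault(user, {})[tag] = None if timeout == 0 else now + timeout

def active_tags(store, user, now):
    """Tags on `user` that have not timed out at minute `now`."""
    return {t for t, exp in store.get(user, {}).items() if exp is None or now < exp}

def dug_matches(criteria, user_tags):
    """Match criteria: ("tag", name), ("and", [...]) or ("or", [...]).
    Negation is not supported, mirroring the product's filter syntax."""
    kind, arg = criteria
    if kind == "tag":
        return arg in user_tags
    if kind == "and":
        return all(dug_matches(c, user_tags) for c in arg)
    if kind == "or":
        return any(dug_matches(c, user_tags) for c in arg)
    raise ValueError(f"unsupported operator: {kind}")

def evaluate(rules, user, store, now):
    """Lowest rule number first; first match wins. Returns (name, action)."""
    tags = active_tags(store, user, now)
    for rule in rules:
        group = rule.get("source_group")  # DUG criteria, or None for any user
        if group is None or dug_matches(group, tags):
            if rule.get("auto_tag"):      # tag the user when this rule fires
                register(store, user, rule["auto_tag"], now, rule.get("timeout", 0))
            return rule["name"], rule["action"]
    return "default", "deny"

def simulate(rules, user, minutes):
    """Action applied to `user` at each minute, starting from an empty store."""
    store = {}
    return [evaluate(rules, user, store, m)[1] for m in minutes]

SUSPICIOUS = ("tag", "suspicious")  # constructed tag name
# Step 5 pattern: the deny rule is numbered before the allow rule that tags users.
RULES_OK = [
    {"name": "deny-tagged", "source_group": SUSPICIOUS, "action": "deny"},
    {"name": "allow-and-tag", "source_group": None, "action": "allow",
     "auto_tag": "suspicious", "timeout": 10},
]
RULES_WRONG_ORDER = list(reversed(RULES_OK))  # allow first: deny never fires
```

With the correct ordering the first flow is allowed and tags the user, later flows are denied until the Timeout expires; with the rules reversed the allow rule always wins and the deny rule never fires.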

