To create a dynamic user group, select Objects > Dynamic User Groups, Add a
new dynamic user group, and then configure the following settings:
| Dynamic User Group Settings | Description |
|---|---|
| Name | Enter a Name that describes the dynamic user group (up to 63 characters). This name appears in the source user list when defining Security policy rules. The name must be unique and use only alphanumeric characters, spaces, hyphens, and underscores. |
| Description | Enter a Description for the object (up to 1,023 characters). |
| Shared (Panorama only) | Select this option if you want the match criteria of the dynamic user group to be available to every device group on Panorama. Panorama does not share the members of the group with device groups. If you clear this option, the match criteria of the dynamic user group are available only to the Device Group selected in the Objects tab. |
| Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this dynamic user group in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object. |
| Match | Add Match Criteria to define the members in the dynamic user group using the AND or OR operators to include multiple tags. Negation is not supported. When you Add Match Criteria, only existing tags display. You can select an existing tag or create new tags. |
| Tags | (Optional) Select or enter the static object tags that you want to apply to the dynamic user group object. This tags the dynamic user group object itself, not the members in the group. The tags you select allow you to group related items and are not related to the match criteria. For information on tags, see Objects > Tags. |
After you add a dynamic user group, you can view the following
information for the group:
| Dynamic User Groups Column | Description |
|---|---|
| Location (Panorama only) | Identifies whether the match criteria for the dynamic user group are available to every device group on Panorama (Shared) or to the selected device group. |
| Users | Select more to see the list of users in the dynamic user group. To add tags to users for inclusion in the group, Register Users, then select the Registration Source and the Tags you want to apply to the user. When the user’s tags match the criteria for the group, the firewall adds the user to the dynamic user group. (Optional) Specify a Timeout in minutes (default is 0; range is 0 to 43,200) to remove users from the group when the specified time expires. (Optional) Add Users to the group or Delete users from the group. To remove tags from users and prevent them from becoming members of the group, select the users, and Unregister Users, and then select Registration Source and Tags. |
When done reviewing or modifying the dynamic user group list
of users, click Close.
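
The following Python model is an added example, not Palo Alto Networks code: it shows how AND/OR match criteria and per-tag timeouts combine to decide group membership, so criteria can be checked offline against a planned tagging scheme. The quoted-tag syntax, AND binding tighter than OR, treating a timeout of 0 as no expiry, and all function names are assumptions made for illustration.

```python
import re

def tokenize(criteria):
    out = []
    for t in re.findall(r"'[^']+'|[()]|[^\s()]+", criteria):
        if len(t) > 2 and t[0] == t[-1] == "'":
            out.append(("tag", t[1:-1]))
        elif t.lower() in ("and", "or", "(", ")"):
            out.append(("op", t.lower()))
        else:  # includes "not" and "!": negation is not supported
            raise ValueError(f"unsupported token {t!r}")
    return out + [("end", None)]  # sentinel keeps index checks simple

def matches(criteria, tags):
    toks, i = tokenize(criteria), 0
    def atom():
        nonlocal i
        kind, val = toks[i]
        i += 1
        if kind == "tag":
            return val in tags
        if val != "(":
            raise ValueError(f"expected a tag or '(' but found {val!r}")
        res = chain("or", conj)
        if toks[i] != ("op", ")"):
            raise ValueError("missing ')'")
        i += 1
        return res
    def chain(op, operand):
        nonlocal i
        vals = [operand()]
        while toks[i] == ("op", op):
            i += 1
            vals.append(operand())
        return all(vals) if op == "and" else any(vals)
    def conj():  # assumption: AND binds tighter than OR
        return chain("and", atom)
    res = chain("or", conj)
    if toks[i][0] != "end":
        raise ValueError("unexpected trailing tokens")
    return res

def is_member(criteria, registrations, now_min):
    """registrations: (tag, registered_at_min, timeout_min); timeout 0 = no expiry (assumption)."""
    if any(not 0 <= t <= 43_200 for _, _, t in registrations):  # range stated on the page
        raise ValueError("timeout outside 0..43200 minutes")
    live = {tag for tag, start, t in registrations if t == 0 or now_min < start + t}
    return matches(criteria, live)

SAMPLE = [("compromised", 0, 60), ("contractor", 0, 0)]  # constructed tag registrations
```

With `SAMPLE`, the user satisfies `'compromised' and ('contractor' or 'byod')` at minute 30 and drops out of the group at minute 60, when the `compromised` tag times out.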