Map Users to Groups
Next-Generation Firewall Docs
PAN-OS 9.1 (EoL)
Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model. For more information, refer to the Compatibility Matrix.
Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
- If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add up to four domain controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four domain controllers for a single domain by adding multiple group mapping configurations for that domain.
- If you have multiple domains and/or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
- If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile to connect to the root domain controllers on port 389. This helps ensure that user and group information is available for all domains and subdomains.
- Before using group mapping, configure a Primary Username for user-based security policies, since this attribute will identify users in the policy configuration, logs, and reports.
- Add an LDAP server profile. The profile defines how the firewall connects to the directory servers from which it collects group mapping information. If you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server, the group mapping configurations cannot contain overlapping groups (for example, the Include list for one group mapping configuration cannot contain a group that is also in a different group mapping configuration).
  - Select Device > Server Profiles > LDAP and Add a server profile.
  - Enter a Profile Name to identify the server profile.
  - Add the LDAP servers. You can add up to four servers to the profile, but they must be the same Type. For each server, enter a Name (to identify the server), the LDAP Server IP address or FQDN, and the server Port (default 389).
  - Select the server Type. Based on your selection (such as active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
  - For the Base DN, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to start searching for user and group information.
  - For the Bind DN, Password, and Confirm Password, enter the authentication credentials for binding to the LDAP tree. The Bind DN can be a fully qualified LDAP name (such as cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (such as administrator@acme.local).
  - Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
  - Click OK to save the server profile.
- Configure the server settings in a group mapping configuration.
  - Select Device > User Identification > Group Mapping Settings.
  - Add the group mapping configuration.
  - Enter a unique Name to identify the group mapping configuration.
  - Select the LDAP Server Profile you just created.
  - (Optional) Specify the Update Interval (in seconds). Enter a value (range is 60-86400, default is 3600) based on how often the firewall should check the LDAP source for updates to the group mapping configuration. If the LDAP source contains many groups, a value that is too low may not allow enough time to map all the groups.
  - (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. For most configurations, if you need to enter a value, enter the NetBIOS domain name (for example, example, not example.com). If you use Global Catalog, entering a value replaces the domain name for all users and groups from this server, including those from other domains.
  - (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query) and Object Class (group definition).
  - (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query) and Object Class (user definition).
  - Make sure the group mapping configuration is Enabled (default is enabled).
- (Optional) Define User and Group Attributes to collect for user and group mapping. This step is required if you want to map users based on directory attributes other than the domain.
  - If your User-ID sources only send the username and the username is unique across the organization, select Device > User Identification > User Mapping > Setup and Edit the Setup section to Allow matching usernames without domains. This lets the firewall check whether unique usernames collected from the LDAP server during group mapping match the users associated with a policy, without overwriting the domain in your source profile. Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes collected by the firewall have a unique prefix. To ensure users are identified correctly if you enable this option, all attributes for group mapping should be unique. If the username is not unique, the firewall logs an error in the Debug logs.
  - Select Device > User Identification > Group Mapping Settings > Add > User and Group Attributes > User Attributes and enter the Directory Attribute you want to collect for user identification. Specify a Primary Username to identify the user on the firewall and to represent the user in reports and logs; it overrides any other format the firewall receives from the User-ID source. When you select the Server Profile Type, the firewall auto-populates the values for the user and group attributes. Based on the user information that your User-ID sources send, you may need to configure the correct attributes:
    - User Principal Name (UPN): userPrincipalName
    - NetBIOS Name: sAMAccountName
    - Email ID: Directory attribute for that email
    - Multiple formats: Retrieve the user mapping attributes from the user directory before enabling your User-ID sources.
    Attribute             Active Directory     Novell eDirectory or Sun ONE Directory Server
    Primary Username      sAMAccountName       uid
    E-Mail                mail                 mail
    Alternate Username 1  userPrincipalName    None
    Group Name            name                 cn
    Group Member          member               member
  - (Optional) Specify an E-Mail address format and up to three Alternate Username formats.
  - Select Device > User Identification > Group Mapping Settings > Add > User and Group Attributes > Group Attributes and specify the Group Name, Group Member, and E-Mail address formats. You must commit before the firewall collects the directory attributes from the LDAP server.
- Limit which groups will be available in policy rules. Required only if you want to limit policy rules to specific groups. The combined maximum for the Group Include List and Custom Group list is 640 entries per group mapping configuration. Each entry can be a single group or a list of groups. By default, if you don't specify groups, all groups are available in policy rules. Any custom groups you create will also be available in the Allow List of authentication profiles (Configure an Authentication Profile and Sequence).
  - Add existing groups from the directory service:
    - Select Group Include List.
    - Select the Available Groups you want to appear in policy rules and add (
  - If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
    - Select Custom Group and Add the group.
    - Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (such as in policies and logs).
    - Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate. To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
    - Click OK to save your changes. You must commit before custom groups will be available in policies and objects.
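Because the firewall does not validate the custom group filter, it is worth checking it offline before the commit. The following Python script is an added example, not Palo Alto Networks code: it parses a candidate filter against the RFC 4515 grammar (balanced parentheses, valid operators, correctly escaped values) and lists any attribute that falls outside an indexed set. The INDEXED_ATTRIBUTES set, the function names, and the sample filters are constructed for illustration; take the real indexed list from your own directory schema.

```python
"""Syntax and indexing pre-check for an LDAP filter destined for a PAN-OS
custom group. Added example, not Palo Alto Networks code. The
INDEXED_ATTRIBUTES set is an assumption used for illustration only."""
import re

MAX_FILTER_CHARS = 2048  # custom group filter limit stated in the procedure

# Assumption: lower-cased names of attributes that are indexed in the directory.
INDEXED_ATTRIBUTES = {
    "objectclass", "objectcategory", "samaccountname", "userprincipalname",
    "mail", "cn", "name", "distinguishedname", "member", "memberof",
    "displayname", "givenname", "sn",
}

# RFC 4515 attribute description: a name with optional ;options, or a numeric OID.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")
_HEX_PAIR_RE = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    pass


class _Parser:
    # Recursive-descent parser: returns a tuple tree and records attribute names.
    def __init__(self, text):
        self.s, self.i, self.attrs = text, 0, []

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch):
        if self._peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}, found {self._peek()!r}")
        self.i += 1

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise FilterError(f"unexpected text at offset {self.i}")
        return node

    def _filter(self):
        self._expect("(")
        c = self._peek()
        if c in ("&", "|"):  # AND / OR over one or more nested filters
            self.i += 1
            children = []
            while self._peek() == "(":
                children.append(self._filter())
            if not children:
                raise FilterError(f"empty {c!r} list at offset {self.i}")
            node = (c, children)
        elif c == "!":  # NOT over exactly one nested filter
            self.i += 1
            node = ("!", [self._filter()])
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self):
        m = _ATTR_RE.match(self.s, self.i)
        if not m:
            raise FilterError(f"expected an attribute name at offset {self.i}")
        attr = m.group(0)
        self.i = m.end()
        self.attrs.append(attr)
        # Only the bare ":=" extensible form is supported; ":dn" / rule options are not.
        for op in ("~=", ">=", "<=", ":=", "="):
            if self.s.startswith(op, self.i):
                self.i += len(op)
                break
        else:
            raise FilterError(f"expected a comparison operator at offset {self.i}")
        return (op, attr, self._value())

    def _value(self):
        out = []
        while True:
            c = self._peek()
            if c in ("", "("):
                raise FilterError(f"unterminated assertion value at offset {self.i}")
            if c == ")":
                return "".join(out)
            if c == "\\":  # RFC 4515 escapes are a backslash plus exactly two hex digits
                pair = self.s[self.i + 1:self.i + 3]
                if not _HEX_PAIR_RE.fullmatch(pair):
                    raise FilterError(f"bad escape at offset {self.i}; use \\XX with two hex digits")
                out.append(chr(int(pair, 16)))
                self.i += 3
            else:
                out.append(c)
                self.i += 1


def parse_ldap_filter(text):
    """Parse a filter; return (tree, attribute names in order of appearance)."""
    parser = _Parser(text)
    return parser.parse(), parser.attrs


def check_custom_group_filter(text, indexed=INDEXED_ATTRIBUTES):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if len(text) > MAX_FILTER_CHARS:
        findings.append(f"filter is {len(text)} characters; the limit is {MAX_FILTER_CHARS}")
    try:
        _, attrs = parse_ldap_filter(text)
    except FilterError as exc:
        findings.append(f"syntax error: {exc}")
        return findings
    for attr in sorted({a.lower() for a in attrs}):
        if attr not in indexed:
            findings.append(f"attribute {attr!r} is not indexed; expect a full directory scan")
    return findings
```

A filter that fails here would be accepted by the firewall dialog and only show its problem later as an empty or slow custom group, which is why the check belongs before the commit rather than after it.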
- Commit your changes. You must commit before you can use custom groups in policies and objects and before the firewall can collect the attributes from the LDAP server. After configuring the firewall to retrieve group mapping information from an LDAP server, but before configuring policies based on the groups it retrieves, the best practice is to either wait for the firewall to refresh its group mappings cache or refresh the cache manually. To verify which groups you can currently use in policies, access the firewall CLI and run the show user group command. To determine when the firewall will next refresh the group mappings cache, run the show user group-mapping statistics command and check the Next Action. To manually refresh the cache, run the debug user-id refresh group-mapping all command.
- Verify that the user and group mapping has correctly identified users.
  - Select Device > User Identification > Group Mapping > Group Include List to confirm the firewall has fetched all of the groups.
  - To verify that all of the user attributes have been correctly captured, use the following CLI command:
    show user user-attributes user all
    The normalized format for the User Principal Name (UPN), primary username, email attributes, and any configured alternate usernames is displayed for all users:
    admin@PA-VM-8.1> show user user-attributes user all
    Primary: nam\sam-user Email: sam-user@nam.com
    Alt User Names:1) nam.com\sam-user
    2) nam\sam-user-upn
    3) sam-user-upn@nam.local
    4) sam-user@nam.com
  - Verify that the usernames are correctly displayed in the Source User column under Monitor > Logs > Traffic.
  - Verify that the users are mapped to the correct usernames in the User Provided by Source column under Monitor > Logs > User-ID.
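The following Python script is an added example, not PAN-OS code, and covers two of the steps above: it produces the primary, e-mail, and alternate username forms for constructed directory entries in the layout that show user user-attributes user all prints, and it checks whether any bare username (what is left after stripping DOMAIN\ or @domain) belongs to more than one user, which is the condition that must not hold before you enable Allow matching usernames without domains. The way each alternate form is derived from sAMAccountName, userPrincipalName, and mail is inferred from the sample output and is an assumption, as are the sample entries and the function names.

```python
"""Username-form normalization and a uniqueness pre-check for the
"Allow matching usernames without domains" option. Added example, not
PAN-OS code: the entries are constructed, and the derivation of each
alternate form is an assumption inferred from the sample CLI output."""
from collections import defaultdict

# Constructed entries as group mapping would collect them: NetBIOS and DNS
# domain from the LDAP source, plus the Active Directory attributes from
# the attribute table (sAMAccountName, userPrincipalName, mail).
SAMPLE_USERS = [
    {"netbios": "nam", "dns": "nam.com", "sAMAccountName": "sam-user",
     "userPrincipalName": "sam-user-upn@nam.local", "mail": "sam-user@nam.com"},
    {"netbios": "emea", "dns": "emea.acme.local", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@emea.acme.local", "mail": "jdoe@acme.com"},
    # A second forest whose sAMAccountName collides with the EMEA user.
    {"netbios": "apac", "dns": "apac.example.net", "sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@apac.example.net", "mail": "john.doe@example.net"},
]


def normalize_user(entry):
    """Return the primary username, e-mail, and alternate username forms for one entry."""
    sam = entry["sAMAccountName"]
    upn = entry["userPrincipalName"]
    upn_prefix = upn.split("@", 1)[0]
    return {
        "primary": f"{entry['netbios']}\\{sam}",  # Primary Username = sAMAccountName
        "email": entry["mail"],                    # E-Mail = mail
        "alternates": [                            # assumed forms, in the order the CLI lists them
            f"{entry['dns']}\\{sam}",
            f"{entry['netbios']}\\{upn_prefix}",
            upn,                                   # Alternate Username 1 = userPrincipalName
            entry["mail"],
        ],
    }


def bare_username(name):
    """Strip a DOMAIN\\ prefix or @domain suffix; this is what domain-less matching compares on."""
    if "\\" in name:
        return name.rsplit("\\", 1)[1]
    return name.split("@", 1)[0]


def find_ambiguous_usernames(entries):
    """Return {bare_name: [primary, ...]} for bare names owned by more than one user."""
    owners = defaultdict(set)
    for entry in entries:
        forms = normalize_user(entry)
        for form in [forms["primary"], *forms["alternates"]]:
            owners[bare_username(form).lower()].add(forms["primary"])
    return {bare: sorted(users) for bare, users in owners.items() if len(users) > 1}


def safe_to_match_without_domains(entries):
    """True only when no bare username could refer to two different directory users."""
    return not find_ambiguous_usernames(entries)


if __name__ == "__main__":
    for entry in SAMPLE_USERS:
        forms = normalize_user(entry)
        print(f"Primary: {forms['primary']} Email: {forms['email']}")
        for n, alt in enumerate(forms["alternates"], 1):
            print(f"  {n}) {alt}")
    for bare, users in find_ambiguous_usernames(SAMPLE_USERS).items():
        print(f"ambiguous bare username {bare!r} belongs to {users}")
    print("safe to enable matching without domains:", safe_to_match_without_domains(SAMPLE_USERS))
```

Running it on the three constructed entries reports jdoe as owned by both emea\jdoe and apac\jdoe, so enabling the option with that directory would produce the non-unique username error the procedure warns about; run the same check over the real attribute export before you commit.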