Enable Group Mapping
Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based on group membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as group mapping.
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:
- Create an LDAP Server Profile that specifies how
to connect to the directory servers to which the firewall should
connect to obtain group mapping information.
- Select DeviceServer ProfilesLDAP and click Add.
- Enter a Profile Name to identify the server profile.
- If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
- For each LDAP server (up to four), Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
- Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
- If you want the device to use SSL or TLS for a more
secure connection with the directory server, select the Require
SSL/TLS secured connection check box (it is selected by
default). The protocol that the device uses depends on the server Port:
- 389 (default)—TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
- Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
- For additional security, you can select the Verify
Server Certificate for SSL sessions check box (it is
cleared by default) so that the device verifies the certificate
that the directory server presents for SSL/TLS connections. To enable
verification, you also have to select the Require SSL/TLS
secured connection check box. For verification to succeed,
the certificate must meet one of the following conditions:
- It is in the list of device certificates: DeviceCertificate ManagementCertificatesDevice Certificates. Import the certificate into the device, if necessary.
- The certificate signer is in the list of trusted certificate authorities: DeviceCertificate ManagementCertificatesDefault Trusted Certificate Authorities.
- Click OK.
- Add the LDAP server profile to the User-ID Group Mapping
- Select DeviceUser IdentificationGroup Mapping Settings and click Add.
- Enter a Name for the configuration.
- Select the Server Profile you just created.
- Make sure the Enabled check box is selected.
- (Optional) Limit which groups can be selected in policy
rules.By default, if you don’t specify groups, all groups are available in policy rules.
- Add existing groups from the directory service:
- Select the Group Include List tab.
- In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon .
- If you want to base policy rules on user attributes
that don’t match existing user groups, create custom groups based
on LDAP filters:
- Select the Custom Group tab and click Add.
- Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
- Specify an LDAP Filter of up to 2,048 UTF-8 characters, then click OK. The firewall doesn’t validate LDAP filters.To optimize LDAP searches and minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
- Add existing groups from the directory service:
- Commit your changes.Click OK and Commit.
Device > Server Profiles > LDAP
Device > Server Profiles > LDAP Device > Server Profiles > LDAP Panorama > Server Profiles > LDAP Select Device > Server Profiles > LDAP ...
Device > User Identification > Group Mapping Settings
Device > User Identification > Group Mapping Settings To base security policies on user or group, the firewall must retrieve the list of groups and ...
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to ...
Set Up External Authentication
Set Up External Authentication The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported ...
User Group Capacity Increase
User Group Capacity Increase On PA-5060 and PA-7000 Series firewalls that are configured without multiple virtual systems (feature is disabled), you can now base policies ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Device > User Identification > User Mapping
Device > User Identification > User Mapping Configure the PAN-OS integrated User-ID agent that runs on the firewall to collect user mapping information. What do ...
Remote Access VPN (Authentication Profile)
Remote Access VPN (Authentication Profile) In the Figure: GlobalProtect VPN for Remote Access , the GlobalProtect portal and gateway are configured on ethernet1/2, so this ...
Device > User Identification > User-ID Agents
Device > User Identification > User-ID Agents The firewall can receive user mappings from Windows-based User-ID agents or from other firewalls serving as User-ID agents. ...