Enable Group Mapping
Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based ongroup membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:
- Create an LDAP Server Profile that specifies how to connect to the directory servers to which the firewall should connect to obtain group mapping information.
- Selectand clickDeviceServer ProfilesLDAPAdd.
- Enter aProfile Nameto identify the server profile.
- If this profile is for a firewall with multiple virtual systems capability, select a virtual system orSharedas theLocationwhere the profile is available.
- For each LDAP server (up to four),Addand enter aName(to identify the server), server IP address (LDAP Serverfield), and serverPort(default 389).
- Select the serverTypefrom the drop-down:active-directory,e-directory,sun, orother.
- If you want the device to use SSL or TLS for a more secure connection with the directory server, select theRequire SSL/TLS secured connectioncheck box (it is selected by default). The protocol that the device uses depends on the serverPort:
- Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
- For additional security, you can select theVerify Server Certificate for SSL sessionscheck box (it is cleared by default) so that the device verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you also have to select theRequire SSL/TLS secured connectioncheck box. For verification to succeed, the certificate must meet one of the following conditions:
- It is in the list of device certificates:Import the certificate into the device, if necessary.DeviceCertificate ManagementCertificatesDevice Certificates.
- The certificate signer is in the list of trusted certificate authorities:.DeviceCertificate ManagementCertificatesDefault Trusted Certificate Authorities
- Add the LDAP server profile to the User-ID Group Mapping configuration.
- Selectand clickDeviceUser IdentificationGroup Mapping SettingsAdd.
- Enter aNamefor the configuration.
- Select theServer Profileyou just created.
- Make sure theEnabledcheck box is selected.
- (Optional) Limit which groups can be selected in policy rules.By default, if you don’t specify groups, all groups are available in policy rules.
- Add existing groups from the directory service:
- Select theGroup Include Listtab.
- In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon .
- If you want to base policy rules on user attributes that don’t match existing user groups, create custom groups based on LDAP filters:
- Select theCustom Grouptab and clickAdd.
- Enter a groupNamethat is unique in the group mapping configuration for the current firewall or virtual system. If theNamehas the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
- Specify anLDAP Filterof up to 2,048 UTF-8 characters, then clickOK. The firewall doesn’t validate LDAP filters.To optimize LDAP searches and minimize the performance impact on the LDAP directory server, use indexed attributes and reduce the search scope to include the user and group objects that you require for policy or visibility. Alternatively, you can create custom groups based on LDAP filters.
- Commit your changes.ClickOKandCommit.