Enable Group Mapping

Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based ongroup_membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as
group mapping
.
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:
  1. Create an LDAP Server Profile that specifies how to connect to the directory servers to which the firewall should connect to obtain group mapping information.
    1. Select
      Device
      Server Profiles
      LDAP
      and click
      Add
      .
    2. Enter a
      Profile Name
      to identify the server profile.
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or
      Shared
      as the
      Location
      where the profile is available.
    4. For each LDAP server (up to four),
      Add
      and enter a
      Name
      (to identify the server), server IP address (
      LDAP Server
      field), and server
      Port
      (default 389).
    5. Select the server
      Type
      from the drop-down:
      active-directory
      ,
      e-directory
      ,
      sun
      , or
      other
      .
    6. If you want the device to use SSL or TLS for a more secure connection with the directory server, select the
      Require SSL/TLS secured connection
      check box (it is selected by default). The protocol that the device uses depends on the server
      Port
      :
      • 389 (default)—TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
    7. For additional security, you can select the
      Verify Server Certificate for SSL sessions
      check box (it is cleared by default) so that the device verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you also have to select the
      Require SSL/TLS secured connection
      check box. For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of device certificates:
        Device
        Certificate Management
        Certificates
        Device Certificates.
        Import the certificate into the device, if necessary.
      • The certificate signer is in the list of trusted certificate authorities:
        Device
        Certificate Management
        Certificates
        Default Trusted Certificate Authorities
        .
    8. Click
      OK
      .
  2. Add the LDAP server profile to the User-ID Group Mapping configuration.
    1. Select
      Device
      User Identification
      Group Mapping Settings
      and then
      Add
      a new group mapping configuration.
    2. Select
      Server Profile
      .
    3. Enter a
      Name
      for the group mapping configuration.
    4. Select the
      Server Profile
      you just created.
    5. Specify the
      Update Interval
      (in seconds) after which the firewall initiates a connection with the LDAP directory server to obtain any updates that are made to the groups that the firewall policies use (range of 60 to 86,400 seconds).
    6. Make sure the server profile is
      Enabled
      for group mapping.
  3. (
    Optional
    ) Enable GlobalProtect to retrieve serial numbers from the directory server.
    GlobalProtect can identify the status of connecting endpoints and enforce HIP-based security policies based on the presence of the endpoint serial number. If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server. The firewall can then pre-fetch the serial numbers for these managed endpoints when it retrieves group mapping information from the directory server.
    1. From your group mapping configuration, select
      Server Profile
      .
    2. Enable the option to
      Fetch list of managed devices
      .
  4. (
    Optional
    ) Specify attributes to identify users and user groups.
    1. From your group mapping configuration, select
      User and Group Attributes
      .
    2. In the User Attributes area, specify the
      Primary Username
      ,
      E-Mail
      , and
      Alternate Username 1-3
      used to identify individual users.
    3. In the Group Attributes area, specify the
      Group Name
      ,
      Group Member
      , and
      E-Mail
      used to identify user groups.
  5. (
    Optional
    ) Limit which groups can be selected in policy rules.
    By default, if you don’t specify groups, all groups are available in policy rules.
    1. Add existing groups from the directory service:
      1. From your group mapping configuration, select
        Group Include List
        .
      2. In the Available Groups list, select the groups you want to appear in policy rules, and then click the Add ( add_icon.png ) icon to move the group to the Included Groups list.
    2. If you want to base policy rules on user attributes that don’t match existing user groups, create custom groups based on LDAP filters:
      1. From your group mapping configuration, select
        Custom Group
        .
      2. Add
        a new custom group.
      3. Enter a group
        Name
        that is unique in the group mapping configuration for the current firewall or virtual system. If the
        Name
        has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
      4. Specify an
        LDAP Filter
        of up to 2,048 UTF-8 characters, then click
        OK
        . The firewall doesn’t validate LDAP filters.
        To optimize LDAP searches and minimize the performance impact on the LDAP directory server, use indexed attributes and reduce the search scope to include the user and group objects that you require for policy or visibility. Alternatively, you can create custom groups based on LDAP filters.
  6. Commit your changes.
    Click
    OK
    and
    Commit
    .

Related Documentation