Device > User Identification > Group Mapping Settings
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Device > User Identification > Group Mapping Settings
- DeviceUser IdentificationGroup Mapping Settings
To base security policies and reports on users and user groups,
the firewall retrieves the list of groups and the corresponding
list of members specified and maintained on your directory servers.
The firewall supports a variety of LDAP directory servers, including
the Microsoft Active Directory (AD), the Novell eDirectory, and
the Sun ONE Directory Server.
The number of distinct user groups that each firewall or Panorama
can reference across all policies varies by model. Regardless of model, though, you
must configure an LDAP server profile (Device > Server Profiles > LDAP) before
you can create a group mapping configuration.
The complete procedure for
mapping usernames to groups requires additional tasks besides creating
group mapping configurations.
Add and configure the following fields
as needed to create a group mapping configuration. To remove a group
mapping configuration, select and Delete it.
If you want to disable a group mapping configuration without deleting
it, edit the configuration and clear the Enabled option.
If you create multiple group mapping configurations that use
the same base distinguished name (DN) or LDAP server, the group
mapping configurations cannot contain overlapping groups (for example,
the Include list for one group mapping configuration cannot contain
a group that is also in a different group mapping configuration).
Group Mapping Settings—Server
Profile | Configured In | Description |
---|---|---|
Name | DeviceUser IdentificationGroup Mapping Settings | Enter a name to identify the group mapping
configuration (up to 31 characters). The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores. |
Server Profile | DeviceUser IdentificationGroup Mapping SettingsServer Profile | Select the LDAP server profile to use for
group mapping on this firewall. |
Update Interval | Specify the interval in seconds after which
the firewall will initiate a connection with the LDAP directory
server to obtain any updates that were made to the groups that firewall
policies use (range is 60 to 86,400). | |
User Domain | By default, User Domain is
blank: the firewall automatically detects the domain names for Active
Directory servers. If you enter a value, it overrides any domain
names that the firewall retrieves from the LDAP source. Your entry
must be the NetBIOS name. This field affects only the
usernames and group names retrieved from the LDAP source. To override
the domain associated with a username for user authentication, configure
the User Domain and Username Modifier for
the authentication profile you assign to that user (see Device > Authentication Profile). | |
Group Objects |
| |
User Objects |
| |
Enabled | Select this option to enable server profile
for group mapping. | |
Fetch list of managed devices | For GlobalProtect deployments, select this
option to allow the firewall to retrieve serial numbers from a directory
server (such as Active Directory). This enables GlobalProtect to
identify the status of connecting endpoints and enforce HIP-based security
policies based on the presence of the endpoint serial number. | |
User Attributes | Device > User Identification > Group Mapping Settings > User and Group Attributes | Specify the directory attributes to identify
users:
|
Group Attributes | Specify the attributes that the User-ID sources
use to identify groups:
| |
Available Groups | DeviceUser IdentificationGroup Mapping SettingsGroup Include List | Use these fields to limit
the number of groups that the firewall displays when you create
a security rule. Browse the LDAP tree to find the groups you want
to use in rules. To include a group, select and add ( Include
only the groups you need so that the firewall retrieves user group
mappings for only the necessary groups and not for the whole tree from
the LDAP directory. |
Included Groups | ||
Name | DeviceUser IdentificationGroup Mapping SettingsCustom Group | Create custom groups based
on LDAP filters so that you can base firewall policies on user attributes
that don’t match existing user groups in the LDAP directory. The
User-ID service maps all the LDAP directory users who match the
filter to the custom group. If you create a custom group with the
same Distinguished Name (DN) as an existing Active Directory group
domain name, the firewall uses the custom group in all references
to that name (for example, in policies and logs). To create a custom
group, Add and configure the following fields:
Use only indexed
attributes in the filter to expedite LDAP searches and minimize
the performance impact on the LDAP directory server; the firewall
does not validate LDAP filters. The combined maximum
for the Included Groups and Custom
Group lists is 640 entries. To delete a custom
group, select and Delete it. To make a copy
of a custom group, select and Clone it and
then edit the fields as appropriate. After
adding or cloning a custom group, you must Commit your changes
before your new custom group is available in policies and objects. |
LDAP Filter |