Map Users to Groups

Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
  • If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add up to four domain controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four domain controllers for a single domain by adding multiple group mapping configurations for that domain.
  • If you have multiple domains and/or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
  • If you have Universal Groups, create an LDAP server profile to connect to the Global Catalog server.
  1. Add an LDAP server profile.
    The profile defines how the firewall connects to the directory servers from which it collects group mapping information. You can add up to four servers to the profile, but they must be the same Type.
    1. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name.
    2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and Port (default is 389).
    3. Based on your Type selection (for example, active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
    4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to begin its search for user and group information.
    5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password, and Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example, cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example, administrator@acme.local).
    6. Click OK to save the profile.
  2. Configure the server settings in a group mapping configuration.
    1. Select Device > User Identification > Group Mapping Settings.
    2. Select a virtual system (Location) if the firewall has multiple.
    3. Click Add and enter a unique Name to identify the group mapping configuration.
    4. Select the LDAP Server Profile you just created.
    5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
    6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
    7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
    8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire™, enter the list of email domains in your organization in the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256 characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
    9. Make sure the Enabled check box is selected.
  3. Limit which groups will be available in policy rules.
    Required only if you want to limit policy rules to specific groups. By default, if you don’t specify groups, all groups are available in policy rules.
    Any custom groups you create will also be available in the Allow List of authentication profiles.
    1. Add existing groups from the directory service:
      1. Select the Group Include List tab.
      2. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
    2. If you want to base policy rules on user attributes that don’t match existing user groups, create custom groups based on LDAP filters:
      1. Select the Custom Group tab and click Add.
      2. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
      3. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn’t validate LDAP filters, so it’s up to you to ensure they are accurate.
        To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
    3. Click OK to save your changes.
  4. Commit your changes.
    Click Commit. A commit is necessary before you can use custom groups in policies and objects.
    After configuring the firewall to retrieve group mapping information from an LDAP server, but before configuring policies based on the groups it retrieves, you must either wait for the firewall to refresh its group mappings cache or refresh the cache manually. To verify which groups you can currently use in policies, access the firewall CLI and run the show user group command. To determine when the firewall will next refresh the group mappings cache, run the show user group-mapping statistics command and check the Next Action. To manually refresh the cache, run the debug user-id refresh group-mapping all command.
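
Because the firewall accepts a custom-group LDAP Filter without validating it (step 3), a pre-commit check catches typos before they silently produce an empty group or a slow directory search. The following is an added example, not Palo Alto Networks code: it parses RFC 4515 filter syntax, enforces the 2,048-character limit, and reports attributes outside an assumed set of AD-indexed attributes (adjust that set to your own schema).

```python
import re

MAX_FILTER_CHARS = 2048  # limit stated for a PAN-OS custom-group LDAP Filter

# Assumed example set of attributes indexed in a default AD schema;
# verify against your own directory before relying on it.
AD_INDEXED_ATTRS = {"objectclass", "objectcategory", "samaccountname",
                    "userprincipalname", "memberof", "cn", "mail"}

# One filter item: attribute (optionally carrying an AD extensible-match rule,
# e.g. userAccountControl:1.2.840.113556.1.4.803:=2), operator, value.
_ITEM = re.compile(r"([A-Za-z][\w.;:-]*)(=|>=|<=|~=)([^()]*)")


def _parse(text, pos):
    """Parse the filter component starting at text[pos] (must be '(').
    Returns (attributes referenced, position just after the closing ')')."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    attrs = []
    if pos < len(text) and text[pos] in "&|!":
        op, pos, count = text[pos], pos + 1, 0
        while pos < len(text) and text[pos] == "(":   # nested operands
            sub, pos = _parse(text, pos)
            attrs.extend(sub)
            count += 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"operator '{op}' has {count} operand(s) at offset {pos}")
    else:
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"malformed filter item at offset {pos}")
        attrs.append(m.group(1).split(":")[0])  # drop any matching-rule OID
        pos = m.end()
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return attrs, pos + 1


def filter_problems(flt, indexed=AD_INDEXED_ATTRS):
    """Return a list of problems; empty means valid syntax, within the
    length limit, and only indexed attributes referenced."""
    if len(flt) > MAX_FILTER_CHARS:
        return [f"filter is {len(flt)} characters; limit is {MAX_FILTER_CHARS}"]
    try:
        attrs, end = _parse(flt, 0)
        if end != len(flt):
            raise ValueError(f"unexpected text after offset {end}")
    except ValueError as exc:
        return [f"syntax error: {exc}"]
    return [f"attribute '{a}' is not indexed; expect a slow directory search"
            for a in sorted({a for a in attrs if a.lower() not in indexed})]
```

Run filter_problems() on each custom-group filter before you commit; a non-empty list names the offset of the syntax error or the attribute that will force an unindexed search.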

Related Documentation