1. Home
    2. PAN-OS
    3. PAN-OS® Administrator's Guide
    4. User-ID
    5. Map Users to Groups

    Map Users to Groups

    Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
    • VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups
    • VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups
    Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.
    The following are best practices for group mapping in an Active Directory (AD) environment:
    • If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add up to four domain controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four domain controllers for a single domain by adding multiple group mapping configurations for that domain.
    • If you have multiple domains and/or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
    • If you have Universal Groups, create an LDAP server profile to connect to the Global Catalog server.
    1. Add an LDAP server profile.
      The profile defines how the firewall connects to the directory servers from which it collects group mapping information.
      1. Select
        Device
        Server Profiles
        LDAP
         and
        Add
         a server profile.
      2. Enter a
        Profile Name
         to identify the server profile.
      3. Add
         the LDAP servers. You can add up to four servers to the profile but they must be the same
        Type
        . For each server, enter a
        Name
         (to identify the server),
        LDAP Server
         IP address or FQDN, and server
        Port
         (default 389).
      4. Select the server
        Type
        .
        Based on your selection (such as
        active-directory
        ), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
      5. For the
        Base DN
        , enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to start searching for user and group information.
      6. For the
        Bind DN
        ,
        Password
         and
        Confirm Password
        , enter the authentication credentials for binding to the LDAP tree.
        The
        Bind DN
         can be a fully qualified LDAP name (such as
        cn=administrator,cn=users,dc=acme,dc=local
        ) or a user principal name (such as
        administrator@acme.local
        ).
      7. Enter the
        Bind Timeout
         and
        Search Timeout
         in seconds (default is 30 for both).
      8. Click
        OK
         to save the server profile.
    2. Configure the server settings in a group mapping configuration.
      1. Select
        Device
        User Identification
        Group Mapping Settings
        .
      2. Add
         the group mapping configuration.
      3. Enter a unique
        Name
         to identify the group mapping configuration.
      4. Select the LDAP
        Server Profile
         you just created.
      5. (
        Optional
        ) By default, the
        User Domain
         field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
      6. (
        Optional
        ) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a
        Search Filter
         (LDAP query),
        Object Class
         (group definition),
        Group Name
        , and
        Group Member
        .
      7. (
        Optional
        ) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a
        Search Filter
         (LDAP query),
        Object Class
         (user definition), and
        User Name
        .
      8. (
        Optional
        ) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire™, enter the list of email domains (
        Domain List
        ) in your organization. Use commas to separate multiple domains (up to 256 characters).
        After you click
        OK
         (later in this procedure), PAN-OS automatically populates the
        Mail Attributes
         based on the type of LDAP server specified in the
        Server Profile
        . When a match occurs, the username in the WildFire log email header section will contain a link that opens the
        ACC
         tab, filtered by user or user group.
      9. Make sure the group mapping configuration is
        Enabled
         (default is enabled).
    3. Limit which groups will be available in policy rules.
      Required only if you want to limit policy rules to specific groups. The combined maximum for the
      Group Include List
       and
      Custom Group
       list is 640 entries per group mapping configuration. Each entry can be a single group or a list of groups. By default, if you don’t specify groups, all groups are available in policy rules.
      Any custom groups you create will also be available in the Allow List of authentication profiles (Configure an Authentication Profile and Sequence).
      1. Add existing groups from the directory service:
        1. Select
          Group Include List
          .
        2. Select the Available Groups you want to appear in policy rules and add ( add_icon.png ) them to the Included Groups.
      2. If you want to base policy rules on user attributes that don’t match existing user groups, create custom groups based on LDAP filters:
        1. Select
          Custom Group
           and
          Add
           the group.
        2. Enter a group
          Name
           that is unique in the group mapping configuration for the current firewall or virtual system.
          If the
          Name
           has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (such as in policies and logs).
        3. Specify an
          LDAP Filter
           of up to 2,048 UTF-8 characters and click
          OK
          .
          The firewall doesn’t validate LDAP filters, so it’s up to you to ensure they are accurate.
          To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
      3. Click
        OK
         to save your changes.
        A commit is necessary before custom groups will be available in policies and objects.
    4. Commit
       your changes.
      A commit is necessary before you can use custom groups in policies and objects.
      After configuring the firewall to retrieve group mapping information from an LDAP server, but before configuring policies based on the groups it retrieves, the best practice is to either wait for the firewall to refresh its group mappings cache or refresh the cache manually. To verify which groups you can currently use in policies, access the firewall CLI and run the
      show user group
       command. To determine when the firewall will next refresh the group mappings cache, run the
      show user group-mapping statistics
       command and check the
      Next Action
      . To manually refresh the cache, run the
      debug user-id refresh group-mapping all
       command.

    Related Documentation

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo