Device > User Identification > Group Mapping Settings
To base security policies and reports on users and user groups, the firewall retrieves the list of groups and the corresponding list of members specified and maintained on your directory servers. The firewall supports a variety of LDAP directory servers, including the Microsoft Active Directory (AD), the Novell eDirectory, and the Sun ONE Directory Server.
The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
- VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups
- VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups
Before creating a group mapping configuration, you must configure an LDAP server profile (Device > Server Profiles > LDAP).
The complete procedure to map usernames to groups requires additional tasks besides creating group mapping configurations.
Click Add and complete the following fields to create a group mapping configuration. To remove a group mapping configuration, select and Delete it. If you want to disable a group mapping configuration without deleting it, edit the configuration and clear the Enabled option.
Group Mapping Settings—Server Profile
DeviceUser IdentificationGroup Mapping Settings
Enter a name to identify the group mapping configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
DeviceUser IdentificationGroup Mapping SettingsServer Profile
Select the LDAP server profile to use for group mapping on this firewall.
Specify the interval in seconds after which the firewall will initiate a connection with the LDAP directory server to obtain any updates that were made to the groups that firewall policies use (range is 60 to 86,400).
By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS name.
This field only affects the usernames and group names retrieved from the LDAP source. To override the domain associated with a username for user authentication, configure the User Domain and Username Modifier for the authentication profile you assign to that user (see Device > Authentication Profile).
When the firewall receives a WildFire™ log for a malicious email, the email recipient information in the log is matched against user mapping information from the User-ID agent. The log contains a link to the user that, when clicked, displays the ACC filtered by the user. If the email is sent to a distribution list, the ACC is filtered by the members contained in the list.
The email header and user mapping information will help you quickly track and thwart threats that arrive through email by making it easier to identify the users who received the email.
Select this option to enable server profile for group mapping.
DeviceUser IdentificationGroup Mapping SettingsGroup Include List
Use these fields to limit the number of groups that the firewall displays when you create a security rule. Browse the LDAP tree to find the groups you want to use in rules. To include a group, select it in the Available Groups list and Add ( ) it. To remove a group from the list, select it in the Included Groups list and Delete ( ) it.
The combined maximum for the Included Groups and Custom Group lists is 640 entries for each group mapping configuration.
DeviceUser IdentificationGroup Mapping SettingsCustom Group
Create custom groups based on LDAP filters so that you can base firewall policies on user attributes that don’t match existing user groups in the LDAP directory.
The User-ID service maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing Active Directory group domain name, the firewall uses the custom group in all references to that name (for example, in policies and logs). To create a custom group, click Add and configure the following fields:
Use only indexed attributes in the filter to expedite LDAP searches and minimize the performance impact on the LDAP directory server; the firewall does not validate LDAP filters.
The combined maximum for the Included Groups and Custom Group lists is 640 entries.
To delete a custom group, select and Delete it. To make a copy of a custom group, select and Clone it, and edit the fields as appropriate.
After adding or cloning a custom group, you must Commit your changes before your new custom group is available in policies and objects.
Map Users to Groups
Map Users to Groups Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the ...
Group Mapping To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and ...
Enable Group Mapping
Enable Group Mapping Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, ...
Configure User-ID for Numerous Mapping Information Sources
Configure User-ID for Numerous Mapping Information Sources Configure Windows Log Forwarding on the member servers that will collect login events. Configure Windows Log Forwarding . ...
Include User-ID Information in WildFire Logs and Reports
Include User-ID Information in WildFire Logs and Reports Enable the firewall to match User-ID information with email header information, so that the User-ID for the ...
Enable Policy for Users with Multiple Accounts
Enable Policy for Users with Multiple Accounts If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Enable User-ID The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each ...
Set Up LDAP Authentication
Set Up LDAP Authentication LDAP is often used by organizations as a central repository for user information and as an authentication service. It can also ...