Map Users to Groups
Defining policy rules based on user group membership rather than individual users simplifies administration because you don’t have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model. For more information, refer to the Compatibility Matrix.
The following are best practices for group mapping in an Active Directory (AD) environment:
- If you have a single domain, you need only one group mapping configuration with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add up to four domain controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four domain controllers for a single domain by adding multiple group mapping configurations for that domain.
- If you have multiple domains and/or multiple forests, you must create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
- If you have Universal Groups, create an LDAP server profile to connect to the Global Catalog server.
- Before using group mapping, configure aPrimary Usernamefor user-based security policies, since this attribute will identify users in the policy configuration, logs, and reports.
- Add an LDAP server profile.The profile defines how the firewall connects to the directory servers from which it collects group mapping information.
- SelectandDeviceServer ProfilesLDAPAdda server profile.
- Enter aProfile Nameto identify the server profile.
- Addthe LDAP servers. You can add up to four servers to the profile but they must be the sameType. For each server, enter aName(to identify the server),LDAP ServerIP address or FQDN, and serverPort(default 389).
- Select the serverType.Based on your selection (such asactive-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
- For theBase DN, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to start searching for user and group information.
- For theBind DN,PasswordandConfirm Password, enter the authentication credentials for binding to the LDAP tree.TheBind DNcan be a fully qualified LDAP name (such ascn=administrator,cn=users,dc=acme,dc=local) or a user principal name (such firstname.lastname@example.org).
- Enter theBind TimeoutandSearch Timeoutin seconds (default is 30 for both).
- ClickOKto save the server profile.
- Configure the server settings in a group mapping configuration.
- Select.DeviceUser IdentificationGroup Mapping Settings
- Addthe group mapping configuration.
- Enter a uniqueNameto identify the group mapping configuration.
- Select the LDAPServer Profileyou just created.
- (Optional) By default, theUser Domainfield is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
- (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter aSearch Filter(LDAP query) andObject Class(group definition).
- (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter aSearch Filter(LDAP query), andObject Class(user definition).
- Make sure the group mapping configuration isEnabled(default is enabled).
- (Optional)Define User and Group Attributes to collect for user and group mapping. This step is required if you want to map users based on directory attributes other than the domain.
- If your User-ID sources only send the username and the username is unique across the organization, selectandDeviceUser IdentificationUser MappingSetupEditthe Setup section toAllow matching usernames without domainsto allow the firewall to check if unique usernames collected from the LDAP server during group mapping match the users associated with a policy and avoid overwriting the domain in your source profile.Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes collected by the firewall have a unique prefix. To ensure users are identified correctly if you enable this option, all attributes for group mapping should be unique. If the username is not unique, the firewall logs an error in the Debug logs.
- Selectand enter theDeviceUser IdentificationGroup Mapping SettingsAddUser and Group AttributesUser AttributesDirectory Attributeyou want to collect for user identification. Specify aPrimary Usernameto identify the user on the firewall and to represent the user in reports and logs that will override any other format the firewall receives from the User-ID source.When you select the Server ProfileType, the firewall auto-populates the values for the user and group attributes. Based on the user information that your User-ID sources send, you may need to configure the correct attributes:
AttributeActive DirectoryNovell eDirectory or Sun ONE Directory ServerPrimary UsernamesAMAccountNameuidAlternate Username 1userPrincipalNameNone.Group NamenamecnGroup Membermembermember
- User Principal Name (UPN):userPrincipalName
- NetBios Name:sAMAccountName
- Email ID: Directory attribute for that email
- Multiple formats: Retrieve the user mapping attributes from the user directory before enabling your User-ID sources.
- (Optional)Specify anAlternate Usernameformats.
- Selectand specify theDeviceUser IdentificationGroup Mapping SettingsAddUser and Group AttributesGroup AttributesGroup Name,Group Member, andYou must commit before the firewall collects the directory attributes from the LDAP server.
- Limit which groups will be available in policy rules.Required only if you want to limit policy rules to specific groups. The combined maximum for theGroup Include ListandCustom Grouplist is 640 entries per group mapping configuration. Each entry can be a single group or a list of groups. By default, if you don’t specify groups, all groups are available in policy rules.
- Add existing groups from the directory service:
- SelectGroup Include List.
- Select the Available Groups you want to appear in policy rules and add ( ) them to the Included Groups.
- If you want to base policy rules on user attributes that don’t match existing user groups, create custom groups based on LDAP filters:
- SelectCustom GroupandAddthe group.
- Enter a groupNamethat is unique in the group mapping configuration for the current firewall or virtual system.If theNamehas the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (such as in policies and logs).
- Specify anLDAP Filterof up to 2,048 UTF-8 characters and clickOK.The firewall doesn’t validate LDAP filters, so it’s up to you to ensure they are accurate.To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
- ClickOKto save your changes.You must commit before custom groups will be available in policies and objects.
- Commityour changes.You must commit before you can use custom groups in policies and objects and before the firewall can collect the attributes from the LDAP server.After configuring the firewall to retrieve group mapping information from an LDAP server, but before configuring policies based on the groups it retrieves, the best practice is to either wait for the firewall to refresh its group mappings cache or refresh the cache manually. To verify which groups you can currently use in policies, access the firewall CLI and run theshow user groupcommand. To determine when the firewall will next refresh the group mappings cache, run theshow user group-mapping statisticscommand and check theNext Action. To manually refresh the cache, run thedebug user-id refresh group-mapping allcommand.
- Verify that the user and group mapping has correctly identified users.
- Selectto confirm the firewall has fetched all of the groups.DeviceUser IdentificationGroup MappingGroup Include List
- To verify that all of the user attributes have been correctly captured, use the following CLI command:show user user-attributes user allThe normalized format for the User Principal Name (UPN), primary username, email attributes, and any configured alternate usernames display for all users:admin@PA-VM-8.1> show user user-attributes user allPrimary: nam\sam-user Email: email@example.comAlt User Names:1) nam.com\sam-user2) nam\sam-user-upn3) firstname.lastname@example.org) email@example.com
- Verify that the usernames are correctly displayed in theSource Usercolumn under.MonitorLogsTraffic
- Verify that the users are mapped to the correct usernames in theUser Provided by Sourcecolumn under.MonitorLogsUser-ID
Support for Multiple Username Formats
Multiple username formats are now supported for User-ID sources when you specify the user attributes for the firewall to collect from an LDAP directory. ...
Device > User Identification > Group Mapping Settings
Device > User Identification > Group Mapping Settings To base security policies and reports on users and user groups, the firewall retrieves the list of ...
User-ID Changes in PAN-OS 8.1
In PAN-OS 8.1, usernames are now displayed in their original UPN format and a Primary Username is required. Some User Mapping and Group Mapping options ...
Configure User-ID for Numerous Mapping Information Sources
Configure User-ID for Numerous Mapping Information Sources Configure Windows Log Forwarding on the member servers that will collect login events. Configure Windows Log Forwarding . ...
Group Mapping To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and ...
Enable Group Mapping
Enable Group Mapping Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, ...
Enable Policy for Users with Multiple Accounts
Enable Policy for Users with Multiple Accounts If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Ports Used for User-ID
Ports Used for User-ID User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy ...