End-of-Life (EoL)
Device > User Identification > Group Mapping Settings
To base security policies and reports on users and user
groups, the firewall retrieves the list of groups and the corresponding
list of members specified and maintained on your directory servers.
The firewall supports a variety of LDAP directory servers, including
the Microsoft Active Directory (AD), the Novell eDirectory, and
the Sun ONE Directory Server.
The number of distinct user groups that each firewall or Panorama
can reference across all policies varies by model.
Before creating a group mapping configuration, you must configure
an LDAP server profile (Device > Server Profiles > LDAP).
The complete procedure to
map usernames to groups requires additional tasks besides creating
group mapping configurations.
Click Add and complete the following fields to create a group mapping configuration. To remove a group mapping configuration, select and Delete it. If you want to disable a group mapping configuration without deleting it, edit the configuration and clear the Enabled option.

If you create multiple group mapping configurations that use the same base distinguished name (DN) or LDAP server, the group mapping configurations cannot contain overlapping groups (for example, the Include list for one group mapping configuration cannot contain a group that is also in a different group mapping configuration).
Group Mapping Settings—Server Profile | Configured In | Description
---|---|---
Name | Device > User Identification > Group Mapping Settings | Enter a name to identify the group mapping configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Server Profile | Device > User Identification > Group Mapping Settings > Server Profile | Select the LDAP server profile to use for group mapping on this firewall.
Update Interval | Device > User Identification > Group Mapping Settings > Server Profile | Specify the interval in seconds after which the firewall initiates a connection with the LDAP directory server to obtain any updates that were made to the groups that firewall policies use (range is 60 to 86,400).
User Domain | Device > User Identification > Group Mapping Settings > Server Profile | By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS name. This field affects only the usernames and group names retrieved from the LDAP source. To override the domain associated with a username for user authentication, configure the User Domain and Username Modifier for the authentication profile you assign to that user (see Device > Authentication Profile).
Group Objects | Device > User Identification > Group Mapping Settings > Server Profile |
User Objects | Device > User Identification > Group Mapping Settings > Server Profile |
Enabled | Device > User Identification > Group Mapping Settings > Server Profile | Select this option to enable the server profile for group mapping.
User Attributes | Device > User Identification > Group Mapping Settings > User and Group Attributes | Specify the attributes to identify users:
Group Attributes | Device > User Identification > Group Mapping Settings > User and Group Attributes | Specify the attributes that will identify groups:
Available Groups | Device > User Identification > Group Mapping Settings > Group Include List | Use these fields to limit the number of groups that the firewall displays when you create a security rule. Browse the LDAP tree to find the groups you want to use in rules. To include a group, select it in the Available Groups list and Add it. Include only the groups you need so that the firewall retrieves user group mappings for only the necessary groups and not for the whole tree from the LDAP directory.
Included Groups | Device > User Identification > Group Mapping Settings > Group Include List |
Name | Device > User Identification > Group Mapping Settings > Custom Group | Create custom groups based on LDAP filters so that you can base firewall policies on user attributes that don't match existing user groups in the LDAP directory. The User-ID service maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing Active Directory group domain name, the firewall uses the custom group in all references to that name (for example, in policies and logs). To create a custom group, click Add and configure the following fields. Use only indexed attributes in the filter to expedite LDAP searches and minimize the performance impact on the LDAP directory server; the firewall does not validate LDAP filters. The combined maximum for the Included Groups and Custom Group lists is 640 entries. To delete a custom group, select and Delete it. To make a copy of a custom group, select and Clone it, and edit the fields as appropriate. After adding or cloning a custom group, you must Commit your changes before your new custom group is available in policies and objects.
LDAP Filter | Device > User Identification > Group Mapping Settings > Custom Group |
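Because the firewall does not validate the LDAP filter entered for a custom group, a malformed filter only shows up as a group that never populates. The following added example (not Palo Alto Networks code) is a pre-commit check that parses the RFC 4515 filter syntax, rejects unbalanced or malformed filters, and lists the attributes used that are not in an assumed set of indexed attributes; the `INDEXED_ATTRS` set is a constructed placeholder to be replaced with your directory's own schema.

```python
"""Pre-commit syntax check for a custom-group LDAP filter (added example).
Handles and/or/not, equality, presence, substring, >=, <= and ~= items;
extensible-match (:=) items are not supported."""
import re

# Constructed assumption: attributes indexed on your directory server.
# Replace with the indexed attributes from your own schema.
INDEXED_ATTRS = {"samaccountname", "mail", "objectcategory", "objectclass",
                 "userprincipalname", "cn", "displayname", "department"}

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$", re.S)


def _parse(s, i):
    """Parse one filter starting at s[i] == '('; return (attrs, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    attrs = []
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        count = 0
        while i < len(s) and s[i] == "(":      # operands are nested filters
            sub, i = _parse(s, i)
            attrs += sub
            count += 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"operator '{op}' has the wrong number of operands")
    else:
        # RFC 4515 escapes a literal ')' as \29, so the first ')' ends the item.
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated filter item")
        m = _ITEM.match(s[i:j])
        if not m:
            raise ValueError(f"malformed filter item: {s[i:j]!r}")
        attrs.append(m.group(1))
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return attrs, i + 1


def check_filter(flt):
    """Return (ok, attributes_used, unindexed_attributes) for an LDAP filter."""
    flt = flt.strip()
    try:
        attrs, end = _parse(flt, 0)
        if end != len(flt):
            raise ValueError("trailing characters after filter")
    except ValueError:
        return False, [], []
    seen = sorted(set(attrs), key=str.lower)
    return True, seen, [a for a in seen if a.lower() not in INDEXED_ATTRS]
```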