Configure User-ID for Numerous Mapping Information Sources
- Configure Windows Log Forwarding on the member servers that will collect login events.
- Install the Windows-based User-ID agent.Install the Windows-Based User-ID Agent on a Windows server that can access the member servers. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- Configure the User-ID agent to collect user mapping information from the member servers.
- Start the Windows-based User-ID agent.
- Selectand perform the following steps for each member server that will receive events from domain controllers:User IdentificationDiscovery
- In the Servers section, clickAddand enter aNameto identify the member server.
- In theServer Addressfield, enter the FQDN or IP address of the member server.
- For theServer Type, selectMicrosoft Active Directory.
- ClickOKto save the server entry.
- Configure the remaining User-ID agent settings: see Configure the Windows-Based User-ID Agent for User Mapping.
- If the User-ID sources provide usernames in multiple formats, specify the format for thePrimary Usernamewhen you Map Users to Groups.The primary username is the username that identifies the user on the firewall and represents the user in reports and logs, regardless of the format that the User-ID source provides.
- Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.To improve availability, use at least two Global Catalog servers for redundancy.You can collect group mapping information only for universal groups, not local domain groups (subdomains).
- Select, clickDeviceServer ProfilesLDAPAdd, and enter aNamefor the profile.
- In the Servers section, for each Global Catalog, clickAddand enter the serverName, IP address (LDAP Server), andPort. For a plaintext or Start Transport Layer Security (Start TLS) connection, usePort3268. For an LDAP over SSL connection, usePort3269. If the connection will use Start TLS or LDAP over SSL, select theRequire SSL/TLS secured connectioncheck box.
- In theBase DNfield, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example,DC=acbdomain,DC=com).
- For theType, selectactive-directory.
- Configure the remaining fields as necessary: see Add an LDAP server profile.
- Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.To improve availability, use at least two servers for redundancy.The steps are the same as for the LDAP server profile you created for Global Catalogs in the Step 4, except for the following fields:
- LDAP Server—Enter the IP address of the domain controller that contains the domain mapping information.
- Port—For a plaintext or Start TLS connection, usePort389. For an LDAP over SSL connection, usePort636. If the connection will use Start TLS or LDAP over SSL, select theRequire SSL/TLS secured connectioncheck box.
- Base DN—Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string:cn=partitions,cn=configuration(for example,cn=partitions,cn=configuration,DC=acbdomain,DC=com).
- Create a group mapping configuration for each LDAP server profile you created.
- Select.DeviceUser IdentificationGroup Mapping Settings
- ClickAddand enter aNameto identify the group mapping configuration.
- Select the LDAPServer Profileand ensure theEnabledcheck box is selected.
- Configure the remaining fields as necessary: see Map Users to Groups.If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure theGroup Include Listand/orCustom Grouplist to limit the groups for which User-ID performs mapping.
Recommended For You
Recommended videos not found.