Use Dynamic User Groups in Policy

Learn how to configure dynamic user groups and use them for policy enforcement.
Dynamic user groups help you to create policy that provides auto-remediation for anomalous user behavior and malicious activity while maintaining user visibility. After you create the group and commit the changes, the firewall registers the users and associated tags then automatically updates the dynamic user group’s membership. Because updates to dynamic user group membership are automatic, using dynamic user groups instead of static group objects allows you to respond to changes in user behavior or potential threats without manual policy changes.
To determine what users to include as members, a dynamic user group uses tags as filtering criteria. As soon as a user matches the filtering criteria, that user becomes a member of the dynamic user group. The tag-based filter uses logical
and
and
or
operators. Each tag is a metadata element or attribute-value pair that you register on the source statically or dynamically. Static tags are part of the firewall configuration, while dynamic tags are part of the runtime configuration. As a result, you don’t need to commit updates to dynamic tags if they are already associated with a policy that you have committed on the firewall
To dynamically register tags, you can use:
  • the XML API
  • the User-ID agent
  • Panorama
  • the web interface on the firewall
The firewall redistributes the tags for the dynamic user group to the listening redistribution agents, which includes other firewalls, Panorama, or a Dedicated Log Collector, as well as Cortex applications.
To support redistribution for dynamic user group tags, all firewalls must use PAN-OS 9.1 to receive the tags from the registration sources.
The firewall redistributes the tags for the dynamic user group to the next hop and you can configure log forwarding to send the logs to a specific server. Log forwarding also allows you to use auto-tagging to automatically add or remove members of dynamic user groups based on events in the logs.
  1. Select
    Objects
    Dynamic User Groups
    and
    Add
    a new dynamic user group.
  2. Define the membership of the dynamic user group.
    1. Enter a
      Name
      for the group.
    2. (
      Optional
      ) Enter a
      Description
      for the group.
    3. Add Match Criteria
      using dynamic tags to define the members in the dynamic user group.
    4. (
      Optional
      ) Use the
      And
      or
      Or
      operators with the tag(s) that you want to use to filter for or match against.
    5. Click
      OK
      .
    6. (
      Optional
      ) Select the
      Tags
      you want to assign to the group itself.
      This tag displays in the
      Tags
      column in the
      Dynamic User Group
      list and defines the dynamic group object, not the members in the group.
    7. Click
      OK
      and
      Commit
      your changes.
      If you update the user group object filter, you must commit the changes to update the configuration.
  3. Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
    • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
    • For User-ID, HIP Match, GlobalProtect, and IP-Tag logs, configure the log settings.
  4. (
    Optional
    ) To return dynamic user group members to their original groups after a specific duration of time, enter a
    Timeout
    value in minutes (default is 0, range is 0-43200).
  5. Use the dynamic user group in a policy to regulate traffic for the members of the group.
    You will need to create at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent. To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
    1. Select the dynamic user group from Step 1 as the
      Source User
      .
    2. Create the rule where the
      Action
      denies traffic to the dynamic user group members.
    3. Create the rule that allows the traffic to populate the dynamic user group members.
    4. If you configured a
      Log Forwarding
      profile in Step 3, select it to add it to the policy.
    5. Commit
      your changes.
  6. (
    Optional
    ) Refine the group’s membership and define the registration source for the user-to-tag mapping updates.
    If the initial user-to-tag mapping retrieves users who should not be members or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
    1. In the
      Users
      column, select
      more
      .
    2. Register Users
      to add them to the group and select the
      Registration Source
      for the tags and user-to-tag mappings.
      • Local
        (Default)—Register the tags and mappings for the dynamic user group members locally on the firewall.
      • Panorama User-ID Agent
        —Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
      • Remote device User-ID Agent
        —Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
    3. Select the
      Tags
      you want to register on the source using the tag(s) you used to configure the group.
    4. (
      Optional
      ) To return dynamic user group members to their original groups after a specific duration of time, enter a
      Timeout
      value in minutes (default is 0, range is 0-43200).
    5. Add
      or
      Delete
      users as necessary.
    6. (
      Optional
      )
      Unregister Users
      to remove their tags and user-to-tag mappings.
  7. Verify the firewall correctly populates the users in the dynamic user group.
    1. Confirm the
      Dynamic User Group
      column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
    2. Use the
      show user group list dynamic
      command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
    3. Use the
      show object registered-user all
      command to display a list of users who are registered members of dynamic user groups.
    4. Use the
      show user group name
      group-name
      command to display information about the dynamic user group, such as the source type.

Recommended For You