1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. User-ID Features
    5. Dynamic User Groups

    Dynamic User Groups

    Dynamic user groups help you to create policy that provides auto-remediation for anomalous user behavior and malicious activity while maintaining user visibility. Previously, quarantining users in response to suspicious activity meant time- and resource-consuming updates for all members of the group or updating the IP address-to-username mapping to a label to enforce policy at the cost of user visibility, as well as having to wait until the firewall checked the traffic. Now, you can configure a dynamic user group to automatically include users as members without having to manually create and commit policy or group changes and still maintain user-to-data correlation at the device level before the firewall even scans the traffic.
    To determine what users to include as members, a dynamic user group uses tags as filtering criteria. As soon as a user matches the filtering criteria, that user becomes a member of the dynamic user group. The tag-based filter uses logical and and or operators. Each tag is a metadata element or attribute-value pair that you register on the source statically or dynamically. Static tags are part of the firewall configuration, while dynamic tags are part of the runtime configuration. As a result, you don’t need to commit updates to dynamic tags if they are already associated with a policy that you have committed on the firewall.
    To dynamically register tags, you can use:
    • the XML API
    • the User-ID agent
    • Panorama
    • the web interface on the firewall
    After you create the group and commit the changes, the firewall registers the users and associated tags then automatically updates the dynamic user group’s membership. Because updates to dynamic user group membership are automatic, using dynamic user groups instead of static group objects allows you to respond to changes in user behavior or potential threats without manual policy changes.
    The firewall redistributes the tags for the dynamic user group to the listening redistribution agents, which includes other firewalls, Panorama, or a Dedicated Log Collector, as well as Cortex applications.
    To support redistribution for dynamic user group tags, all firewalls must use PAN-OS 9.1 to receive the tags from the registration sources.
    The firewall redistributes the tags for the dynamic user group to the next hop and you can configure log forwarding to send the logs to a specific server. Log forwarding also allows you to use auto-tagging to automatically add or remove members of dynamic user groups based on events in the logs.
    Because the dynamic user group itself is static, but the group’s membership is dynamic, this allows flexibility with policy creation. For example, if you want the members of the group to return to their original groups after a specific duration of time, configure a timeout for the group. It also allows you to implement information about user behavior from other applications by tagging information from these sources, which updates the dynamic user group membership.
    The following example demonstrates how to configure a dynamic user group to deny traffic to users when the firewall detects traffic to questionable sites and use the dynamic user group in a policy to automatically deny traffic to users accessing these sites. The example workflow shows how to configure a dynamic user group that includes users based on their questionable activity and enforce a Security policy for those users that denies access, regardless of the user’s device or location, so that when user behavior matches the tags you specify, the firewall adds the user to the dynamic user group and applies the associated policy to deny access.
    1. Select
      Objects
      Dynamic User Groups
       and
      Add
       a new dynamic user group.
    2. Define the membership of the dynamic user group.
      Create dynamic tags to specify the criteria for members of the dynamic user group. When a user matches the criteria, the firewall adds the user to the group.
      1. Enter a
        Name
         for the group.
      2. (
        Optional
        ) Enter a
        Description
         for the group.
      3. (
        Panorama only
        ) To share the match criteria of the dynamic user group with all device groups on Panorama, enable
        Shared
         dynamic user groups.
        When you enable this option, the
        Location
         column displays whether the match criteria for the dynamic user group is available to every device group on Panorama (
        Shared
        ) or to the selected device group.
        When you enable this option, Panorama shares the match criteria of the dynamic user group; Panorama does not share the group members.
      4. (
        Panorama only
        ) To prevent administrators from overriding the settings of this dynamic user group in device groups that inherit the object, enable the
        Disable override
         option.
      5. Add Match Criteria
         using dynamic tags to define the members in the dynamic user group.
        For this example, enter
        questionable-activity
        .
      6. (
        Optional
        ) Use the
        And
         or
        Or
         operators with the tags that you want to use to filter for or match against.
      7. Click
        OK
        .
      8. (
        Optional
        ) Select the
        Tags
         you want to assign to the group itself.
        This tag displays in the
        Tags
         column in the
        Dynamic User Group
         list and defines the dynamic group object, not the members in the group.
      9. Click
        OK
         and
        Commit
         your changes.
        If you update the user group object filter, you must commit the changes to update the configuration.
    3. Depending on the log information that you want to use as match criteria, create a log forwarding profile or configure the log settings.
      • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. This performs the user-to-tag mapping at the device level so that the firewall applies the policy before the firewall detects the traffic.
        1. Select
          Objects
          Log Forwarding
           and
          Add
           a log forwarding profile.
        2. Enter a
          Name
           for the log forwarding profile then
          Add
           the
          Built-in Actions
           you want the firewall to take.
        3. Select
          User
           as the
          Target
          .
        4. (
          Optional
          ) To return dynamic user group members to their original groups after a specific duration of time, enter a
          Timeout
           value in minutes (default is 0, range is 0-43200).
        5. Specify the
          Tags
           that define the criteria for the members of the dynamic user group. For this example, enter
          questionable-activity
          .
      • For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings. This performs the user-to-tag mapping at the traffic level so that the firewall applies the policy when it detects the user’s traffic.
        1. Select
          Device
          Log Settings
          .
        2. Select the type of log that contains the information you want to use for the match criteria and
          Add
           it.
        3. Enter a
          Name
           and
          Add
           your
          Built-in actions
          .
        4. Enter a
          Name
           for each action and select
          User
           as the
          Target
           for each action.
        5. Select the
          Registration
           source.
        6. (
          Optional
          ) To return dynamic user group members to their original groups after a specific duration of time, enter a
          Timeout
           value in minutes (default is 0, range is 0-43200).
        7. Specify the
          Tags
           that define the criteria for the members of the dynamic user group. For this example, enter
          questionable-activity
          .
    4. Use the dynamic user group in a policy to regulate traffic for the members of the group.
      You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case,
      questionable-activity
      ). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
      1. Select
        Policies
        Security
        .
      2. Click
        Add
         and enter a
        Name
         and optionally add the
        Tags
         the policy uses.
      3. Add the
        Source Zone
         to specify the zone where the traffic originates.
      4. For the
        Source User
        , select the dynamic user group from Step 1.
      5. Add the
        Destination Zone
         where the traffic terminates.
      6. Select the
        Service/URL Category
         for the type of traffic you want to prevent.
        For this example, select
        questionable
         for the rule that denies the traffic.
      7. Specify the
        Action
        .
        For the rule that denies traffic to the dynamic user group members, select
        Deny
        .
      8. Clone
         this rule and
        Delete
         the
        questionable
        Service/URL Category
        , then select
        Allow
         as the
        Action
         to create the rule that allows the traffic to populate the dynamic user group members.
      9. If you configured a
        Log Forwarding
         profile in Step 3, select it to add it to the policy.
      10. Commit
         your changes.
    5. (
      Optional
      ) Refine the group’s membership and define the registration source for the user-to-tag mapping updates.
      If the initial user-to-tag mapping retrieves users who should not be members or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
      1. In the
        Users
         column, select
        more
        .
      2. Register Users
         to add them to the group and select the
        Registration Source
         for the tags and user-to-tag mappings.
        • Local
           (Default)—Register the tags and mappings for the dynamic user group members locally on the firewall.
        • Panorama User-ID Agent
          —Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
        • Remote device User-ID Agent
          —Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
      3. Select the
        Tags
         you want to register on the source using the tags you used to configure the group.
      4. (
        Optional
        ) To return dynamic user group members to their original groups after a specific duration of time, enter a
        Timeout
         value in minutes (default is 0, range is 0-43200).
      5. Add
         or
        Delete
         users as necessary.
      6. (
        Optional
        )
        Unregister Users
         to remove their tags and user-to-tag mappings.
    6. Verify the firewall correctly populates the users in the dynamic user group.
      1. Confirm the
        Dynamic User Group
         column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
      2. Use the
        show user group list dynamic
         command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
      3. Use the
        show object registered-user all
         command to display a list of users who are registered members of dynamic user groups.
      4. Use the
        show user group name
        group-name
         command to display information about the dynamic user group, such as the source type.
    7. Monitor the users in your dynamic user groups to track user activity.
      1. In the Application Command Center (ACC), create a global or local filter to track the dynamic user group (
        Add
        User
        Dynamic User Group
        ).
      2. Generate user activity reports for members of dynamic user groups (
        Monitor
        PDF Reports
        User Activity Report
        ) to determine if more malicious activity occurs.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo