Device > User Identification > Group Mapping Settings
To base security policies on user or group, the firewall must retrieve the list of groups and the corresponding list of members from your directory servers. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Before creating a group mapping configuration, you must configure an LDAP server profile (see Device > Server Profiles > LDAP). The complete procedure to map usernames to groups requires additional tasks.
Add a group mapping configuration for each LDAP server in your network. To remove a group mapping configuration, select it and click Delete. If you want to disable a group mapping configuration without deleting it, edit the configuration and clear the Enabled selection. When adding a group mapping configuration, complete the following fields.
Group Mapping Setting: Name
Configured In: Device > User Identification > Group Mapping Settings
Description: Enter a name to identify the group mapping configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Group Mapping Setting: Server Profile
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description: Select the LDAP server profile to use for group mapping on this firewall.

Group Mapping Setting: Update Interval
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description: Specify the interval in seconds after which the firewall initiates a connection with the LDAP directory server to obtain any updates that were made to the groups that firewall policies use (range is 60–86400).

Group Mapping Setting: User Domain
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description: By default, the User Domain field is blank and the firewall automatically detects the domain names for Active Directory servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS name. This field only affects the usernames and group names retrieved from the LDAP source. For user authentication, to override the domain associated with a username, configure the User Domain and Username Modifier fields in the authentication profile that you assign to that user (see Device > Authentication Profile).

Group Mapping Setting: Group Objects
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description:
Search Filter: Enter an LDAP query that specifies which groups to retrieve and track.
Object Class: Enter a group definition. The default is objectClass=group, which specifies that the system retrieves all objects in the directory that match the group Search Filter and have objectClass=group.
Group Name: Enter the attribute that specifies the group name. For example, in Active Directory, this attribute is "CN" (Common Name).
Group Member: Enter the attribute that contains the group members. For example, in Active Directory, this attribute is "member".

Group Mapping Setting: User Objects
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description:
Search Filter: Enter an LDAP query that specifies which users to retrieve and track.
Object Class: Enter a user object definition. For example, in Active Directory, the objectClass is "user".
User Name: Enter the attribute for the username. For example, in Active Directory, the default username attribute is "samAccountName".

Group Mapping Setting: Mail Domains
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description: When the firewall receives a WildFire™ log for a malicious email, the email recipient information in the log is matched with the user mapping information that the User-ID agent collects. The log contains a link to the user that, when clicked, displays the ACC filtered by the user. If the email is sent to a distribution list, the ACC is filtered by the members contained in the list. The email header and user mapping information help you quickly track and thwart threats that arrive through email by making it easier to identify the users who received the email.
Mail Attributes: PAN-OS automatically populates this field based on the LDAP server type (Sun ONE, Active Directory, or Novell).
Domain List: Enter the email domains in your organization as a comma-separated list of up to 256 characters.

Group Mapping Setting: Enabled
Configured In: Device > User Identification > Group Mapping Settings > Server Profile
Description: Select this option to enable the server profile for group mapping.

Group Mapping Setting: Available Groups / Included Groups
Configured In: Device > User Identification > Group Mapping Settings > Group Include List
Description: Use these fields to limit the number of groups that the firewall displays when you create a security rule. Browse the LDAP tree to find the groups you want to use in rules. To include a group, select it in the Available Groups list and click Add. To remove a group from the list, select it in the Included Groups list and click Delete. The maximum number of groups you can add in the Group Include List tab and Custom Group tab combined is 640 per virtual system.

Group Mapping Setting: Name / LDAP Filter
Configured In: Device > User Identification > Group Mapping Settings > Custom Group
Description: Use these fields to create custom groups based on LDAP filters so that you can base firewall policies on user attributes that don't match existing user groups in the LDAP directory. The User-ID service maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing Active Directory group domain name, the firewall uses the custom group in all references to that name (for example, in policies and logs). To create a custom group, click Add and configure the following fields:
Name: Enter a custom group name that is unique in the group mapping configuration for the current firewall or virtual system.
LDAP Filter: Enter a filter of up to 2,048 characters. To expedite LDAP searches and minimize the performance impact on the LDAP directory server, it is a best practice to use only indexed attributes in the filter. The firewall does not validate LDAP filters.
To delete a custom group, select it and click Delete. To make a copy of a custom group, select it, click Clone and edit the fields as necessary. The maximum number of groups you can add in the Group Include List tab and Custom Group tab combined is 640 per virtual system. After creating or cloning a custom group, you must perform a commit for it to be available in policies and objects.
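As an added illustration (not PAN-OS code), the following Python models how the Group Objects, User Objects, User Domain and Custom Group settings above combine: it evaluates a small LDAP filter subset against a constructed in-memory directory, builds the group-to-member mapping using the page's default attributes, and resolves a custom group from its LDAP Filter. The DNs, users, department values and the NetBIOS domain CORP are constructed, and the default group search filter (cn=*) is an assumption because the page gives none.

```python
# Added example, not PAN-OS code: all DNs, users and the NetBIOS domain "CORP" are constructed.
DIRECTORY = {  # constructed directory, DN -> {attribute: [values]}
    "CN=Domain Admins,OU=Groups,DC=corp,DC=example": {"objectClass": ["group"],
        "cn": ["Domain Admins"], "member": ["CN=alice,OU=Users,DC=corp,DC=example"]},
    "CN=Sales,OU=Groups,DC=corp,DC=example": {"objectClass": ["group"], "cn": ["Sales"],
        "member": ["CN=alice,OU=Users,DC=corp,DC=example", "CN=bob,OU=Users,DC=corp,DC=example"]},
    "CN=alice,OU=Users,DC=corp,DC=example": {"objectClass": ["user"], "sAMAccountName": ["alice"],
        "department": ["IT"]},
    "CN=bob,OU=Users,DC=corp,DC=example": {"objectClass": ["user"], "sAMAccountName": ["bob"],
        "department": ["Sales"]},
}

def _attr(entry, name):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]

def _eval(entry, f, i):
    """Evaluate an RFC 4515 filter subset ((a=v), (a=*), &, |, !) starting at f[i].
    Returns (matched, index just past the closing parenthesis)."""
    if f[i + 1] in "&|!":
        op, i, results = f[i + 1], i + 2, []
        while f[i] == "(":
            r, i = _eval(entry, f, i)
            results.append(r)
        return {"&": all, "|": any}.get(op, lambda r: not r[0])(results), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    vals = [v.lower() for v in _attr(entry, attr)]
    return (bool(vals) if value == "*" else value.lower() in vals), end + 1

def matches(entry, ldap_filter):
    return _eval(entry, ldap_filter, 0)[0]

def map_groups(user_domain, search_filter="(cn=*)", object_class="objectClass=group",
               group_name="cn", group_member="member", user_class="objectClass=user",
               user_name="sAMAccountName"):
    """Apply the Group Objects / User Objects settings (page defaults except the
    constructed search_filter): returns {'DOMAIN\\group': {'DOMAIN\\user', ...}}."""
    mapping = {}
    for entry in DIRECTORY.values():
        if matches(entry, f"(&{search_filter}({object_class}))"):
            users = [DIRECTORY.get(dn, {}) for dn in _attr(entry, group_member)]  # member values are DNs
            mapping[f"{user_domain}\\{_attr(entry, group_name)[0]}"] = {
                f"{user_domain}\\{_attr(u, user_name)[0]}"
                for u in users if matches(u, f"({user_class})")}  # skips nested groups / unknown DNs
    return mapping

def custom_group(ldap_filter, user_domain, user_class="objectClass=user", user_name="sAMAccountName"):
    """Custom Group: every user object matching the LDAP Filter becomes a member."""
    return {f"{user_domain}\\{_attr(e, user_name)[0]}" for e in DIRECTORY.values()
            if matches(e, f"({user_class})") and matches(e, ldap_filter)}
```

Because the firewall does not validate LDAP filters, a filter that is syntactically valid but matches nothing simply yields an empty group; checking the resulting membership, as this model does, is the only way to confirm the filter means what you intended.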