Group mapping in Palo Alto Networks' PAN-OS allows administrators to define security policies based on user group memberships rather than individual users. This approach simplifies policy management, especially in dynamic environments where users frequently join or leave groups.
Group Mapping Methods
1. LDAP-Based Group Mapping
The firewall connects to an LDAP directory (e.g., Active Directory) to retrieve user and group information. This method involves:
Creating an LDAP server profile.
Configuring group mapping settings to specify which groups to include.
Defining user and group attributes for identification.
```mermaid
sequenceDiagram
    participant Firewall
    participant LDAP
    Firewall->>LDAP: Bind and Authenticate
    Firewall->>LDAP: Query for Groups
    LDAP-->>Firewall: Return Group Information
    Firewall->>LDAP: Query for Users
    LDAP-->>Firewall: Return User Information
```
2. Custom Group Mapping
Custom groups are defined using LDAP filters without requiring changes on the LDAP server. This method is useful when:
Specific groupings are needed that don't exist in LDAP.
Temporary groupings are required for specific policies.
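The following is an added example, not PAN-OS code or anything from the page's author: it shows how the LDAP filter behind a custom group is built and evaluated, and why assertion values must be escaped per RFC 4515 before they are placed in the filter string. The attribute names (`department`, `l`), the sample entries and the `custom_group_filter` and `members_of_custom_group` helpers are all assumptions for illustration; the firewall performs the real search against the directory. The same filter construction applies to the "Custom Groups" and "Group Include List" best practices later on this page.

```python
"""Build and evaluate the LDAP search filter behind a custom group.

Added example (not PAN-OS code). Attribute names and entries are constructed.
"""

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter.

    Without this, a value such as '*)(objectClass=*' would turn a narrow
    custom group into a wildcard match over the whole directory.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def custom_group_filter(object_class: str, **attributes: str) -> str:
    """Return an AND filter selecting entries whose attributes all match.

    Attribute names are chosen by the administrator; only the values are
    escaped. Example (assumed attributes):
    custom_group_filter("user", department="Finance", l="London")
    -> "(&(objectClass=user)(department=Finance)(l=London))"
    """
    terms = [f"(objectClass={escape_filter_value(object_class)})"]
    for attr, value in attributes.items():
        terms.append(f"({attr}={escape_filter_value(value)})")
    return "(&" + "".join(terms) + ")"


# Constructed sample directory: DN -> attributes. Stands in for the LDAP
# search the firewall would run with the filter above.
ENTRIES = {
    "CN=alice,OU=Users,DC=example,DC=local": {
        "objectClass": ["user"], "department": "Finance", "l": "London"},
    "CN=bob,OU=Users,DC=example,DC=local": {
        "objectClass": ["user"], "department": "Finance", "l": "Paris"},
    "CN=svc-backup,OU=Service,DC=example,DC=local": {
        "objectClass": ["user"], "department": "Finance", "l": "London"},
    "CN=Finance,OU=Groups,DC=example,DC=local": {
        "objectClass": ["group"], "department": "Finance"},
}


def members_of_custom_group(entries, object_class: str, **attributes: str):
    """Return the sorted DNs that the AND-of-equalities filter would select.

    Mirrors custom_group_filter() on in-memory entries: the object class must
    be present and every attribute must equal its expected value.
    """
    selected = []
    for dn, attrs in entries.items():
        if object_class not in attrs.get("objectClass", []):
            continue
        if all(attrs.get(a) == v for a, v in attributes.items()):
            selected.append(dn)
    return sorted(selected)


if __name__ == "__main__":
    print(custom_group_filter("user", department="Finance", l="London"))
    print(members_of_custom_group(ENTRIES, "user", department="Finance", l="London"))
```

The group entry is excluded by the object class term and Bob by the location term, so only the two London users are members. Because the firewall evaluates the filter on every update, a custom group tracks attribute changes in the directory without any group object being created there, which is exactly the property that makes these filters convenient for temporary policies.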
3. Cloud Identity Engine (CIE)
The Cloud Identity Engine allows integration with cloud-based directories like Azure AD, Okta, and Google Workspace. Benefits include:
Centralized identity management across cloud platforms.
Seamless integration with PAN-OS for user and group information.
```mermaid
sequenceDiagram
    participant Firewall
    participant CIE
    participant CloudDirectory
    Firewall->>CIE: Request User/Group Info
    CIE->>CloudDirectory: Fetch Data
    CloudDirectory-->>CIE: Return Data
    CIE-->>Firewall: Provide User/Group Info
```
Configuration Steps
A. LDAP Server Profile
1. Navigate to Device > Server Profiles > LDAP.
2. Click Add and configure:
   - Name: Unique identifier for the profile.
   - Server List: Add LDAP servers (up to 4 for redundancy).
   - Type: Choose the directory type (e.g., Active Directory).
   - Base DN: Starting point in the directory for searches.
   - Bind DN and Password: Credentials for authentication.
B. Group Mapping Settings
1. Navigate to Device > User Identification > Group Mapping Settings.
2. Click Add and configure:
   - Name: Unique identifier for the mapping.
   - Server Profile: Select the LDAP profile created earlier.
   - Update Interval: Frequency of updates from the directory.
   - User Domain: Specify if overriding the domain name.
   - Group Include List: Select groups to include in policies.
C. User and Group Attributes
Define attributes to identify users and groups:
- User Attributes:
  - Primary Username: e.g., sAMAccountName.
  - Alternate Usernames: e.g., userPrincipalName, mail.
- Group Attributes:
  - Group Name: e.g., cn.
  - Group Member: e.g., member.
User-ID Best Practices for Group Mapping
Defining policy rules based on user group membership simplifies administration, as it eliminates the need to update rules whenever group membership changes. The following best practices are recommended for configuring group mapping in LDAP deployments using Palo Alto Networks firewalls:
Plan Your Deployment:
Identify your directory service (e.g., on-premises Active Directory, cloud-based Azure Active Directory, or LDAP-based services like OpenLDAP) and understand the topology of your directory servers. Consider factors such as the number of directory servers, their locations, and whether they are on-premises or cloud-based.
Single Domain Deployments:
If you have a single domain, configure one group mapping with an LDAP server profile that connects the firewall to the domain controller with the best connectivity. Add up to four domain controllers to the LDAP server profile for redundancy.
Universal Groups:
For deployments using Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL. Additionally, create another LDAP server profile to connect to the root domain controllers using LDAPS on port 636. If TLS is not used, port 389 can be used. This ensures that user and group information is available for all domains and subdomains.
Multiple Domains or Forests:
If you do not have Universal Groups and have multiple domains or forests, create a group mapping configuration with an LDAP server profile that connects the firewall to a domain server in each domain or forest. Ensure that usernames are unique across separate forests.
Custom Groups:
To create a custom group not available in your LDAP Directory, use user attributes to define custom groups.
Primary Username Format:
Determine the format (e.g., email address, UPN, or sAMAccountName) to use for the Primary Username. This attribute identifies users in user-based security policy rules, logs, and reports. If User-ID sources send usernames in different formats, specify those usernames as alternative attributes.
Unique Attributes:
Ensure that the primary username, alternative username, and email attributes are unique for each user. Also, ensure that usernames and group attributes are unique for all users and groups within each domain.
Avoid Overlapping Groups:
If creating multiple group mapping configurations using the same base distinguished name (DN) or LDAP server, ensure that the configurations do not contain overlapping groups. For example, the Include list for one group mapping configuration should not contain a group that is also in a different group mapping configuration.
Retrieve Necessary Groups Only:
Retrieve only the groups needed for your group-based security policy and configuration by using the group include list or applying a custom search filter.
Update Interval:
Evaluate how frequently groups change in your directories to determine the optimal Update Interval value for your Group Mapping profile. If groups change frequently, configure a smaller value; if they are usually static, enter a larger value.
Cloud Identity Engine:
To access on-premises or cloud-based directory information for user identification and security policy enforcement, use the Cloud Identity Engine to simplify the retrieval of group mapping information from multiple sources, especially cloud-based directories.
Virtual System Hub:
If using the same groups across virtual systems in your security policy, configure a virtual system as a hub to share group mappings across virtual systems. This allows one virtual system to provide the mappings to the other systems, maximizing the number of available mappings.
Group Include List:
Use the Group Include List to limit policy rules to specific groups. Alternatively, filter the groups that the firewall tracks for group mapping by entering a Search Filter (LDAP query) and Object Class (group definition). If a group is not readily available in your LDAP Directory, use user attributes to create custom groups on the firewall. Ensure that attributes used to form custom groups are indexed attributes on the directory.
Custom Groups Only:
If using only custom groups from a directory, add an unused group to the Include List to prevent User-ID from retrieving all the groups from the directory.
Post-Deployment Verification:
To confirm connectivity to the LDAP server, use the `show user group-mapping state all` CLI command. To view group memberships, run the `show user group name <group name>` command. Ensure that users needing policy-based access belong to the group assigned to the policy. To verify which groups can currently be used in policy rules, use the `show user group` CLI command. If changes are made to group mapping, refresh the cache manually by running the `debug user-id refresh group-mapping all` command.
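The "Avoid Overlapping Groups" practice above is easy to violate by accident, because the same group can be written with different letter case or spacing in two Include lists. The block below is an added example, not PAN-OS code: it normalizes group DNs and reports any group included by more than one configuration that shares an LDAP server or Base DN. The configuration records (`name`, `server`, `base_dn`, `include`) and their values are constructed stand-ins for the Group Mapping Settings entries; they are not the firewall's own configuration format.

```python
"""Find overlapping groups across several group mapping configurations.

Added example (not PAN-OS code). CONFIGS is constructed: 'server' stands in
for the LDAP server profile, 'base_dn' for its Base DN, and 'include' for the
Group Include List of each Group Mapping Settings entry.
"""
import re

CONFIGS = [
    {"name": "gm-corp", "server": "ldap-corp", "base_dn": "DC=example,DC=local",
     "include": ["CN=Finance,OU=Groups,DC=example,DC=local",
                 "CN=HR,OU=Groups,DC=example,DC=local"]},
    {"name": "gm-vpn", "server": "ldap-corp", "base_dn": "DC=example,DC=local",
     "include": ["cn=finance, ou=groups, dc=example, dc=local",  # same group, different spelling
                 "CN=VPN-Users,OU=Groups,DC=example,DC=local"]},
    {"name": "gm-lab", "server": "ldap-lab", "base_dn": "DC=lab,DC=local",
     "include": ["CN=Finance,OU=Groups,DC=lab,DC=local"]},  # different directory, no overlap
]


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so cosmetic differences cannot hide an overlap.

    DN attribute types and AD values compare case-insensitively, and
    whitespace around the RDN separators is not significant.
    """
    parts = re.split(r"\s*,\s*", dn.strip())
    return ",".join(p.lower() for p in parts)


def find_overlaps(configs):
    """Return sorted [(normalized group DN, [config names])] for groups that
    appear in the Include list of two or more configurations which use the
    same LDAP server or the same Base DN."""
    owners_by_group = {}
    for cfg in configs:
        for group in cfg["include"]:
            owners_by_group.setdefault(normalize_dn(group), []).append(cfg)

    overlaps = []
    for dn, owners in owners_by_group.items():
        involved = set()
        for i, a in enumerate(owners):
            for b in owners[i + 1:]:
                same_server = a["server"] == b["server"]
                same_base = normalize_dn(a["base_dn"]) == normalize_dn(b["base_dn"])
                if same_server or same_base:
                    involved.update((a["name"], b["name"]))
        if involved:
            overlaps.append((dn, sorted(involved)))
    return sorted(overlaps)


if __name__ == "__main__":
    for dn, names in find_overlaps(CONFIGS):
        print(f"{dn} is included by {', '.join(names)}")
```

Run against the constructed configurations it reports the Finance group shared by `gm-corp` and `gm-vpn`, while the lab Finance group is not flagged because it lives under a different Base DN on a different server. Extending the check to the output of `show user group list` on a live firewall would require parsing that output, which this example does not attempt.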
```mermaid
sequenceDiagram
    participant Firewall
    participant LDAP
    participant Admin
    Admin->>Firewall: Configure Group Mapping
    Firewall->>LDAP: Query for Groups
    LDAP-->>Firewall: Return Group Data
    Firewall->>Admin: Display Mapped Groups
```
Configuring a Master Device in Panorama for User and Group Mapping
To enable Panorama to collect user and group mapping information for use in security policies, designate a managed firewall as a Master Device. This configuration allows Panorama to retrieve group mappings from the Master Device, facilitating the creation of user- and group-based policies.
Steps to Configure a Master Device:
1. Enable Group Mapping on the Firewall: On the firewall intended to be the Master Device, configure group mapping settings to connect to your directory services (e.g., Active Directory) using an LDAP server profile.
2. Designate the Master Device in Panorama:
   - In Panorama, navigate to Panorama > Device Groups.
   - Select the appropriate device group and click Edit.
   - Under the General tab, select the firewall to act as the Master Device.
   - Enable the option "Store users and groups from the master device if reporting and filtering of groups is enabled in Panorama settings".
3. Enable Reporting and Filtering on Groups:
   - Navigate to Panorama > Setup > Management.
   - In the Panorama Settings section, click Edit.
   - Enable the option "Enable reporting and filtering on groups".
4. Commit the Configuration: After completing the above steps, commit the changes to Panorama to apply the configuration.
Once configured, Panorama will retrieve user and group information from the designated Master Device, allowing administrators to select users and groups when creating security policy rules.
Note: Only one Master Device can be assigned per device group. If the Master Device becomes unavailable, Panorama will retain the last known user and group information until the Master Device is restored or replaced.
```mermaid
sequenceDiagram
    participant LDAP as LDAP Server
    participant MasterFW as Master Firewall
    participant Panorama as Panorama
    Note over MasterFW,LDAP: Initial Setup
    MasterFW->>LDAP: Retrieve user and group mappings
    Note over Panorama,MasterFW: Configuration
    Panorama->>MasterFW: Designate as Master Device
    Panorama->>Panorama: Enable reporting and filtering on groups
    Note over Panorama,MasterFW: Data Retrieval
    MasterFW-->>Panorama: Provide user and group mapping data
    Note over Panorama: Policy Creation
    Panorama->>Panorama: Populate group names in policy rule drop-downs
```