Dynamic User Groups & Auto-Tagging in PAN-OS

What are Dynamic User Groups (DUGs)?

Dynamic User Groups (DUGs) automatically update their membership based on tags associated with users, rather than a static list of usernames. This enables policies that dynamically adapt to changing conditions like user behavior or potential threats without needing manual updates.

Benefits:

How DUGs Work: Tags as Filters

You define a DUG by specifying tag-based criteria using logical AND / OR operators (negation is not supported). When a user gains a tag (or combination of tags) that matches the DUG's filter, they are automatically added to the group. When the tag(s) are removed or expire, the user is automatically removed from the DUG.

Example: A DUG named `Require-MFA-Group` could be defined with the filter matching the tag `require-mfa`. Any user who gets tagged with `require-mfa` instantly becomes a member of this group.

Diagram: DUG Concept 
graph LR
    subgraph Tag_Sources [Tag Sources]
        API(XML API)
        UIDAgent(User-ID Agent
/AD Monitor)
        AutoTag(Auto-Tagging
/Log Forwarding)
        Manual(Manual/Panorama)
    end

    subgraph User_Identity
        U1[User: Alice
Tags: low-risk]
        U2[User: Bob
Tags: high-risk, require-mfa]
        U3[User: Charlie
Tags: contractor, temp-access]
    end

    subgraph DUG_Definitions [DUG Definitions]
       DUG_Risky("DUG: Risky-Users
Filter: 'high-risk'")
       DUG_MFA("DUG: Require-MFA-Group
Filter: 'require-mfa'")
       DUG_Temp("DUG: Temp-Access
Filter: 'temp-access'")
    end

     subgraph Policy_Enforcement [Policy Enforcement]
        Policy1("Security Policy
Source User: Risky-Users
Action: Deny")
        Policy2("Authentication Policy
Source User: Require-MFA-Group
Action: Enforce MFA")
        Policy3("Security Policy
Source User: Temp-Access
Action: Allow to Specific Apps")
     end

    API --> U2 & U3;
    UIDAgent --> U1;
    AutoTag --> U2;
    Manual --> U3;

    U1 -- No Match --> DUG_Risky;
    U2 -- Match --> DUG_Risky;
    U3 -- No Match --> DUG_Risky;

    U1 -- No Match --> DUG_MFA;
    U2 -- Match --> DUG_MFA;
    U3 -- No Match --> DUG_MFA;

    U1 -- No Match --> DUG_Temp;
    U2 -- No Match --> DUG_Temp;
    U3 -- Match --> DUG_Temp;

    DUG_Risky --> Policy1;
    DUG_MFA --> Policy2;
    DUG_Temp --> Policy3;

    style DUG_Risky fill:#ffc,stroke:#333,stroke-width:1px
    style DUG_MFA fill:#ffc,stroke:#333,stroke-width:1px
    style DUG_Temp fill:#ffc,stroke:#333,stroke-width:1px

Where Do Tags Come From? (Tag Registration)

Tags are metadata labels associated with users (or IP addresses). They can be:

Dynamic tags for users can be registered (associated with a user) via:

Tags dynamically registered on one firewall can be redistributed to other firewalls (often via Panorama hub or direct firewall-to-firewall redistribution) to ensure consistent DUG membership across the network. PAN-OS 9.1 or later is generally required on receiving firewalls for dynamic tag redistribution.

Automating Actions with Auto-Tagging

Auto-tagging is the mechanism that allows the firewall or Panorama to automatically apply or remove tags based on specific criteria found in generated logs. This links observed behavior or events directly to dynamic policy enforcement through DUGs.

Example: MFA Enforcement for Credential Phishing

If a user submits credentials to a site flagged in the URL Filtering log as potentially malicious ( credential-detected eq yes ), auto-tagging can apply a `require-mfa` tag to that user. An Authentication Policy rule using a DUG matching the `require-mfa` tag can then force MFA for that user's subsequent network access attempts, mitigating the risk from the potentially compromised credential.

Diagram: Auto-Tagging Workflow 
sequenceDiagram
    participant User
    participant Firewall
    participant Logger as Log Processing Engine
    participant LogFwd as Log Fwd Profile /
Log Settings
    participant UserTagDB as User-ID / Tag Database
    participant PolicyEngine as Policy Engine

    User->>Firewall: Accesses Risky Site / Event Occurs
    Firewall->>Logger: Generates Log (e.g., Threat, URL)
    Logger->>LogFwd: Log Sent for Processing
    LogFwd->>LogFwd: Evaluate Filter Criteria (e.g., threat ID, URL category)
    alt Log Matches Filter
        LogFwd->>UserTagDB: Execute Built-in Action: Add/Remove Tag for User/IP
        Note over UserTagDB: User/IP tag mapping updated
    end
    Note over Firewall, PolicyEngine: Later Traffic from User/IP...
    Firewall->>PolicyEngine: Evaluate Policy for New Session
    PolicyEngine->>UserTagDB: Check User/IP Tags
    UserTagDB-->>PolicyEngine: Provide Current Tags
    PolicyEngine->>PolicyEngine: Match Policy Rule using DUG/DAG
    PolicyEngine->>Firewall: Apply Policy Action (Allow/Deny/MFA)

Configuration Steps (Simplified)

  1. Define the Tag: Create the tag you want to use ( Objects > Tags ), e.g., `compromised-credential`.
  2. Configure the Trigger (Log Forwarding/Settings):
    • Determine the log type that indicates the event (e.g., URL Filtering log for credential detection).
    • Based on log type, go to Objects > Log Forwarding or Device > Log Settings .
    • Create or edit a profile/setting for that log type.
    • Add a Filter to match the specific event (e.g., `(credential-detected eq yes)`).
    • Add a Built-in Action > Tagging :
      • Target: `Source User` (or Source Address, etc.)
      • Action: `Add Tag`
      • Tags: Select `compromised-credential`
      • Timeout: Set an appropriate duration (e.g., `480` for 8 hours) or `0` for permanent until removed.
      • Registration Source: Choose `Local` or configure HTTP profile for remote sharing.
  3. Create the Dynamic User Group:
    • Go to Objects > Dynamic User Groups , Add.
    • Name: e.g., `Users-Require-MFA`.
    • Match Criteria: Select the tag `compromised-credential`.
  4. Create/Modify Policy using the DUG:
    • Go to Policies > Authentication (or Security, Decryption).
    • Create a rule.
    • In the Source User field, add the DUG `Users-Require-MFA`.
    • Configure the desired Action (e.g., apply an MFA Authentication Profile).
    • Ensure rule placement is logical (often specific rules come before general allow rules).
  5. Assign Log Forwarding Profile (Crucial Link):
    Why is Assigning the Log Forwarding Profile Needed?

    For log types handled by Log Forwarding Profiles (Threat, URL, Traffic, etc.), simply creating the profile isn't enough. The firewall needs to know *which traffic* should have its logs processed by that profile's filters and actions.

    You **must** assign the Log Forwarding Profile you created (the one containing your auto-tagging filter and action) to the specific Security Policy rule(s) that allow the traffic which generates the trigger logs.

    Think of it this way:

    • The Security Rule says: "Let this web traffic through."
    • The attached Log Forwarding Profile says: "And WHILE that traffic is flowing, IF you see a URL log matching 'credential-detected=yes', THEN execute the 'Add Tag' action."

    Without attaching the profile to the Security Rule (under the rule's Actions tab), the firewall allows the traffic and generates the standard logs, but it doesn't perform the extra check defined in the Log Forwarding Profile, so no auto-tagging occurs for these log types.

    (This assignment step is *not* needed for log types configured directly under Device > Log Settings, like User-ID or GlobalProtect logs, as their tagging actions are tied directly to the log generation itself.)

    • If the trigger log (e.g., URL Filtering) is generated by traffic matching a Security Policy rule, assign the Log Forwarding Profile created in Step 2 to that Security Policy rule (under the rule's Actions tab).
  6. Commit all configuration changes.

Best Practices & Verification

Knowledge Check

Question 1:

What is the primary mechanism Dynamic User Groups use to determine membership?

Explanation: Dynamic User Groups use tag-based filters. Users are automatically added or removed based on whether the tags registered against their username match the filter criteria defined in the DUG.

Question 2:

Which two methods allow for *dynamic* registration of tags on users? (Choose two.)

Explanation: Dynamic registration means the tag is applied at runtime. This can be done programmatically via the XML API or automatically by the firewall based on log events using Auto-Tagging features linked to Log Forwarding Profiles or Log Settings. Static configuration is not dynamic.

Question 3:

What is the main purpose of the "Auto-Tagging" feature?

Explanation: Auto-Tagging's core function is to react to specific patterns or events found in various firewall logs (Threat, URL, Traffic, etc.) and automatically assign (or remove) predefined tags to the associated user or IP address, enabling dynamic policy responses.

Question 4:

If you want to trigger auto-tagging based on a URL filtering log event (e.g., credential submission detected), where would you configure the tagging action?

Explanation: For logs like URL Filtering, Threat, Traffic, etc., auto-tagging actions are configured within a Log Forwarding Profile. You define a filter for the specific log criteria and then add a Built-in Action to apply the tag. Device > Log Settings is used for User-ID, GP, and IP-Tag logs.

Question 5:

What happens if you set the "Timeout" value to 0 when configuring an "Add Tag" built-in action for auto-tagging?

Explanation: A timeout value of 0 specifically means that the tag applied via auto-tagging will persist indefinitely until it is explicitly removed via another action (e.g., another log event triggering a "Remove Tag" action) or manually via API/GUI/CLI.

Question 6:

To use a Dynamic User Group named "Quarantined-Users" (based on the tag 'quarantine-tag') in a Security Policy rule to block traffic, what should typically be configured?

Explanation: Dynamic User Groups are primarily used in the Source User field of Security policy rules (or Authentication policy rules) to control access. To block traffic for members of the DUG, you would create a Security rule matching that group and set the action to Deny.

Question 7:

If you need to share dynamically registered tags with a remote User-ID agent (on another firewall), what type of Server Profile must be configured and referenced in the Log Forwarding action?

Explanation: Sharing tags with a remote User-ID agent specifically uses the HTTP protocol. You need to configure an HTTP Server Profile, enable the "Tag Registration" option within it, and provide the connection details for the remote agent. This profile is then selected in the Log Forwarding built-in action.

Question 8:

Which CLI command would you use to see the list of dynamically created user groups?

Explanation: The command `show user group list dynamic` specifically lists the names and potentially counts of members for groups defined as dynamic (tag-based). `show object registered-user all` shows users with *any* registered tags, not the groups themselves.

Question 9:

True or False: When using auto-tagging to add a user to a DUG, you must perform a configuration commit for the user membership to update.

Explanation: Auto-tagging applies tags dynamically at runtime based on log events. Once the initial DUG definition and the auto-tagging Log Forwarding Profile/Log Settings are committed, subsequent tag applications and DUG membership updates happen automatically without needing further commits.

Question 10:

Which two log types require configuration under "Device > Log Settings" rather than a "Log Forwarding Profile" to enable auto-tagging actions? (Choose two.)

Explanation: According to the text, auto-tagging actions for User-ID, GlobalProtect, and IP-Tag logs are configured under Device > Log Settings, while actions for Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs use Log Forwarding Profiles.