PAN-OS: Requirements for Dynamic User Groups (DUGs)

Introduction

Dynamic User Groups (DUGs) in PAN-OS allow for powerful, context-aware policy enforcement by grouping users based on dynamic tags rather than static directory membership. However, for DUGs to function correctly, several underlying components and configurations must be in place. Understanding these requirements is crucial for successful implementation.

1. Functional User-ID Implementation

Absolute Prerequisite: DUGs operate on tags associated with IP-to-User mappings . Therefore, a working User-ID configuration that successfully maps IP addresses to usernames is the absolute foundation.
Mapping Sources: At least one reliable User-ID mapping method must be active (e.g., Server Monitoring, GlobalProtect, Captive Portal, API, Syslog) to populate the mapping table.
Group Mapping (Optional but Recommended): While DUGs don't directly use static groups for membership, having Group Mapping configured is often necessary to combine DUGs with static group information in policies (e.g., Policy requires user in 'Sales' static group AND in 'Compliant-Device' DUG).

2. A Source for Tag Information

The "dynamic" aspect of DUGs comes from the tags applied to user mappings. You need a mechanism to generate and assign these tags:

GlobalProtect Host Information Profile (HIP) Checks:
- Requirement: GlobalProtect Portal/Gateway deployed, HIP Objects and HIP Profiles configured ( Objects > GlobalProtect ), and HIP data collection enabled in the GP Agent configurations.
- Mechanism: The firewall automatically evaluates HIP reports against HIP Profiles and can be configured (within the HIP Profile or HIP Object) to register specific tags on the User-ID mapping based on match/mismatch results (e.g., tag `Compliant-Device` if matching `HIP-Profile-Compliant`, tag `AV-Missing` if matching `HIP-Object-AV-Not-Running`).
- This is the most common built-in method for populating device posture tags for DUGs.
User-ID XML API / REST API:
- Requirement: An external system (NAC, SOAR, TIP, custom script) capable of making API calls to the PAN-OS firewall or Panorama. API access must be enabled and secured (API key).
- Mechanism: The external system sends API requests to register or unregister specific tags for given IP addresses or usernames.
- Example: A NAC solution detects a non-compliant device via its own checks and uses the API to tag the corresponding IP/user mapping on the firewall with `NAC-NonCompliant`.
VM Information Sources (Panorama/VMware Integration):
- Requirement: Integration configured between Panorama and VMware vCenter or NSX ( Panorama > Cloud Services > Configuration ).
- Mechanism: Panorama retrieves VM attributes (like VM name, OS, custom VMware tags) and can correlate these with IP addresses learned via VM-Monitoring. These attributes can be used to dynamically register tags on the corresponding IP mappings.
- Use Case: Creating DUGs based on VM characteristics in virtualized environments.
Cloud Identity Engine (CIE):
- Requirement: Subscription and configuration of the Cloud Identity Engine.
- Mechanism: CIE gathers attributes from various cloud and on-premise sources (like Azure AD conditional access status). These attributes can potentially be used as tags (check specific CIE documentation for current capabilities).

3. Dynamic User Group Object Configuration

Requirement: Define the DUG itself.
Location: Objects > Dynamic User Groups
Configuration:
- Give the DUG a unique Name (this name is used in policies).
- Define the Match Criteria by specifying one or more tags.
- Use AND/OR logic if matching multiple tags (e.g., 'Include users matching ALL specified tags' (AND) or 'Include users matching ANY specified tag' (OR)).
Example: A DUG named `DUG-Secure-Finance` might require tags `Compliant-Device` AND `Finance-Group-Member` (assuming 'Finance-Group-Member' tag is pushed via API based on AD group).

4. Policy Rule Configuration

Requirement: Utilize the defined DUG in relevant policies.
Location: Policies > Security (or QoS, Decryption, Authentication)
Configuration: In the Source User field of the policy rule, select the name of the Dynamic User Group object created previously.
Behavior: The policy rule will match traffic if the source user's current IP-to-User mapping has the tag(s) required for membership in the selected DUG.

5. Network Connectivity and Firewall Rules

Requirement: Ensure communication paths are open for the tag sources.
Examples:
- If using HIP checks, clients must be able to reach the GP Portal/Gateway.
- If using the API, the external system needs network access to the firewall/Panorama management interface (or specified API listener) on the API port (typically TCP/443). Firewall rules must permit this.
- If using VM Information Sources, Panorama needs connectivity to vCenter/NSX.

Component/Feature	Requirement Summary	Primary Configuration Area
Base User-ID	Functional IP-to-User mapping from any standard source (Server Mon, GP, CP, API, Syslog etc.).	`Device > User Identification`
Tag Source (Choose at least one)	A mechanism to associate tags with IP/User mappings.	- `Objects > GlobalProtect` (HIP) - API Configuration (External System) - `Panorama > Cloud Services` (VM Info) - Cloud Identity Engine Config
Dynamic User Group Object	Definition of the group based on matching specific tags.	`Objects > Dynamic User Groups`
Policy Utilising DUG	Security, QoS, Decryption, or Authentication rules referencing the DUG name.	`Policies > [Policy Type]` (Source User field)
Network Connectivity	Allow communication between tag sources, firewall/Panorama, and clients as needed.	Firewall Rules, Routing, Interface Config
(Optional) Group Mapping	Needed if combining DUG context with static group membership in policies.	`Device > User Identification > Group Mapping Settings`

For the PCNSE exam, understand these requirements for DUGs:

DUGs depend on a working User-ID mapping foundation .
DUGs require a source to assign tags to user mappings (HIP is a key built-in source, API is key for external integration).
You must configure the DUG object itself, defining the tag match criteria.
DUGs are used within the Source User field of various policy types.
Underlying network connectivity for tag sources is essential.

References for Using Dynamic User Groups (DUG) with User-ID Mappings

Policy Object: Dynamic User Groups – Official documentation detailing the configuration and use of Dynamic User Groups in Palo Alto Networks firewalls.
User-ID Best Practices for Dynamic User Groups – Best practices for planning, deploying, and maintaining Dynamic User Groups with User-ID.
Use Dynamic User Groups in Policy – Guidance on integrating Dynamic User Groups into security policies for automated user-based access control.
Apply User-ID Mapping and Populate Dynamic Groups (API) – Instructions on using the XML API to apply User-ID mappings and populate dynamic groups.
User-ID Best Practices for Redistribution – Strategies for redistributing User-ID information, including dynamic user group tags, across multiple firewalls.

PAN-OS: Requirements to Support Dynamic User Groups (DUGs)