The Palo Alto Networks firewall can retrieve user-to-group mapping information from an LDAP server such as Active Directory or eDirectory. The data can be retrieved through LDAP queries issued directly by the firewall (agent-less User-ID, introduced in PAN-OS 5.0) or by a User-ID Agent configured to proxy the firewall's LDAP queries. This document describes how to configure Group Mapping on a Palo Alto Networks firewall.
Configure how groups and users are retrieved from the LDAP directory by creating a new group mapping entry: navigate to the Device > User Identification > Group Mapping Settings tab and click 'Add'. Refer to the screenshot below.
Enter a Name. On Palo Alto Networks firewalls that support multiple virtual systems, a drop-down list (Location) is available to select the virtual system.
Specify the LDAP server profile (configured in step 1) in the drop-down list under the Server Profile tab. Note: All Attributes and ObjectClasses are populated based on the directory server type selected in the LDAP Server Profile.
The default update interval for user group changes is 3600 seconds (1 hour). Enter a value to specify a custom interval.
Go to the Group Include List tab. Leave the include list blank if you want to include ALL groups, or select the groups to be included from the left column that should be mapped.
CLI commands to check the groups retrieved and connection to the LDAP server:
> show user group-mapping state all
> show user group list
> show user group name <group name>
Note: When multiple group mappings are configured with the same base DN or LDAP server, each group mapping must include non-overlapping groups, i.e. the include group lists must not have any group in common.
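The following Python check, added here as an example and not Palo Alto Networks code, flags group-mapping entries that break this rule before they are committed. The record field names and the sample mappings are constructed assumptions, not PAN-OS configuration keys; a blank include list is treated as "include ALL groups", as described above.

```python
"""Find group-mapping entries whose include lists overlap on the same
LDAP server profile or base DN (PAN-OS requires them to be disjoint)."""
from collections import defaultdict
from itertools import combinations

ALL_GROUPS = "<all groups>"  # marker: blank include list means ALL groups


def normalize_dn(dn):
    """Normalize a DN for comparison: DNs are case-insensitive and spaces
    around ',' and '=' are not significant. (Escaped commas not handled.)"""
    rdns = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in r.split("=", 1)) for r in rdns).lower()


def find_include_overlaps(mappings):
    """Return [(mapping_a, mapping_b, {overlapping normalized group DNs})].

    Two mappings conflict when they share a server profile or a base DN and
    their include lists have a group in common. A blank include list covers
    ALL groups and therefore overlaps with any other mapping in that scope.
    """
    by_scope = defaultdict(list)
    for m in mappings:
        # index under both keys so a shared server OR a shared base DN is caught
        by_scope[("server", m["server_profile"].lower())].append(m)
        by_scope[("base_dn", normalize_dn(m["base_dn"]))].append(m)
    seen, conflicts = set(), []
    for members in by_scope.values():
        for a, b in combinations(members, 2):
            key = tuple(sorted((a["name"], b["name"])))
            if key in seen:
                continue  # already reported via the other scope key
            ga = {normalize_dn(g) for g in a["include"]}
            gb = {normalize_dn(g) for g in b["include"]}
            common = {ALL_GROUPS} if not ga or not gb else ga & gb
            if common:
                seen.add(key)
                conflicts.append((key[0], key[1], common))
    return conflicts


SAMPLE_MAPPINGS = [  # constructed sample configuration, not from a real firewall
    {"name": "gm-corp-users", "server_profile": "ldap-corp", "base_dn": "DC=example,DC=com",
     "include": ["CN=Sales,OU=Groups,DC=example,DC=com", "CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"name": "gm-corp-admins", "server_profile": "ldap-corp", "base_dn": "dc=example, dc=com",
     "include": ["cn=finance,ou=groups,dc=example,dc=com", "CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"name": "gm-lab-all", "server_profile": "ldap-lab", "base_dn": "DC=lab,DC=local", "include": []},
    {"name": "gm-lab-eng", "server_profile": "ldap-lab", "base_dn": "DC=lab,DC=local",
     "include": ["CN=Engineering,OU=Groups,DC=lab,DC=local"]},
]

if __name__ == "__main__":
    for a, b, common in find_include_overlaps(SAMPLE_MAPPINGS):
        print(f"{a} / {b}: overlapping groups {sorted(common)}")
```

Running the block reports the Finance group shared by the two corporate mappings (differing only in DN case and spacing) and the lab pair where a blank include list collides with every other mapping on that server.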