How to Add Groups or Users to Security Policy

155137
Created On 09/25/18 19:24 PM - Last Modified 01/08/25 11:28 AM


Environment


  • NGFW
  • Supported PAN-OS versions
  • Group Mapping (User-ID)


Resolution


  1. Configure an LDAP server profile on the device (Device > Server Profiles > LDAP).

  2. Configure Group Mapping on the device: go to Device > User Identification > Group Mapping Settings.

    1. Click Add at the bottom.

    2. Select the LDAP Server Profile.

    3. Optionally, add the User Domain (the NetBIOS domain name from Windows AD).

    4. Go to the Group Include List tab. Under Available Groups, search or browse to the security group, highlight it, and click the plus sign to add it. In a large AD environment, add only the groups you need to the include list: the firewall's User-ID manager (idmgr) has a limit on the number of groups and group members it can hold, and pulling every group in the directory can exceed it.

  3. Verify that the device can pull the group information by running the command:

    > show user group list

    which lists all the groups the device is retrieving from the AD server. A group that does not appear here cannot be selected in policy.

  4. Go to Policies > Security.

  5. Click Add for a new policy or click an existing policy to add the groups.

  6. In the rule, open the User tab and under Source User click Add. The drop-down lists the mapped groups.

  7. Add the groups the rule should match, finish the rule (zones, addresses, applications, action), and commit.


  8. Security policies can also be configured with individual users. Type the username manually (in the form the firewall learns it, for example domain\username) and it will auto-complete; the drop-down only lists user groups, not users.
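The check in step 3 and the Source User entries in steps 6 to 8 can be automated against the PAN-OS XML API. The script below is an added example, not code from this article or from Palo Alto Networks: it builds the operational-command URL (type=op) for `show user group list` and `show user group name "<group>"`, parses the responses, and reports any rule entry that is neither a policy keyword nor a mapped group, which is the usual reason a group-based rule silently never matches. The host name and API key are placeholders, and the two embedded responses are constructed samples in the shape the CLI prints, not captured output; compare them with your own firewall's output before relying on the parsing.

```python
"""Check that the groups a security rule references are mapped on the firewall.

Added example for this article; not Palo Alto Networks code. It uses the
PAN-OS XML API operational-command form (type=op&cmd=<xml>&key=<api-key>)
for `show user group list` and `show user group name "<group>"`. The
responses embedded below are CONSTRUCTED samples in the shape the CLI prints,
not captured firewall output, and the host and API key are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# `show user group list` in XML-API form.
GROUP_LIST_CMD = "<show><user><group><list/></group></user></show>"


def group_name_cmd(group):
    """XML-API form of `show user group name "<group>"` (group name XML-escaped)."""
    return f"<show><user><group><name>{escape(group)}</name></group></user></show>"


def op_cmd_url(host, cmd_xml, api_key):
    """URL for an operational command against a (hypothetical) firewall."""
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})


def _result_text(response_xml):
    """Return the <result> text of an API response, failing on status != success."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: {root.findtext('msg') or 'no message'}")
    return root.findtext("result") or ""


def parse_group_list(response_xml):
    """Set of mapped group names (lowercased) from `show user group list`.
    Summary lines ('Total: N', '* : Custom Group') are skipped."""
    groups = set()
    for line in _result_text(response_xml).splitlines():
        line = line.strip()
        if not line or line.lower().startswith("total:") or line.startswith("*"):
            continue
        groups.add(line.lower())
    return groups


def parse_group_members(response_xml):
    """Member user names from `show user group name`; member lines look like
    '[1     ] example\\jdoe'. Header lines (short name, source) are ignored."""
    text = _result_text(response_xml)
    return [m.group(1).lower() for m in re.finditer(r"^\[\s*\d+\s*\]\s+(\S+)", text, re.M)]


# Source User values that are keywords rather than groups or users.
POLICY_KEYWORDS = {"any", "known-user", "unknown", "pre-logon"}


def unmapped_rule_groups(rule_source_users, mapped_groups):
    """Source User entries that are neither policy keywords nor mapped groups.
    Such an entry never matches traffic, so the rule silently fails to apply.
    Comparison is case-insensitive because AD DNs are not case-sensitive."""
    return [
        entry for entry in rule_source_users
        if entry.lower() not in POLICY_KEYWORDS and entry.lower() not in mapped_groups
    ]


# Constructed sample responses (not captured output).
SAMPLE_GROUP_LIST = """<response status="success"><result>
cn=sales,ou=groups,dc=example,dc=com
cn=contractors,ou=groups,dc=example,dc=com

Total: 2
* : Custom Group
</result></response>"""

SAMPLE_GROUP_MEMBERS = """<response status="success"><result>
short name:  example\\sales

source type: ldap
source:      ad-group-mapping

[1     ] example\\jdoe
[2     ] example\\asmith
</result></response>"""


def audit(rule_source_users, group_list_xml, members_xml):
    """Return (rule entries with no mapped group, members listed for a group)."""
    mapped = parse_group_list(group_list_xml)
    return unmapped_rule_groups(rule_source_users, mapped), parse_group_members(members_xml)


if __name__ == "__main__":
    rule = ["CN=Sales,OU=Groups,DC=example,DC=com", "cn=finance,ou=groups,dc=example,dc=com"]
    print("request:", op_cmd_url("fw.example.com", GROUP_LIST_CMD, "API-KEY-PLACEHOLDER"))
    missing, members = audit(rule, SAMPLE_GROUP_LIST, SAMPLE_GROUP_MEMBERS)
    print("rule entries with no mapped group:", missing)
    print("members of", rule[0], "->", members)
```

In real use, fetch the two responses with an HTTPS client using the URLs from op_cmd_url and group_name_cmd, and run the audit on the Source User list of each group-based rule after every group-mapping change; the member list is also the quickest way to confirm that a user expected to hit the rule is actually in the mapped group.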

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail