Palo Alto Networks Knowledgebase: How to Add Groups or Users to Security Policy

How to Add Groups or Users to Security Policy

Created On 09/02/19 20:24 PM - Last Updated 09/02/19 22:32 PM
Tags: Group Mapping, Security Policy, Policy, User-ID, PAN-OS 7.1, 8.0, 8.1, 9.0
Resolution
  1. Configure an LDAP server profile on the firewall (Device > Server Profiles > LDAP) that points at the Active Directory domain controller(s).

  2. Once group mapping (step 3) has been configured and committed, verify that the firewall can pull the group information by running the command:

    > show user group list

    The output lists every group the firewall has retrieved from the AD server. An empty list means the LDAP profile or the group mapping configuration is not working and nothing in the Source User drop-down will populate.

  3. Configure group mapping on the firewall. Go to Device > User Identification > Group Mapping Settings.

    1. Click Add at the bottom.

    2. Select the LDAP Server Profile created in step 1.

    3. Optional: enter the User Domain (the NetBIOS domain name from Windows AD). This controls the domain prefix the firewall places in front of group and user names.

    4. Go to the Group Include List tab and, under Available Groups, either Search or Browse to the security group, highlight it and click the plus sign to add it. A group include list is recommended in a large AD environment because the idmgr process that stores group membership has a platform-dependent limit on the number of groups and members it can hold.

  4. Verify that the IP-address-to-user mapping is correct. Run the command:

    > show user ip-user-mapping all

    The output lists every IP-to-user mapping the firewall currently holds from its User-ID agent(s). The User column shows the exact form of the name (normally NetBIOS_domain\username) that a Source User entry must match.

  5. Go to Policies > Security.

  6. Click Add for a new policy, or click an existing policy to add groups to it.

  7. On the User tab, under Source User, click Add. The drop-down lists the groups pulled by group mapping.

  8. Select the groups whose traffic the rule should match and finish configuring the security policy.


  9. Security policies can also be restricted to individual users. The drop-down only offers User Groups, not users, so type the username into the Source User field by hand; the field auto-completes from the known users. Enter the name in the same form that `show user ip-user-mapping all` displays it (normally NetBIOS_domain\username); a name typed in a different form will never match.
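The following script is an added example, not part of this KB article or of PAN-OS itself. It parses the text printed by the two verification commands in steps 2 and 4 (`show user group list` and `show user ip-user-mapping all`) and checks whether a value typed into Source User in steps 7 to 9 can ever match traffic: a group must be present in the group-mapping output, and an individual user must appear, in exactly the same domain\name form, in the IP-user mapping table. The two sample outputs are constructed to mirror the real column layout; paste your own firewall output in their place.

```python
"""Pre-commit sanity check for a User-ID based security rule.

Added example (not from the Palo Alto Networks KB article). Parses the text
that `show user group list` and `show user ip-user-mapping all` print and
tells you whether a Source User entry can match traffic.
"""
import ipaddress

# Constructed sample of `show user group list` (groups are printed as DNs).
GROUP_LIST_OUTPUT = """\
cn=vpn-users,ou=groups,dc=acme,dc=local
cn=finance-users,ou=groups,dc=acme,dc=local

Total: 2
* : Custom Group
"""

# Constructed sample of `show user ip-user-mapping all`.
IP_USER_MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.5        vsys1  UIA     acme\\jdoe                        2400           2700
10.1.1.9        vsys1  UIA     acme\\asmith                      1800           2700
Total: 2 users
"""


def parse_group_list(text):
    """Return the set of group DNs (lower-cased) pulled by group mapping.

    Skips the blank line, the 'Total:' footer and the '* : Custom Group' legend.
    """
    return {line.strip().lower()
            for line in text.splitlines()
            if line.strip().lower().startswith("cn=")}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ip_user_mapping(text):
    """Return {ip: user} from the mapping table.

    Data rows start with an IP address (v4 or v6); the header, the dashed
    rule and the 'Total: N users' footer do not, so they are skipped.
    Columns are IP, Vsys, From, User, ...; only the first four are used.
    """
    mapping = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and _is_ip(tokens[0]):
            mapping[tokens[0]] = tokens[3]
    return mapping


def _leaf_cn(dn):
    """cn=vpn-users,ou=groups,dc=acme,dc=local -> vpn-users"""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def check_source_user(source_user, groups, mapping):
    """Return (ok, reason) for one Source User entry.

    source_user is the string as typed in the rule, e.g. 'acme\\vpn-users'
    (a group, as offered by the drop-down) or 'acme\\jdoe' (a user, typed by hand).
    Matching is case-insensitive, as it is on the firewall.
    """
    if "\\" not in source_user:
        return False, f"{source_user!r} has no domain prefix; mappings use DOMAIN\\name"
    domain, name = (part.lower() for part in source_user.split("\\", 1))

    # Group: the drop-down shows the short name, whose name part is the leaf CN.
    if name in {_leaf_cn(g) for g in groups}:
        return True, f"group {source_user} is present in group mapping"

    # User: must match a mapping entry exactly, domain prefix included.
    users = {u.lower() for u in mapping.values()}
    if f"{domain}\\{name}" in users:
        return True, f"user {source_user} has an active IP-user mapping"

    # Most common failure: right user, wrong domain form (FQDN vs NetBIOS, etc.).
    bare_names = {u.split("\\", 1)[1] for u in users if "\\" in u}
    if name in bare_names:
        return False, (f"user {name} is mapped, but under a different domain prefix "
                       f"than {domain!r}; copy the User column form verbatim")
    return False, f"{source_user} is neither a mapped group nor a mapped user"


if __name__ == "__main__":
    groups = parse_group_list(GROUP_LIST_OUTPUT)
    mapping = parse_ip_user_mapping(IP_USER_MAPPING_OUTPUT)
    for entry in ("acme\\vpn-users", "acme\\jdoe", "jdoe", "corp\\jdoe", "acme\\nobody"):
        ok, reason = check_source_user(entry, groups, mapping)
        print("OK  " if ok else "FAIL", reason)
```

Run it after pasting the real output of both commands into the two constants; a FAIL for a group means group mapping is not pulling it (revisit step 3), while a FAIL for a user with the "different domain prefix" reason means the name was typed in a form that the mapping table does not use.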

Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail