Configuration Articles

Featured Article
Understanding Custom groups in LDAP Group Mapping

Use the Custom Group subtab to create custom groups based on LDAP filters, so that you can base firewall policies on user attributes that do not match existing user groups in an LDAP-based service such as Active Directory (AD). User-ID maps every LDAP directory user who matches the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing AD group name, the firewall uses the custom group in all references to that name, so check for collisions with existing group names before you pick one.

Let's consider two groups in AD, each with some users:

    admin@PA-VM> show user group list
    cn=Group1,cn=users,dc=domain,dc=com
    cn=Group2,cn=users,dc=domain,dc=com

These groups already exist in AD. We now create custom groups on the Palo Alto Networks firewall based on user attributes. Here User1, User2, User10 and USER20 belong to the IT department, and User3, User4, User30 and USER40 belong to the Finance department, so we can create two separate custom groups from user attributes (here, the department).

You can see a list of attributes in the Attribute Editor tab, or check this link for an alphabetical list of user attributes: http://www.selfadsi.org/user-attributes.htm

The total number of groups you can add to a group mapping configuration, across the Custom Group subtab and the Group Include List subtab, is 640 per virtual system (vsys).

To create a custom group, click Add, enter a group Name (it must be unique in the group mapping configuration for the current firewall/vsys), specify an LDAP Filter of up to 2,048 characters, then click OK. After creating or cloning a custom group, you must perform a commit before the group becomes available for use in policies and objects.

For example, we now create a rule allowing only Finance users. Confirm that the new group exists and contains the expected members:
    admin@PA-VM> show user group list
    cn=Group1,cn=users,dc=domain,dc=com
    cn=Group2,cn=users,dc=domain,dc=com
    Finance *
    IT *
    Total: 4
    * : Custom Group

    admin@PA-200> show user group name finance
    source type: ldap
    Group type: Custom
    source: domain
    [1     ] domain\rsriramo

The asterisk marks custom groups. show user group name <group> lists the users the LDAP filter actually resolved to, which is the check that matters: compare that list against the people you expect in Finance before the rule that references the group goes live, because anyone the filter over-matches inherits the rule's access.
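The article can only show the resolved membership after a commit, via show user group name. As an added example, not from the article or from Palo Alto Networks, the Python below evaluates candidate custom-group LDAP filters offline against a constructed set of AD-style user entries, so you can see which accounts each filter would pull into the IT and Finance groups before committing. The filter strings, the attribute values, and the two decoy entries (a contact object and a "Financial Ops" account) are assumptions for the demonstration; the page shows neither the filters it used nor these extra objects.

```python
"""
Offline check of the LDAP filters behind two PAN-OS custom groups (IT, Finance).

Added example, not part of the original article. It evaluates RFC 4515
filter strings against a constructed, AD-like directory so that the
membership a filter would produce can be inspected before a commit.
The users, departments and attribute values are assumptions for the demo.
"""
import re

# Constructed sample directory: the eight users from the article plus two
# entries a sloppy filter could catch by mistake (a contact object and an
# account whose department merely begins with "Fin").
DIRECTORY = [
    {"cn": "User1",  "objectClass": ["user"],    "department": "IT"},
    {"cn": "User2",  "objectClass": ["user"],    "department": "IT"},
    {"cn": "User10", "objectClass": ["user"],    "department": "IT"},
    {"cn": "USER20", "objectClass": ["user"],    "department": "IT"},
    {"cn": "User3",  "objectClass": ["user"],    "department": "Finance"},
    {"cn": "User4",  "objectClass": ["user"],    "department": "Finance"},
    {"cn": "User30", "objectClass": ["user"],    "department": "Finance"},
    {"cn": "USER40", "objectClass": ["user"],    "department": "Finance"},
    {"cn": "Vendor", "objectClass": ["contact"], "department": "Finance"},
    {"cn": "User99", "objectClass": ["user"],    "department": "Financial Ops"},
]

# Filters as you would paste them into the Custom Group subtab (assumed values).
FILTER_IT = "(&(objectClass=user)(department=IT))"
FILTER_FINANCE = "(&(objectClass=user)(department=Finance))"
FILTER_FINANCE_SLOPPY = "(department=Fin*)"   # wildcard and no objectClass: over-matches


def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset AD admins actually
    use: &, |, !, equality, presence (attr=*) and substring matches."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(s):
    s = s.strip()
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    # AD attribute names are case-insensitive; normalise for lookup.
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(c, entry) for c in node[1])
    if op == "|":
        return any(_match(c, entry) for c in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, pattern = node
    vals = _values(entry, attr)
    if pattern == "*":                       # presence test
        return bool(vals)
    # '*' is the only wildcard; everything else is literal. Most AD string
    # attributes compare case-insensitively, so match that way.
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in vals)


def members(ldap_filter, directory=DIRECTORY):
    """Return the cn of every entry the filter selects, i.e. the membership
    User-ID would give the custom group built from that filter."""
    node = parse_filter(ldap_filter)
    return [e["cn"] for e in directory if _match(node, e)]


if __name__ == "__main__":
    for name, flt in [("IT", FILTER_IT), ("Finance", FILTER_FINANCE),
                      ("Finance (sloppy)", FILTER_FINANCE_SLOPPY)]:
        print(f"{name:18} {flt:45} -> {members(flt)}")
```

Run it and the strict Finance filter returns exactly User3, User4, User30 and USER40, while the sloppy one also returns the Vendor contact and User99. The filters AND in (objectClass=user) as a defensive habit so that contact objects carrying a department attribute cannot match; that is the author of this example's choice, not a requirement the page states. Once the filter is committed on the firewall, show user group name <group> is the equivalent check against the real directory.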
rsriramoju ‎12-01-2015 02:55 PM