Active Directory group naming scheme

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Active Directory group naming scheme

L2 Linker

Hi all,

I'd be interested to here is anyone has come up with interesting naming schemes for AD groups used within Palo Alto firewall policies.

I'm looking for inspiration as I'm looking to come up with a logical scheme on our end.




L4 Transporter

Can you elaborate your request

Firewalldog dot com

I'm interested to learn how people name their groups within Active Directory that are used within the Palo Alto Firewall Policies.

Are they named randomly or does the name of the group identify what the policy does within the firewall.


I'm looking to come up with a naming scheme for myself that makes sense, is easy to manage and has relevance when identifying the policy within the firewall so I'd like to learn if others have come up with a scheme or system that they use that I could draw inspiration on for my requirements.


For example, if a policy is giving RDP access to a bunch of servers on floor 3 of office 1 is the rule named 'Off_1_Flr_3_RDP_allow' or is it called 'access to rdp for developers'.

Do you mean just the security rule names / nomenclature?


If you're actually talking about security groups in AD that are used in policy on the firewall...Well in most environments the guys that control the firewall have no input on the naming standard of AD security groups.

Yeah, I'm talking about the nomenclature of the AD security groups themselves.


I guess I'm in a different position where I have the input in naming both.

Naming conventions that I've found most helpful over various employers are ones that are both brief and meaningful.  This usually entails determining first the major categories and then sub-groups that have logical meaning for the organization.  Then developing a short 3-4 letter abreviation for them to encode into the name.


You can further simplify the AD setup by creating security groups that simply contain other groups.


For example:


List of job roles that contain actual users


List of resources needing access security that contain job role groups only


The security policy then can be nuanced to either the resource or the role depending on the details of the rule.


And names are recognizable abbreviations of the resource or the role.



Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!