06-03-2021 03:06 AM
Hi All,
We have a challenge: there are around 100 mapped user groups from AD and we need to add them to a single rule. Is there any way we could add those user groups to another single user group and use it in the rule?
Thanks!
06-03-2021 04:59 AM
Hi @Udana
You could create a custom group, with which you can create a group based on an LDAP filter. In this LDAP filter you can use the member-of attribute to include your other groups, and then use this one custom group in the security policy.
06-03-2021 05:08 AM
... or you create a group in Active Directory, add these 100 groups to it, and in the security policy rule you will then be able to use this Active Directory group.
06-03-2021 09:58 AM
Hello,
This is what Remo was referring to, I think:
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClTp
I would recommend staying away from embedding groups as I have seen this cause issues in the past with various products.
Regards,
06-04-2021 04:59 AM
Hi All,
Thanks for the responses. Assume that we have an LDAP group such as CN=x,OU=Groups,OU=y,DC=abc,DC=com. In this case, can we filter out groups at the OU level? I'm not clear about how to create the filter in that custom group. I would really appreciate it if you could help me out here.
Thank you!
06-04-2021 08:27 AM
Hi @Udana
As far as I know, you cannot create an LDAP filter that gets all groups in a specific OU. For such a query you need to use the base DN in an LDAP server profile. So in this case I recommend creating a new LDAP server profile (or copying the existing one) and specifying the base DN exactly as you need it to get the groups you need.
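The member-of filter suggested earlier in the thread, built for a list of group DNs, as an added example that is not from any poster or from the vendor. The function names and the sample DNs are constructed for illustration; it assumes the custom group takes a standard RFC 4515 filter string.

```python
"""Build one LDAP filter matching direct members of any listed AD group."""

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_any(group_dns):
    """Return a filter matching entries whose memberOf is any of group_dns.

    In Active Directory, memberOf lists direct memberships only.
    """
    seen = []
    for dn in group_dns:
        dn = dn.strip()
        if not dn:
            continue
        # AD compares DNs case-insensitively, so dedupe on casefold().
        if dn.casefold() not in (s.casefold() for s in seen):
            seen.append(dn)
    if not seen:
        raise ValueError("at least one group DN is required")
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in seen]
    # A single clause needs no OR wrapper.
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


# Constructed sample DNs under the thread's example base (DC=abc,DC=com).
SAMPLE_GROUPS = [
    "CN=x,OU=Groups,OU=y,DC=abc,DC=com",
    "CN=Sales (EMEA),OU=Groups,OU=y,DC=abc,DC=com",
    "cn=x,ou=groups,ou=y,dc=abc,dc=com",  # duplicate, different case
]

if __name__ == "__main__":
    print(member_of_any(SAMPLE_GROUPS))
```

Group names containing `(`, `)`, `*` or `\` break an unescaped filter, which is why each DN passes through `escape_filter_value` before it is embedded.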