user id group mapping

Sarou22 · a week ago

Hello I have several questions to ask you about the user ID.

1)We say that the LDAP does not map between the ip and the user, so who does the mapping between the ip and the user name?

2) then, when we configure the mapping of group. I do not understand the mapping of group in what it consists? To associate the name of the user and his ip or to associate a name to a group?

Because we talk about "group mapping" and not "IP mapping".

Abdul-Fattah · a week ago

Hi @Sarou22 ,

- the firewall provide several methods to map IPs to user, one of them is server Monitoring which allow the firewall to monitor AD servers for users authentication, so the firewall can do that among other methods as well.

for more info check this out: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users.html#id6...

- About group to user mapping also the firewall itself will do that, when it is configured, under Device>User Idenetification.

Sarou22 · a week ago

Hello, thank you for the answer.

But I don't understand why we talk about group to user mapping because the firewall maps a user to its IP?

Exemple

User id : John

IP: 192.168.1.1

It's not group to user mapping, isn't it?

Abdul-Fattah · a week ago

for example in a Security policy, to be able to control traffic of a certain user you will need IPs to User mapping. And if you want to control traffic of a certain group you will need IPs to User mapping & users to group mapping.

Sarou22 · Monday

So

Exemple :

Group : John ( 1 person)

Now i don't need group mapping because there IS only one person isn't it ?

BPry · Monday

@Sarou22,

I think you're mixing a few different things and thinking that they're the same. You have the ip-user-mapping that maps a single user to a set IP address (IE: Mapping BPry to 192.168.0.1), and then you have group mapping that just allows the firewall to expand a group down to individual group members.

The ip-user-mapping allows the firewall to say that BPry was mapped to a set IP address and allows you to see that information within the firewall logs and using it in security entries to say that BPry is allowed access to a specified resource.

The user group mapping simply allows the firewall to know which individual users are a member of any particular group. This allows us to say that a group like 'Financial-Accountants' are all given access to the finance applications within the environment. The firewall itself will keep that group up-to-date so that you don't have to individually go through and update your security entries individually every single time that group membership changes.

Abdul-Fattah · Tuesday

thats right. the Firewall needs group mapping so you can use AD groups on your firewall.

Network Security

Cloud Security

Security Operations

user id group mapping

user id group mapping

Show your appreciation!