11-25-2021 04:38 AM
Hello I have several questions to ask you about the user ID.
1)We say that the LDAP does not map between the ip and the user, so who does the mapping between the ip and the user name?
2) then, when we configure the mapping of group. I do not understand the mapping of group in what it consists? To associate the name of the user and his ip or to associate a name to a group?
Because we talk about "group mapping" and not "IP mapping".
11-25-2021 05:10 AM - edited 11-25-2021 05:11 AM
Hi @Sarou22 ,
- the firewall provide several methods to map IPs to user, one of them is server Monitoring which allow the firewall to monitor AD servers for users authentication, so the firewall can do that among other methods as well.
for more info check this out: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users.html#id6...
- About group to user mapping also the firewall itself will do that, when it is configured, under Device>User Idenetification.
11-25-2021 06:06 AM
Hello, thank you for the answer.
But I don't understand why we talk about group to user mapping because the firewall maps a user to its IP?
Exemple
User id : John
IP: 192.168.1.1
It's not group to user mapping, isn't it?
11-25-2021 07:18 AM
for example in a Security policy, to be able to control traffic of a certain user you will need IPs to User mapping. And if you want to control traffic of a certain group you will need IPs to User mapping & users to group mapping.
11-29-2021 12:01 PM
So
Exemple :
Group : John ( 1 person)
Now i don't need group mapping because there IS only one person isn't it ?
11-29-2021 06:25 PM
I think you're mixing a few different things and thinking that they're the same. You have the ip-user-mapping that maps a single user to a set IP address (IE: Mapping BPry to 192.168.0.1), and then you have group mapping that just allows the firewall to expand a group down to individual group members.
The ip-user-mapping allows the firewall to say that BPry was mapped to a set IP address and allows you to see that information within the firewall logs and using it in security entries to say that BPry is allowed access to a specified resource.
The user group mapping simply allows the firewall to know which individual users are a member of any particular group. This allows us to say that a group like 'Financial-Accountants' are all given access to the finance applications within the environment. The firewall itself will keep that group up-to-date so that you don't have to individually go through and update your security entries individually every single time that group membership changes.
11-30-2021 12:21 AM
thats right. the Firewall needs group mapping so you can use AD groups on your firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
