
| Palo Alto Networks Live 3/24/15, 11:20 AM

How to Configure Group Mapping settings? (Version 6)

created by apasupulati on Apr 24, 2013 7:05 AM, last modified by apasupulati on Feb 7, 2014 9:20 AM

Overview
The Palo Alto Networks firewall can retrieve user-to-group mapping information from an LDAP server, such as
Active Directory or eDirectory. The data can be retrieved through LDAP queries issued by the firewall itself (agent-less
User-ID, introduced in PAN-OS 5.0) or by a User-ID Agent that is configured to proxy the firewall's LDAP queries.
This document describes how to configure Group Mapping on a Palo Alto Networks firewall.

Steps
1. Configure the LDAP server profile: How to Configure LDAP Server Profile
2. Configure how groups and users are retrieved from the LDAP directory by creating a new group mapping
entry: navigate to the Device > User Identification > Group Mapping Settings tab and click 'Add'.

3. Enter a Name. On Palo Alto Networks firewalls that support multiple virtual systems, a drop-down list (Location) is
available to select the virtual system the mapping applies to.
4. On the Server Profile tab, select the LDAP server profile (configured in step 1) from the drop-down list.
Note: The Attributes and ObjectClasses are pre-populated according to the directory server type selected in
the LDAP Server Profile (for example, Active Directory or eDirectory); adjust them only if your directory schema differs.
5. The default update interval for user group changes is 3600 seconds (1 hour). Enter a value to specify a
custom interval.
6. Go to the Group Include List tab. Leave the include list blank to include ALL groups, or select from the left
column only the groups that should be mapped. Limiting the list reduces the number of groups the firewall has to
enumerate on every update.

https://live.paloaltonetworks.com/docs/DOC-4994 Page 1 of 3

CLI commands to check the groups retrieved and connection to the LDAP server:
> show user group-mapping state all
> show user group list
> show user group name <group name>
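As an added example (this is not Palo Alto Networks code and not part of the original article), the following Python script re-creates, over a constructed in-memory directory, the user-to-group resolution that the firewall performs after steps 4 to 6: it enumerates group objects, follows the group-member attribute through nested groups (ignoring membership cycles), keeps only members that carry the configured user object class, applies the Group Include List, and produces per-group member lists like those shown by 'show user group name'. The Active Directory defaults it assumes (group/cn/member for groups, person/sAMAccountName for users) and the optional user filter that stands in for the user-object search filter are assumptions; confirm them against your own server profile. The sample entries are constructed: a contact object matches objectClass person but not user and has no sAMAccountName, and a computer account matches both classes because in Active Directory it is a subclass of user.

```python
# Added example, not code from Palo Alto Networks or from this KB article.
# It re-creates, over a constructed in-memory directory, the user-to-group
# resolution that PAN-OS Group Mapping performs through LDAP, so the effect of
# the Group Include List and of the user Object Class can be seen offline.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Entry:
    dn: str
    object_class: FrozenSet[str]
    attrs: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class MappingProfile:
    # Group Objects / User Objects fields that the LDAP server profile pre-fills.
    # Active Directory defaults are assumed here; check them in your own profile.
    group_class: str = "group"
    group_name: str = "cn"
    group_member: str = "member"
    user_class: str = "person"
    user_name: str = "sAMAccountName"
    # Stand-in for an extra user search filter, e.g. to drop computer accounts.
    user_filter: Optional[Callable[[Entry], bool]] = None


# Constructed sample directory in Active Directory style (not real data).
BASE = "DC=example,DC=com"
FINANCE, CONTRACTORS, ENGINEERING = (
    f"CN={g},OU=Groups,{BASE}" for g in ("Finance", "Contractors", "Engineering"))
ALICE, BOB, CAROL = (f"CN={u},OU=Users,{BASE}" for u in ("alice", "bob", "carol"))
VENDOR = f"CN=Printer Vendor,OU=Contacts,{BASE}"
WS01 = f"CN=WS01,OU=Computers,{BASE}"
USER_CLASSES = frozenset({"top", "person", "organizationalPerson", "user"})

DIRECTORY: Dict[str, Entry] = {e.dn: e for e in [
    Entry(ALICE, USER_CLASSES, {"sAMAccountName": ["alice"]}),
    Entry(BOB, USER_CLASSES, {"sAMAccountName": ["bob"]}),
    Entry(CAROL, USER_CLASSES, {"sAMAccountName": ["carol"]}),
    # AD contact: objectClass person but not user, and no sAMAccountName.
    Entry(VENDOR, frozenset({"top", "person", "organizationalPerson", "contact"}),
          {"cn": ["Printer Vendor"]}),
    # AD computer account: a subclass of user, so it matches person and user alike.
    Entry(WS01, USER_CLASSES | {"computer"}, {"sAMAccountName": ["WS01$"]}),
    # Finance and Contractors nest each other: a membership cycle.
    Entry(FINANCE, frozenset({"top", "group"}),
          {"cn": ["Finance"], "member": [ALICE, CONTRACTORS, VENDOR]}),
    Entry(CONTRACTORS, frozenset({"top", "group"}),
          {"cn": ["Contractors"], "member": [BOB, FINANCE]}),
    Entry(ENGINEERING, frozenset({"top", "group"}),
          {"cn": ["Engineering"], "member": [CAROL, WS01]}),
]}


def search(object_class: str, directory: Dict[str, Entry] = DIRECTORY) -> List[Entry]:
    """Stand-in for the (objectClass=<class>) subtree query the firewall issues."""
    return [e for e in directory.values() if object_class in e.object_class]


def resolve_members(group: Entry, profile: MappingProfile, directory: Dict[str, Entry],
                    seen: Set[str]) -> Tuple[Set[str], List[str]]:
    """Flatten one group's membership, following nested groups and skipping cycles.
    Returns the resolved user names plus the DNs that matched the user class but
    carry no user-name attribute (those cannot be mapped to a username)."""
    users: Set[str] = set()
    unmappable: List[str] = []
    for dn in group.attrs.get(profile.group_member, []):
        member = directory.get(dn)
        if member is None or dn in seen:
            continue  # dangling DN, or already visited (cycle / duplicate)
        seen.add(dn)
        if profile.group_class in member.object_class:
            nested_users, nested_warn = resolve_members(member, profile, directory, seen)
            users |= nested_users
            unmappable += nested_warn
        elif profile.user_class in member.object_class and (
                profile.user_filter is None or profile.user_filter(member)):
            names = member.attrs.get(profile.user_name)
            if names:
                users.add(names[0])
            else:
                unmappable.append(dn)
    return users, unmappable


def build_group_mapping(profile: MappingProfile, include_list: Optional[Set[str]] = None,
                        directory: Dict[str, Entry] = DIRECTORY
                        ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Step 6: an empty include list maps every group, otherwise only the listed DNs.
    Result mirrors 'show user group name <group>': group name -> sorted usernames."""
    mapping: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for group in search(profile.group_class, directory):
        if include_list and group.dn not in include_list:
            continue
        users, unmappable = resolve_members(group, profile, directory, {group.dn})
        mapping[group.attrs[profile.group_name][0]] = sorted(users)
        warnings += unmappable
    return mapping, warnings


if __name__ == "__main__":
    profiles = [("person (default)", MappingProfile()),
                ("user", MappingProfile(user_class="user")),
                ("user, no computers", MappingProfile(
                    user_class="user",
                    user_filter=lambda e: "computer" not in e.object_class))]
    for label, profile in profiles:
        mapping, warnings = build_group_mapping(profile)
        print(f"User Object Class = {label}")
        for name, members in mapping.items():
            print(f"  {name}: {', '.join(members)}")
        for dn in sorted(set(warnings)):
            print(f"  unmappable member (no {profile.user_name}): {dn}")
```

Running it shows why the choice of user Object Class matters: with 'person', the contact object is matched but has no sAMAccountName and is reported as unmappable on every refresh; with 'user' it is simply excluded. Computer accounts survive both choices and only disappear with an explicit filter, which is the kind of thing to check with 'show user group name <group>' after the first update.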


Categories: Setup, Management & Administration, User-ID & Authentication
Tags: ldap, user-id, configuration, group_mapping, user-id_group, group_mappings

Comments

ottench Feb 3, 2014 11:32 PM

Hi,
is there a CLI command to force the group synchronization?

panos Feb 3, 2014 11:37 PM (in response to ottench)

If you mean refresh:

How to Force User Group Mapping Refresh


ottench Feb 3, 2014 11:45 PM (in response to panos)

great that works for me, thx


ecardona Dec 23, 2014 6:23 AM

Hi,

Could be that I have to use "user" instead of "person" in "User Objects > Object Class"

Thanks!

Esteban
