Strata Copilot
    User-ID Best Practices
    : User-ID Best Practices for Dynamic User Groups
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. User-ID Best Practices
    4. User-ID Best Practices
    5. User-ID Best Practices for Dynamic User Groups
    Download PDF

    User-ID Best Practices

    User-ID Best Practices for Dynamic User Groups

    Table of Contents

    User-ID Best Practices for Dynamic User Groups

    Steps to help you plan, deploy, and maintain Dynamic User Groups with User-ID.
    Dynamic user groups allow you to respond to changes in user behavior, business needs, or potential threats without manual policy changes or creating and updating the groups. Dynamic user groups help you create a security policy that provides:
    • Time-bound resource access for users
    • Auto-remediation for anomalous user behavior and malicious activity while maintaining user visibility
    After you define the group’s criteria using tags and commit the changes, the membership of the dynamic user group is automatically updated based on the user’s tags.

    Plan User-ID Best Practices for Dynamic User Group Deployment

    • Based on factors such as changes in business needs or user behavior, identify how you want the firewall to control user access:
      • Do you want to allow or restrict access through security policy?
      • Do you want to require MFA for users?
      • Do you want to decrypt the user’s traffic to gain more visibility into user activity?
    • Determine the duration of the user’s membership in a specific dynamic user group.
      • Should the firewall automatically remove the user from the group based on time (for example, the number of hours a contractor needs for temporary resource access)?
      • Should the firewall require a specific event to associate or disassociate users from the group (for example, malicious activity)?
    • Evaluate what events the firewall generates that can identify a change in user behavior or business needs. You can assign tags through the API, auto-tagging, or manually using the web interface.
      • Based on your use cases, determine what tags you will use to group users and how you will generate the tag.
      • For example, one possible use case would be to evaluate the user’s risk level based on their behavior such as “high-risk,” “medium-risk,” and “low-risk” based on analysis from Palo Alto Networks firewalls and applications or third-party devices, applications and services, then automatically assign tags to users based on those events.
    • Identity the user information sources for the tags:
      • Firewall logs
        • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile and use the Built-In Actions.
        • For User-ID, HIP Match, GlobalProtect, and IP-Tag logs, configure the log settings.
      • Cortex XSOAR
      • Security Information and Event Management Systems (SIEMS), such as Splunk
      • Custom API scripts
    • Combine tags from multiple sources to define the criteria for dynamic user groups. For example, you may want to deny the user access only if you receive alerts from multiple security applications that the user’s credentials have been compromised, instead of just a single application, based on confidence level.

    Deploy Dynamic User Groups Using Best Practices for User-ID

    • If you have a large number of users that you want to add to a dynamic user group or if you want to add users based on events from other security applications, use APIs to add the users instead of the web interface.
    • Use the API or manually define the Timeout that represents when to remove users from this group (for example on contract expiration).
    • Create security policy rules that use the dynamic user group as the Source User to control user access, enable MFA or decrypt the traffic for users who are members of the dynamic users groups.
    • Configure sources to provide information for user tags:
      • If you use firewall logs, configure auto-tagging to tag the user.
      • If you use Splunk, you can assign tags to users with the Palo Alto Networks app for Splunk.
      • Use playbooks in Cortex XSOAR or other Security Orchestration, Automation, and Response (SOAR) platforms to apply tags to users based on specific events.
      • If you use custom scripts, modify the script to populate the tags using the API.
      • Add users to the groups manually using the firewall’s web interface.

    Use Dynamic User Group Post-Deployment Best Practices for User-ID

    • Review your group membership to ensure that only the users you want to include are members of the group. If the group includes users who do not belong in the group (for example, permanent employees in the “contractor-access” group), Unregister Users to remove their username-to-tag mappings and Delete them from the group.
    • Review the User-ID logs to verify that the firewall correctly generates tags for users.
    • Use the CLI commands learn more about your dynamic user groups (for example, to see which users are associated with groups).
    • Use the dynamic user group column on Traffic and Threat logs to ensure that the firewall matches the groups to the expected security policies.
    • Redistribute the user tags to other firewalls to ensure all firewalls consistently apply the security policy. Keep in mind that you can redistribute the user tags for only one hop.

    © 2025 Palo Alto Networks, Inc. All rights reserved.