Network Security
Policy Object: Dynamic User Groups
Dynamic user groups help you create policy that provides auto-remediation for anomalous
user behavior and malicious activity while maintaining user visibility.
Dynamic user groups are groups whose membership is based on tags. Membership is
based on an attribute or activity that the tag identifies, and members are
included in the group only while they meet those criteria. A dynamic user group
that is based on an auto-tag includes users or IP addresses that are associated
with a certain type of log activity (specified by you when you set up the
auto-tag). This means you can specify your security requirements based on the
activity you want to limit or block, instead of the entity (user or IP address),
and you don’t need to manually update policy or groups to respond to a threat.
You can configure a dynamic user group to automatically include users as members
without having to manually create and commit policy or group changes, and still
maintain user-to-data correlation at the device level even before the traffic is
scanned.
Troubleshoot traffic that isn't being enforced as expected: check the status of
specific devices to understand whether there’s a mismatch between expected
policies (as configured) and enforced policies.
Use Dynamic User Groups in Policy
After you create the group and commit the changes, users and associated tags are
registered, and the dynamic user group’s membership is updated automatically.
Because membership updates are automatic, using dynamic user groups instead of
static group objects allows you to respond to changes in user behavior or
potential threats without manual policy changes.
To determine what users to include as members, a dynamic user group uses tags as
filtering criteria. As soon as a user matches the filtering criteria, that user
becomes a member of the dynamic user group. The tag-based filter uses logical
AND and OR operators. Each tag is a metadata
element or attribute-value pair that you register on the source statically or
dynamically. Static tags are part of your configuration, while dynamic tags are
part of the runtime configuration. As a result, you don’t need to commit updates
to dynamic tags if they are already associated with a policy that you've
committed.
To dynamically register tags, you can use:
- the XML API
- the User-ID agent
- Panorama
- PAN-OS
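The XML API route listed above, as an added example that is not Palo Alto Networks code: a small Python helper that builds a User-ID register-user or unregister-user message for one user and the form body to POST it. The uid-message element layout and the timeout attribute follow my reading of the PAN-OS User-ID XML API and are assumptions to confirm against the XML API reference for your PAN-OS version (in particular the unit of the timeout attribute, assumed here to be the same minutes range the UI uses); the host, API key, user and tag names are constructed placeholders. Building the message with ElementTree rather than string formatting means a user name containing XML metacharacters is escaped instead of breaking the document.

```python
"""Build PAN-OS User-ID XML API messages that register or unregister dynamic
tags on a user. Added example, not Palo Alto Networks code. The uid-message
schema (register-user / unregister-user, <member timeout="...">) is my reading
of the PAN-OS XML API: confirm it against the reference for your version.
Host, API key, user and tag names below are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_message(action: str, user: str, tags, timeout_min: int = 0) -> str:
    """Return <uid-message> XML that registers ('register') or unregisters
    ('unregister') the given tags on one user. A timeout of 0 means the tag
    does not expire; the unit is assumed to be minutes, as in the UI."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    if not tags:
        raise ValueError("at least one tag is required")
    if not 0 <= timeout_min <= 43200:
        raise ValueError("timeout must be 0 (never) to 43200")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    section = ET.SubElement(payload, f"{action}-user")
    # ElementTree escapes the user and tag names, so a value such as
    # "a&b" cannot alter the structure of the message.
    entry = ET.SubElement(section, "entry", user=user)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        member = ET.SubElement(tag_el, "member")
        member.text = tag
        if action == "register" and timeout_min:
            member.set("timeout", str(timeout_min))
    return ET.tostring(root, encoding="unicode")


def build_api_request(host: str, api_key: str, xml_cmd: str) -> tuple:
    """Return (url, form body) for the User-ID API. Sending the body in a POST
    keeps the API key and the command out of URLs and web-server access logs."""
    url = f"https://{host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": xml_cmd})
    return url, body


def describe_message(xml_text: str) -> dict:
    """Parse a uid-message back into a plain dict, e.g. for an audit log of
    what was sent to the firewall."""
    root = ET.fromstring(xml_text)
    section = root.find("payload")[0]
    entry = section.find("entry")
    return {
        "action": section.tag,
        "user": entry.get("user"),
        "tags": [(m.text, m.get("timeout")) for m in entry.iter("member")],
    }


if __name__ == "__main__":
    # Constructed sample: tag a user for 60 minutes, then show the request.
    msg = build_uid_message("register", "acme\\alice", ["malware-src"], 60)
    url, body = build_api_request("firewall.example.invalid", "PLACEHOLDER_API_KEY", msg)
    print(msg)
    print(url, body, sep="\n")
    print(describe_message(msg))
```

The unregister form drops the timeout attribute, which mirrors the page's Unregister Users step: removing the tag removes the user-to-tag mapping and, with it, the group membership.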
Tags for the dynamic user group are redistributed to the listening redistribution
agents, which include other devices, Panorama, or a Dedicated Log Collector, as
well as Cortex applications.
Tags for the dynamic user group are redistributed to the next hop and you
can configure log forwarding to send the
logs to a specific server. Log forwarding also allows you to use auto-tagging to automatically add or remove members of dynamic user
groups based on events in the logs.
To support redistribution for dynamic user group tags on PAN-OS, all
devices must use PAN-OS 9.1 to receive the tags from the registration
sources.
Follow these steps to configure dynamic user groups and use them for policy
enforcement.
Use Dynamic User Groups in Policy (Strata Cloud Manager)
Learn how to configure dynamic user groups and use them for policy
enforcement.
- Select Manage > NGFW and Prisma Access > Objects > Dynamic User Groups and Add Dynamic User Group.
- Define the membership of the dynamic user group.
  - Enter a Name for the group.
  - (Optional) Enter a Description for the group.
  - Add Match Criteria using dynamic tags to define the members in the dynamic user group.
  - (Optional) Use the AND or OR operators with the tag(s) that you want to filter for or match against. Negation is not supported.
  - (Optional) Select the Tags you want to assign to the group itself. This tag displays in the Tags column in the Dynamic User Group list and defines the dynamic group object, not the members in the group.
  - Select Save and Push Config to commit and push your changes. If you update the user group object filter, you must commit the changes to update the configuration.
- Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
  - For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
  - For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
- (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-4320).
- Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to create at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent. To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
  - Select the dynamic user group from Step 1 as the Source User.
  - Create the rule where the Action denies traffic to the dynamic user group members.
  - Create the rule that allows the traffic to populate the dynamic user group members.
  - If you configured a Log Forwarding profile in Step 3, select it to add it to the policy.
  - Commit your changes.
- (Optional) Refine the group’s membership and define the registration source for the user-to-tag mapping updates. If the initial user-to-tag mapping retrieves users who should not be members, or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
  - In the Users column, select more.
  - Register Users to add them to the group and select the Registration Source for the tags and user-to-tag mappings.
    - Local (Default): Register the tags and mappings for the dynamic user group members locally on your device.
    - Panorama User-ID Agent: Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
    - Remote device User-ID Agent: Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
  - Select the Tags you want to register on the source using the tag(s) you used to configure the group.
  - (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
  - Add or Delete users as necessary.
  - (Optional) Unregister Users to remove their tags and user-to-tag mappings.
- Verify that the users in the dynamic user group are populated correctly.
  - Confirm the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
  - Use the show user group list dynamic command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
  - Use the show object registered-user all command to display a list of users who are registered members of dynamic user groups.
  - Use the show user group name <group-name> command to display information about the dynamic user group, such as the source type.
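To make the mechanics concrete, here is an added Python model (not PAN-OS code and not from this page) of what the filtering paragraph and the two-rule step above describe: a tag registry with per-tag timeouts in minutes, a dynamic user group whose match criteria is an AND/OR expression over tag names (negation is not supported), and a rulebase evaluated top-down in which the allow rule carries a simulated log-forwarding auto-tag action. The user, tag and rule names and the timeline are constructed; `run_scenario(deny_first=False)` shows what happens when the deny rule is placed below the allow rule that populates the group.

```python
"""Toy model of dynamic user group (DUG) membership and rule ordering.
Added illustration, not PAN-OS code. A user acquires tags (here from a
simulated auto-tag action on a threat log), an AND/OR filter over tags
decides membership, and the rulebase is evaluated top-down, so the deny
rule for the DUG must sit above the allow rule that populates it.
All names, tags and timestamps below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def parse_filter(text: str):
    """Parse match criteria such as "malware-src or (bad-url and high-risk)".
    AND binds tighter than OR; parentheses group; negation is rejected.
    Returns a tag name (str) or a nested ("and"|"or", left, right) tuple."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "and":
            take()
            node = ("and", node, parse_atom())
        return node

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok.lower() in ("and", "or", "not", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return tok  # a tag name

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return tree


def matches(expr, tags: Set[str]) -> bool:
    """Evaluate a parsed filter against the set of live tags on a user."""
    if isinstance(expr, str):
        return expr in tags
    op, left, right = expr
    if op == "and":
        return matches(left, tags) and matches(right, tags)
    return matches(left, tags) or matches(right, tags)


class TagRegistry:
    """Dynamic user-to-tag mappings; timeout 0 means the tag never expires."""

    def __init__(self):
        self._tags: Dict[str, Dict[str, Optional[int]]] = {}

    def register(self, user: str, tag: str, now: int, timeout_min: int = 0):
        self._tags.setdefault(user, {})[tag] = None if timeout_min == 0 else now + timeout_min

    def unregister(self, user: str, tag: str):
        self._tags.get(user, {}).pop(tag, None)

    def live_tags(self, user: str, now: int) -> Set[str]:
        return {t for t, exp in self._tags.get(user, {}).items() if exp is None or exp > now}


@dataclass
class DynamicUserGroup:
    name: str
    match_criteria: str

    def is_member(self, user: str, registry: TagRegistry, now: int) -> bool:
        return matches(parse_filter(self.match_criteria), registry.live_tags(user, now))


@dataclass
class Rule:
    name: str
    action: str                                       # "allow" or "deny"
    source_group: Optional[DynamicUserGroup] = None   # None matches any user
    auto_tag: Optional[Tuple[str, str, int]] = None   # (log type, tag, timeout minutes)


def evaluate(rulebase, user, registry, now, log_type=None):
    """First match top-down. If the matching rule has an auto-tag action and the
    session produced that log type, the tag is registered (simulated log
    forwarding). Returns (rule name, action)."""
    for rule in rulebase:
        if rule.source_group and not rule.source_group.is_member(user, registry, now):
            continue
        if rule.auto_tag and log_type == rule.auto_tag[0]:
            _, tag, timeout = rule.auto_tag
            registry.register(user, tag, now, timeout)
        return rule.name, rule.action
    return "default", "deny"


def run_scenario(deny_first: bool = True):
    """Constructed timeline for one user: clean traffic, a threat log that
    auto-tags the user for 60 minutes, traffic while tagged, traffic after expiry."""
    registry = TagRegistry()
    quarantine = DynamicUserGroup("quarantine-users", "malware-src or (bad-url and high-risk)")
    deny = Rule("block-quarantined", "deny", source_group=quarantine)
    allow = Rule("allow-and-tag", "allow", auto_tag=("threat", "malware-src", 60))
    rulebase = [deny, allow] if deny_first else [allow, deny]
    timeline = []
    for now, log_type in ((0, None), (5, "threat"), (10, None), (70, None)):
        name, action = evaluate(rulebase, "acme\\alice", registry, now, log_type)
        timeline.append((now, name, action))
    return timeline


if __name__ == "__main__":
    for deny_first in (True, False):
        print("deny rule above allow rule" if deny_first else "allow rule above deny rule")
        for now, name, action in run_scenario(deny_first):
            print(f"  t={now:>3} min  {name:<18} {action}")
```

With the deny rule above the allow rule, the user is allowed at t=0 and t=5, tagged by the threat log at t=5, denied at t=10, and allowed again at t=70 once the 60-minute tag has expired. With the order reversed, the allow rule matches every session first and the deny rule never fires, which is the mismatch between configured and enforced policy that the troubleshooting note above tells you to look for.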
Use Dynamic User Groups in Policy (PAN-OS & Panorama)
Learn how to configure dynamic user groups and use them for policy
enforcement.
- Select Objects > Dynamic User Groups and Add a new dynamic user group.
- Define the membership of the dynamic user group.
  - Enter a Name for the group.
  - (Optional) Enter a Description for the group.
  - Add Match Criteria using dynamic tags to define the members in the dynamic user group.
  - (Optional) Use the And or Or operators with the tag(s) that you want to filter for or match against. Negation is not supported.
  - Click OK.
  - (Optional) Select the Tags you want to assign to the group itself. This tag displays in the Tags column in the Dynamic User Group list and defines the dynamic group object, not the members in the group.
  - Click OK and Commit your changes. If you update the user group object filter, you must commit the changes to update the configuration.
- Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
  - For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
  - For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
- (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
- Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to create at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent. To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
  - Select the dynamic user group from Step 1 as the Source User.
  - Create the rule where the Action denies traffic to the dynamic user group members.
  - Create the rule that allows the traffic to populate the dynamic user group members.
  - If you configured a Log Forwarding profile in Step 3, select it to add it to the policy.
  - Commit your changes.
- (Optional) Refine the group’s membership and define the registration source for the user-to-tag mapping updates. If the initial user-to-tag mapping retrieves users who should not be members, or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
  - In the Users column, select more.
  - Register Users to add them to the group and select the Registration Source for the tags and user-to-tag mappings.
    - Local (Default): Register the tags and mappings for the dynamic user group members locally on the firewall.
    - Panorama User-ID Agent: Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
    - Remote device User-ID Agent: Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
  - Select the Tags you want to register on the source using the tag(s) you used to configure the group.
  - (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
  - Add or Delete users as necessary.
  - (Optional) Unregister Users to remove their tags and user-to-tag mappings.
- Verify that the firewall correctly populates the users in the dynamic user group.
  - Confirm the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
  - Use the show user group list dynamic command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
  - Use the show object registered-user all command to display a list of users who are registered members of dynamic user groups.
  - Use the show user group name <group-name> command to display information about the dynamic user group, such as the source type.