Use Dynamic User Groups in Policy (Strata Cloud Manager)
Focus
Focus
Network Security

Use Dynamic User Groups in Policy (Strata Cloud Manager)

Table of Contents


Use Dynamic User Groups in Policy (Strata Cloud Manager)

Learn how to configure dynamic user groups and use them for policy enforcement.
  1. Select ManageNGFW and Prisma AccessObjectsDynamic User Groups and Add Dynamic User Group.
  2. Define the membership of the dynamic user group.
    1. Enter a Name for the group.
    2. (Optional) Enter a Description for the group.
    3. Add Match Criteria using dynamic tags to define the members in the dynamic user group.
    4. (Optional) Use the AND or OR operators with the tag(s) that you want to use to filter for or match against. Negation is not supported.
    5. (Optional) Select the Tags you want to assign to the group itself.
      This tag displays in the Tags column in the Dynamic User Group list and defines the dynamic group object, not the members in the group.
    6. Select Save and Push Config to commit and push your changes.
      If you update the user group object filter, you must commit the changes to update the configuration.
  3. Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
    • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
    • For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
  4. (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-4320).
  5. Use the dynamic user group in a policy to regulate traffic for the members of the group.
    You will need to create at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent. To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
    1. Select the dynamic user group from Step 1 as the Source User.
    2. Create the rule where the Action denies traffic to the dynamic user group members.
    3. Create the rule that allows the traffic to populate the dynamic user group members.
    4. If you configured a Log Forwarding profile in Step 3, select it to add it to the policy.
    5. Commit your changes.
  6. (Optional) Refine the group’s membership and define the registration source for the user-to-tag mapping updates.
    If the initial user-to-tag mapping retrieves users who should not be members or if it does not include users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
    1. In the Users column, select more.
    2. Register Users to add them to the group and select the Registration Source for the tags and user-to-tag mappings.
      • Local (Default)—Register the tags and mappings for the dynamic user group members locally on your device.
      • Panorama User-ID Agent—Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only. However, you can still register or unregister users from the group.
      • Remote device User-ID Agent—Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
    3. Select the Tags you want to register on the source using the tag(s) you used to configure the group.
    4. (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
    5. Add or Delete users as necessary.
    6. (Optional) Unregister Users to remove their tags and user-to-tag mappings.
  7. Verify that the users in the dynamic user group are populate correctly.
    1. Confirm the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
    2. Use the show user group list dynamic command to display a list of all dynamic user groups as well as the total number of dynamic user groups.
    3. Use the show object registered-user all command to display a list of users who are registered members of dynamic user groups.
    4. Use the show user group name group-name command to display information about the dynamic user group, such as the source type.