Learn how to configure dynamic user groups and use them
for policy enforcement.
Dynamic user groups help you to create policy
that provides auto-remediation for anomalous user behavior and malicious
activity while maintaining user visibility. After you create the
group and commit the changes, the firewall registers the users and
associated tags then automatically updates the dynamic user group’s
membership. Because updates to dynamic user group membership are
automatic, using dynamic user groups instead of static group objects
allows you to respond to changes in user behavior or potential threats
without manual policy changes.
To determine which users to include as members, a dynamic user group
uses tags as filtering criteria. As soon as a user matches the filtering
criteria, that user becomes a member of the dynamic user group. The
tag-based filter combines tags with the logical "and" and "or"
operators. Each tag is a metadata element or attribute-value pair that
you register on the source statically or dynamically. Static tags are
part of the firewall configuration, while dynamic tags are part of the
runtime configuration. As a result, you don't need to commit updates to
dynamic tags if they are already associated with a policy that you have
committed on the firewall.
To dynamically register tags,
you can use:
- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall
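The XML API is the programmatic registration path listed above. The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it builds the User-ID XML API message (`uid-message` with `register-user` / `unregister-user` sections, tag names under `<tag><member>`) and the matching form-encoded request body for the firewall's `/api/` endpoint, and it parses such a message back into a summary, which is the shape a receiving redistribution agent would see. The host name, API key, user names, tag names and the per-member `timeout` attribute are assumptions or constructed values; check the attribute against your PAN-OS version before relying on it.

```python
"""Build and parse PAN-OS User-ID XML API tag registration messages.

Added example (not from the documentation). The message layout follows
the User-ID XML API; host, key, users and tags below are constructed.
"""
import urllib.parse
import xml.etree.ElementTree as ET


def build_uid_message(register=None, unregister=None, timeout=None):
    """Return a <uid-message> string.

    register / unregister: dict mapping user name -> list of tag names.
    timeout: optional lifetime in seconds for registered tags; assumption:
    it is carried as a timeout attribute on each <member>. None = no expiry.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, mapping in (("register-user", register),
                             ("unregister-user", unregister)):
        if not mapping:
            continue
        node = ET.SubElement(payload, section)
        for user, tags in mapping.items():
            entry = ET.SubElement(node, "entry", user=user)
            tag_node = ET.SubElement(entry, "tag")
            for tag in tags:
                member = ET.SubElement(tag_node, "member")
                member.text = tag
                if section == "register-user" and timeout is not None:
                    member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def build_api_request(host, api_key, uid_xml):
    """Return (url, form-encoded body) for a POST to the firewall XML API.

    Sending is left to the caller (for example urllib.request over TLS with
    certificate verification); nothing is transmitted here.
    """
    url = f"https://{host}/api/"
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body


def summarize_uid_message(xml_text):
    """Parse a uid-message and return {'register': {...}, 'unregister': {...}}
    with user -> sorted list of tags, as a receiving agent would record it."""
    root = ET.fromstring(xml_text)
    out = {"register": {}, "unregister": {}}
    for key, section in (("register", "register-user"),
                         ("unregister", "unregister-user")):
        for entry in root.iterfind(f"./payload/{section}/entry"):
            tags = [m.text for m in entry.iterfind("./tag/member")]
            out[key][entry.get("user")] = sorted(tags)
    return out


if __name__ == "__main__":
    # Constructed values: a fictitious firewall, key, users and tags.
    msg = build_uid_message(register={"corp\\alice": ["suspicious-login"]},
                            unregister={"corp\\bob": ["suspicious-login"]},
                            timeout=3600)
    url, body = build_api_request("fw.example.invalid", "REDACTED-KEY", msg)
    print(url)
    print(summarize_uid_message(msg))
```

The registration message carries only user names and tag names, so the API key in the request body is the sensitive part; keep it out of logs and source control, and scope the API admin role used for it to User-ID operations only.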
The firewall redistributes the tags for the dynamic user group to the
listening redistribution agents, which include other firewalls, Panorama,
or a Dedicated Log Collector, as well as Cortex applications. To support
redistribution for dynamic user group tags, all firewalls must use
PAN-OS 9.1 to receive the tags from the registration sources.
The firewall redistributes the tags for the dynamic user group to the
next hop, and you can configure log forwarding to send the logs to a
specific server. Log forwarding also allows you to use auto-tagging to
automatically add or remove members of dynamic user groups based on
events in the logs.
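To make the membership mechanics concrete, here is an added example that is not PAN-OS code: it evaluates a tag-based match filter of the kind described earlier (quoted tag names combined with "and", "or" and parentheses, with "and" binding tighter than "or"), keeps a per-user tag registry, recomputes group membership as tags are registered or unregistered, and applies a simple auto-tag rule to constructed log records, mirroring the log-forwarding flow just described. The filter grammar, the simplified key=value log format, the rule, and all users and tags are assumptions or constructed for the example.

```python
"""Dynamic user group membership from tag filters and auto-tag events.

Added example (not from the documentation). Filter grammar, log format,
rule, users and tags are constructed for illustration.
"""
import re

# One token per match: '(' , ')', and/or (case-insensitive), or a quoted tag.
_TOKEN = re.compile(r"\s*(\(|\)|and|or|'[^']*')\s*", re.IGNORECASE)


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: or-expr := and-expr ('or' and-expr)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is not None and tok.startswith("'"):
            return ("tag", tok[1:-1])
        raise ValueError(f"unexpected token {tok!r}")


def matches(node, tags):
    """True if the set of registered tags satisfies the filter AST."""
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "and":
        return matches(node[1], tags) and matches(node[2], tags)
    return matches(node[1], tags) or matches(node[2], tags)


class DynamicUserGroup:
    def __init__(self, name, match):
        self.name = name
        self.ast = Parser(tokenize(match)).parse()
        self.tags = {}  # user -> set of currently registered tags

    def register(self, user, tags):
        self.tags.setdefault(user, set()).update(tags)

    def unregister(self, user, tags):
        if user in self.tags:
            self.tags[user].difference_update(tags)

    def members(self):
        # Membership is derived, never stored: it follows the tags automatically.
        return sorted(u for u, t in self.tags.items() if matches(self.ast, t))


# Constructed log records in a simplified key=value form (not PAN-OS syntax).
SAMPLE_LOGS = [
    "type=THREAT severity=critical user=corp\\alice action=alert",
    "type=TRAFFIC severity=informational user=corp\\bob action=allow",
]

# Constructed auto-tag rule: high/critical threat events tag the user.
AUTO_TAG_RULES = [
    (lambda f: f.get("type") == "THREAT"
               and f.get("severity") in ("high", "critical"), "threat-seen"),
]


def parse_log(line):
    return dict(kv.split("=", 1) for kv in line.split())


def apply_auto_tags(dug, lines, rules=AUTO_TAG_RULES):
    """Register the rule's tag for each matching log record; return members."""
    for line in lines:
        fields = parse_log(line)
        for predicate, tag in rules:
            if predicate(fields) and "user" in fields:
                dug.register(fields["user"], [tag])
    return dug.members()
```

Because membership is recomputed from the tag registry on every lookup, removing the tag (by timeout, unregistration, or an auto-tag "remove" action) drops the user from the group with no commit, which is the behaviour the documentation describes for dynamic tags.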