Configure User-ID for Numerous Mapping Information Sources

1. Configure Windows Log Forwarding on the member servers that will collect login events.
   Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.
2. Install the Windows-based User-ID agent.
   Install the Windows-Based User-ID Agent on a Windows server that can access the member servers. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
3. Configure the User-ID agent to collect user mapping information from the member servers.
   1. Start the Windows-based User-ID agent.
   2. Select User IdentificationDiscovery and perform the following steps for each member server that will receive events from domain controllers:
      1. In the Servers section, click Add and enter a Name to identify the member server.
      2. In the Server Address field, enter the FQDN or IP address of the member server.
      3. For the Server Type, select Microsoft Active Directory.
      4. Click OK to save the server entry.
   3. Configure the remaining User-ID agent settings (refer to Configure the Windows-Based User-ID Agent for User Mapping).
   4. If the User-ID sources provide usernames in multiple formats, specify the format for the Primary Username when you Map Users to Groups.
      The primary username is the username that identifies the user on the firewall and represents the user in reports and logs, regardless of the format that the User-ID source provides.
4. Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
   To improve availability, use at least two Global Catalog servers for redundancy.

   You can collect group mapping information only for universal groups, not local domain groups (subdomains).
   1. Select DeviceServer ProfilesLDAP, click Add, and enter a Name for the profile.
   2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (Start TLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
   3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
   4. For the Type, select active-directory.
5. Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.
   User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.

   To improve availability, use at least two servers for redundancy.

   The steps are the same as for the LDAP server profile you created for Global Catalogs in the previous step, except for the following fields:

   • LDAP Server—Enter the IP address of the domain controller that contains the domain mapping information.
   • Port—For a plaintext or Start TLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
   • Base DN—Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string: cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).
6. Create a group mapping configuration for each LDAP server profile you created.
   1. Select DeviceUser IdentificationGroup Mapping Settings.
   2. Click Add and enter a Name to identify the group mapping configuration.
   3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
      If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
   4. Click OK and Commit.