Note: This article describes a service that will be available in July 2021; requests for this service will not be accepted until it is announced.
The bSecure service will soon support user groups, in addition to individual users, in firewall security policy.
Groups do not replace individual users in firewall policy; the two can be intermixed as the customer's needs require. Please see the User-ID article for more information on using usernames instead of groups.
Group Mapping
When available, firewall administrators can request that their VSYS be enabled for group mapping. They will meet with a network engineer who will review their needs, determine whether group mapping is appropriate for the use case, and then configure the service accordingly. Please note that group mapping requests can take more than a month to implement and are affected by change freezes.
Once implemented, users will be able to select their groups from a pre-populated list in the User field of the policy configuration, or they can opt to enter users manually. A policy entry supports manual user entry, group entry, or a mixture of both.
Once online, administrators will manage group membership through CalGrouper without having to modify or push new configuration to their firewalls.
How it Works
- A security policy rule that includes a list of users or groups first matches its other criteria (such as source/destination address and service)
- The VSYS queries the User-ID database with the source network address of the connection
- If a username is mapped to that source address in the database, the name is returned to the VSYS
- If a username is found, the user's group memberships are compared to the users and groups listed in the rule; if one matches, the firewall takes the rule's action. If no username is mapped to the source address, a user- or group-based rule cannot match.
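The matching sequence above, as an added worked example in Python. This is not bSecure or PAN-OS code: the addresses, usernames, rule names and group names are constructed for illustration, USER_ID_TABLE stands in for the firewall's User-ID database, and GROUPS stands in for CalGrouper.

```python
"""Simplified model of bSecure-style User-ID and group matching.

Added example, not bSecure or PAN-OS code. Every address, username, rule
name and group name below is constructed for illustration; GROUPS stands
in for CalGrouper and USER_ID_TABLE for the firewall's User-ID database.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed User-ID table: source address -> username. In the real service
# an entry exists only while the user has an active GlobalProtect session.
USER_ID_TABLE = {
    "10.20.0.11": "alice",
    "10.20.0.12": "bob",
    "10.20.0.13": "carol",
}

# Constructed group membership table (stands in for CalGrouper).
GROUPS = {
    "edu:example:finance-admins": {"alice", "carol"},
    "edu:example:dba": {"bob"},
}


@dataclass
class Rule:
    name: str
    source: str          # CIDR the connection must come from
    destination: str     # CIDR the connection must go to
    service: str         # e.g. "tcp/5432"
    action: str          # "allow" or "deny"
    users: Set[str] = field(default_factory=set)   # individual usernames
    groups: Set[str] = field(default_factory=set)  # group names

    def user_constrained(self) -> bool:
        return bool(self.users or self.groups)


@dataclass
class Connection:
    src: str
    dst: str
    service: str


def lookup_user(src: str) -> Optional[str]:
    """Query the User-ID table with the connection's source address."""
    return USER_ID_TABLE.get(src)


def user_matches_rule(rule: Rule, username: Optional[str]) -> bool:
    """A user matches if listed directly or via any group listed in the rule."""
    if not rule.user_constrained():
        return True      # rule has no user criteria, so any source qualifies
    if username is None:
        return False     # no User-ID mapping: a user/group rule can never match
    if username in rule.users:
        return True
    return any(username in GROUPS.get(g, set()) for g in rule.groups)


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, logged username) for the first matching rule.

    The logged value is the username, never the group that matched, and a
    connection that matches no rule is denied without any username in the
    log, mirroring the service's logging limitations.
    """
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    username = lookup_user(conn.src)
    for rule in policy:
        if src not in ip_network(rule.source) or dst not in ip_network(rule.destination):
            continue
        if rule.service != conn.service:
            continue
        if not user_matches_rule(rule, username):
            continue
        return rule.name, rule.action, username
    return "<none>", "deny", None


# Constructed policy: the first rule mixes an individual user with a group.
POLICY = [
    Rule("finance-db-admin", "10.20.0.0/24", "10.50.0.0/24", "tcp/5432", "allow",
         users={"bob"}, groups={"edu:example:finance-admins"}),
    Rule("dba-ssh-to-jump", "10.20.0.0/24", "10.50.0.5/32", "tcp/22", "allow",
         groups={"edu:example:dba"}),
    Rule("web-any-source", "10.20.0.0/24", "10.50.0.0/24", "tcp/443", "allow"),
]


if __name__ == "__main__":
    for conn in (
        Connection("10.20.0.11", "10.50.0.7", "tcp/5432"),  # alice via group
        Connection("10.20.0.12", "10.50.0.7", "tcp/5432"),  # bob listed directly
        Connection("10.20.0.13", "10.50.0.5", "tcp/22"),    # carol, wrong group
        Connection("10.20.0.99", "10.50.0.7", "tcp/5432"),  # no User-ID mapping
        Connection("10.20.0.99", "10.50.0.7", "tcp/443"),   # no user criteria
    ):
        print(conn, "->", evaluate(POLICY, conn))
```

Three behaviours worth noticing when running it: a source address with no User-ID entry (here 10.20.0.99) falls straight through every user- or group-based rule and can only be matched by a rule without user criteria; the returned log field carries the username, so you cannot tell from it whether alice matched as an individual or through a group; and a connection that matches nothing yields no username at all, which is why the logs cannot be used to find users who have not yet been placed in a rule or group.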
Service Restrictions
- Groups consisting of fewer than 5 users do not qualify for group mapping services. Small sets of users should be managed as individual user entries directly in the Panorama interface.
- All groups must be created by TelCat request and cannot be created by firewall administrators. Once a group is online, the firewall administrators will be given control of its membership.
Service Limitations
- User-ID only works with active users of the bSecure remote access service (GlobalProtect)
- Firewall logs record the User-ID name of the user that matched a rule, not the group through which they matched.
- There is no way to log a User-ID that does not match any policy, so the logs cannot be used to find users who have not yet been configured in a rule or group.
- The service only supports CalGrouper for group management and cannot be connected to any other source of group membership.