The bSecure service supports the use of user groups in addition to individual users for firewall security policy.
This does not take the place of individual users in firewall policy; the two can be intermixed as required by the customer's needs. Please see the User-ID article for more information on using usernames instead of groups.
Group Mapping
When available, firewall administrators can request that their VSYS be enabled for group mapping. They will meet with a network engineer who will review their needs and determine whether group mapping is appropriate for the use case. If so, the engineer will configure the service accordingly. Please note that group mapping requests can take more than a month to implement and are impacted by change freezes.
Once implemented, users will be able to select their users and groups from a pre-populated list in the User field of the policy configuration. A policy entry supports the use of manual user entry, group entry, or a mixture of both.
Once online, administrators will manage group membership through CalGroups without having to modify or push new configuration to their firewalls.
How it Works
- Security policy including a list of users matches other requirements (such as source/destination address and service)
- The VSYS queries the User-ID database with the source network address of the connection
- If there is a username matching the source address in the database the name is returned to the VSYS
- If a username is found, the user's group memberships are compared to the allowed list specified in the policy; if there is a match, the firewall takes the appropriate action
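The matching sequence above, as an added Python model that is not part of the bSecure service or its documentation; the IP-to-user map, group names and rules are constructed sample data, and a rule with no user or group entries stands in for a non-User-ID rule:

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: source address -> username (populated by
# GlobalProtect logins) and CalGroups group -> member usernames.
USER_ID_DB = {"10.0.0.5": "alice", "10.0.0.7": "bob"}
GROUP_MEMBERS = {"cn=net-admins": {"alice"}, "cn=helpdesk": {"bob", "carol"}}

@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    dst_port: int                                  # stands in for the service match
    users: set[str] = field(default_factory=set)   # manually entered usernames
    groups: set[str] = field(default_factory=set)  # CalGroups group names

def lookup_user(src_ip: str) -> str | None:
    """Query the User-ID database with the connection's source address."""
    return USER_ID_DB.get(src_ip)

def rule_matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    if rule.dst_port != dst_port:           # other requirements must match first
        return False
    if not rule.users and not rule.groups:  # non-User-ID rule: identity not needed
        return True
    user = lookup_user(src_ip)
    if user is None:                        # no mapping: a User-ID rule never matches
        return False
    if user in rule.users:                  # individual user entry
        return True
    # Group entry: compare the user's memberships to the groups in the rule.
    return any(user in GROUP_MEMBERS.get(g, set()) for g in rule.groups)

def evaluate(policy: list[Rule], src_ip: str, dst_port: int):
    """First matching rule wins; returns (rule name, action) or None."""
    for rule in policy:
        if rule_matches(rule, src_ip, dst_port):
            return rule.name, rule.action
    return None

POLICY = [
    Rule("admins-ssh", "allow", 22, groups={"cn=net-admins"}),
    Rule("carol-ssh", "allow", 22, users={"carol"}),
    Rule("deny-other-ssh", "deny", 22),  # plain rule: the only way to catch the rest
]
```

A source with no User-ID mapping falls through every user- or group-based rule and is only caught by a plain rule, which is why a User-ID deny rule cannot be used to see who is being rejected.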
The Restricted VPN documentation has a good walkthrough of how to interact with the CalGroups interface that also applies to managing User-ID groups.
Service Limitations
- User-ID only works with active users of the bSecure remote access service (GlobalProtect)
- Only users that are members of defined groups will appear in the auto-populated pull-down. Any users not represented in one or more groups will need to be manually entered
- There is no way to log a User-ID that does not match
- You can't create a deny rule to catch which users are not being allowed as you would for a non-User-ID rule
- The service only supports CalGroups for group management