
Importing Users, User Groups, or Security Groups from a Server

This section describes how to import users, user groups or security groups from an AD, LDAP, or Agile Controller server to a FW.

Prerequisites

Before you import users, user groups or security groups from a server, complete the following tasks:

Context

The FW supports the import of users, user groups or security groups from an AD, AD LDAP, or Sun ONE LDAP server, and the import of users and user groups from an Open LDAP or Agile Controller server.

The following rules apply when you import users, user groups or security groups from a server:

  • You can import only user accounts and organizational structures from the server to the FW. User attributes cannot be imported.
  • In the dual-system hot backup deployment, the information imported from the server cannot be synchronized from the active FW to the standby FW. Therefore, you must import the users to both the active and standby FWs.
  • In the dual-system hot backup deployment in mirroring mode, the service interface of the standby FW cannot receive or forward packets. Therefore, user information cannot be imported through the service interface. Run the hrp mgt-interface command to specify an independent management interface and ensure that the management interface is connected to the server. Then, use the management interface to import user information.

For an AD or LDAP server, the FW supports only the import of users to the authentication domain with the same user domain name on the server or to the default authentication domain. For example, dc=cce,dc=com indicates the user with the cce.com domain name.

If the server has more than five filtering parameters for dynamic security groups, the FW accepts only the first five filtering parameters when importing dynamic security groups.

By default, the names of users, user groups, and security groups on the FW can be Chinese characters, English letters, digits, and special characters. For details, see the restrictions and precautions for user management and authentication.

Procedure

  1. Choose Object > User > User Import > Server Import.
  2. Click Add.
  3. Set the parameters for importing users, user groups or security groups from an AD, LDAP, or Agile Controller server.

    Parameter

    Description

    Name

    Name of a policy for importing users, user groups or security groups from a server

    The name must be unique.

    Server Type

    Type of a server

    • AD: specifies an AD server.
    • LDAP: specifies an LDAP server.
    • Agile Controller: specifies an Agile Controller server.

    Server Name

    Name of a server

    You can also click Add to create a server.

    Server Import Location

    • When Server Type is set to AD or LDAP, click Select, connect to the server, and select the ranges of users, user groups or security groups. This parameter can be set only after you select Server Name.

      The user/user group/security group information in a maximum of 16 subdirectories can be imported to the FW.

      The LDAP or AD server import location consists of a domain name and user group names on the server. The format of a server import location is: ou=level-N user group name, ..., ou=level-2 user group name, ou=level-1 user group name, dc=level-N domain name, ..., dc=level-2 domain name, dc=level-1 domain name.

    • When Server Type is set to Agile Controller, enter the path from which user and user group information is imported from the Agile Controller server to the FW.

      The format of the start location on an Agile Controller server is root\level-1 department\level-2 department\…….

    Import Type

    Type of information to be imported from a server. Possible values are as follows:

    • All

      Imports all users, organizational structures and security groups on an authentication server to the FW.

      You are advised to select All if the FW is supposed to manage all or most of the users on the authentication server and policies need to be configured on the basis of the organizational structure or security groups.

      This parameter is available only when Server Type is AD, AD LDAP or Sun ONE LDAP.

    • Import only users

      Imports only users on an authentication server to the FW. After being imported to the FW, the imported users belong to the same department by default.

      You are advised to select Import only users if you need to rebuild the organizational structure on the FW instead of using the original structure on the authentication server.

    • Import only user groups

      Imports only the organizational structure to the FW from an authentication server.

      If the server has a large number of users and the FW manages users based only on the organizational structure (departments), you are advised to use this mode to avoid importing invalid users.

    • Import only security groups

      Imports only the security groups to the FW from an authentication server.

      You are advised to select Import only security groups if the FW is supposed to manage only security groups.

      This parameter is available only when Server Type is AD, AD LDAP or Sun ONE LDAP.

    • Import both users and user groups

      Imports all users and organizational structures on an authentication server to the FW.

      You are advised to select Import both users and user groups if the FW is supposed to manage all or most of the users on the authentication server and policies need to be configured on the basis of the organizational structure.

    • Import both users and security groups

      Imports all users and security groups on an authentication server to the FW.

      You are advised to select Import both users and security groups if the FW is supposed to manage security groups and their users on the authentication server.

      This parameter is available only when Server Type is AD, AD LDAP or Sun ONE LDAP.

    Target User Group

    Select the import location at which users and user groups are imported to the FW. By default, user/user group information is imported to the /default group on the FW.

    For an AD or LDAP server, the user can be imported only to the group of the authentication domain with the same user domain name on the server or to the default authentication domain.

    The Agile Controller supports only the import of the group of the default authentication domain.

    If the content to be imported contains security groups, the security groups are imported to the authentication domain of destination-group.

    NOTE:

    For user import from an Agile Controller server, a user organizational structure with the same user group name in adjacent levels cannot be imported to the homonymous user group on the FW. Otherwise, the user hierarchy is incorrect. For example, if user1's organizational structure on the Agile Controller server is /group/group/user1 and this organizational structure is imported to /default/group on the FW, user1 will be imported to /default/group, not to /default/group/group.

    Target Security Group

    Import security group location at which users are imported to the FW.

    This parameter is available only when Import Type is Import only users or Import both users and user groups.

    Target Domain

    Import authentication domain location at which security groups are imported to the FW.

    This parameter is available only when Import Type is Import only security groups. The selected authentication domain must be the authentication domain with the same user domain name on the server or the default authentication domain.

    Incremental Synchronization

    Import only new users, user groups, or security groups after the previous import.

    This parameter is available only when Server Type is set to AD or LDAP.

    If the check box is selected, the FW imports users, user groups, or security groups from the server at the configured interval.

    Full Synchronization

    Import all users, user groups, or security groups from a server to the FW.

    • When Server Type is set to AD or LDAP, select the check box and set the synchronization interval and time. The FW will import users, user groups, or security groups from the AD or LDAP server at the configured interval.

    • When Server Type is set to Agile Controller, select the check box and set a synchronization interval. The FW will import users and user groups from the Agile Controller server at the configured interval.

    NOTE:

    During full synchronization, the users who exist on the FW but are deleted from the server are identified as invalid users. Click View Invalid User Information to determine whether to delete invalid users or configure periodic clearing of all invalid users.

    Overwrite existing user records

    If you select this check box and a user already exists, the FW overwrites the original user attributes.

    If you deselect this check box and a user already exists on a FW, the FW skips the user.

    NOTE:
    • Only the users imported from third-party authentication servers overwrite each other. The users manually created or imported from a CSV file cannot be overwritten.
    • If Import Type is Import only users and Overwrite existing user records is selected, users existing on the FW will be overwritten, and their original organizational structures are lost, which will further cause policy control based on these structures (user groups/security groups) to become invalid.
    • After the local users on the FW are overwritten, their user-IP/MAC address binding relationships and binding types remain unchanged.
    • If the overwritten local users do not allow login from multiple IP addresses, this restriction still applies to the imported users. If the overwritten local users allow login from multiple IP addresses but the user group or security group to which these users belong does not, the restriction still applies to the imported users.

    Filtering Settings

    User

    Parameter specified for selecting users. The parameter is a regular expression.

    An AD or LDAP server searches for user information that meets the filtering parameter and sends the user information to the FW.

    This parameter applies to an AD or LDAP server. You are advised to keep the default value of the parameter.

    User Group

    Parameter specified for selecting user groups. The parameter is a regular expression.

    An OU contains a large amount of information, including user groups, and some of it does not need to be imported to the FW. During the import, an AD or LDAP server searches for the user group information that matches the filtering parameter and sends only that information to the FW.

    This parameter applies to an AD or LDAP server. You are advised to keep the default value of the parameter.

    Security Group

    Parameter specified for selecting security groups. The parameter is a regular expression.

    An OU contains a large amount of information, including security groups, and some of it does not need to be imported to the FW. During the import, an AD, AD LDAP or Sun ONE LDAP server searches for the security group information that matches the filtering parameter and sends only that information to the FW.

    This parameter applies to an AD, AD LDAP or Sun ONE LDAP server. You are advised to keep the default value of the parameter.

    User Attribute

    You can use a user attribute on an AD or LDAP server as the login name of the user on the FW.

    sAMAccountName, the attribute of a user on an AD or AD LDAP server, indicates the login name of the user. cn, the attribute of a user on an Open LDAP Server, indicates the login name of the user. uid, the attribute of a user on a Sun ONE LDAP server, indicates the login name of the user.

    This parameter applies to an AD or LDAP server. You are advised to keep the default value of the parameter.

  4. Click OK.
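The following Python script is an added example for the Server Import Location, Target User Group and User Attribute rows above; it is not Huawei code and is not part of the FW. It parses the two start-location formats into a top-down group chain, derives the domain name from the dc= components (dc=cce,dc=com gives cce.com), checks for the adjacent same-name hazard described in the NOTE under Target User Group before an import is submitted, and picks the login name with the default User Attribute for each server type. The function names and the assumption that the server group chain is appended below the selected target user group are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default login-name attribute per server type, as listed in the User Attribute row.
LOGIN_ATTRIBUTE = {
    "AD": "sAMAccountName",
    "AD LDAP": "sAMAccountName",
    "Open LDAP": "cn",
    "Sun ONE LDAP": "uid",
}

# One RDN such as 'ou=level-1 user group name' or 'dc=com'; surrounding blanks are dropped.
RDN_RE = re.compile(r"^\s*(ou|dc)\s*=\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class ImportLocation:
    domain: str        # dotted domain name, e.g. "cce.com" for dc=cce,dc=com
    groups: List[str]  # user group chain, level-1 (outermost) first


def parse_ldap_location(dn: str) -> ImportLocation:
    """Parse 'ou=level-N, ..., ou=level-1, dc=level-N, ..., dc=level-1'.

    The ou= components are listed most-specific first, so they are reversed
    to obtain the top-down chain; the dc= components already read as the
    dotted domain name in the order given.
    """
    ous, dcs = [], []
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        m = RDN_RE.match(rdn)
        if m is None:
            raise ValueError(f"unsupported or malformed RDN in import location: {rdn!r}")
        (ous if m.group(1).lower() == "ou" else dcs).append(m.group(2))
    if not dcs:
        raise ValueError("import location carries no dc= component, so no domain name")
    return ImportLocation(domain=".".join(dcs), groups=list(reversed(ous)))


def parse_agile_controller_location(path: str) -> List[str]:
    """Parse 'root\\level-1 department\\level-2 department\\...' into the
    department chain (top-down), dropping the leading 'root'."""
    parts = [p for p in path.split("\\") if p]
    if not parts or parts[0].lower() != "root":
        raise ValueError("Agile Controller start location must begin with 'root'")
    return parts[1:]


def fw_group_path(target_group: str, server_groups: List[str]) -> str:
    """FW user-group path where the server chain lands below target_group.
    Assumption of this example: the chain is appended under the target group."""
    return "/".join([target_group.rstrip("/")] + server_groups)


def check_adjacent_duplicate(target_group: str, server_groups: List[str]) -> Optional[str]:
    """Pre-import check for the NOTE under Target User Group: a structure with the
    same group name in adjacent levels must not be imported into the homonymous
    FW group. Returns a warning text, or None when the combination is safe."""
    target_leaf = target_group.rstrip("/").rsplit("/", 1)[-1]
    for upper, lower in zip(server_groups, server_groups[1:]):
        if upper == lower == target_leaf:
            return (f"group {upper!r} repeats in adjacent levels and matches target "
                    f"group {target_group!r}; users would land in {target_group} "
                    f"instead of {fw_group_path(target_group, server_groups)}")
    return None


def login_name(server_type: str, entry: Dict[str, str]) -> str:
    """Pick the FW login name from a server entry using the default User Attribute."""
    attr = LOGIN_ATTRIBUTE[server_type]
    if attr not in entry:
        raise KeyError(f"entry lacks {attr}, the login-name attribute for {server_type}")
    return entry[attr]


if __name__ == "__main__":
    # Constructed sample values; they do not come from a real directory.
    loc = parse_ldap_location("ou=dev,ou=eng,dc=cce,dc=com")
    print(loc.domain, loc.groups)                 # cce.com ['eng', 'dev']
    print(fw_group_path("/default", loc.groups))  # /default/eng/dev
    chain = parse_agile_controller_location(r"root\group\group")
    print(check_adjacent_duplicate("/default/group", chain))
    print(login_name("AD", {"sAMAccountName": "alice", "cn": "Alice Example"}))
```

Run the check before creating the import policy: a non-None result from check_adjacent_duplicate means the selected Target User Group would flatten the hierarchy in the way the NOTE describes, and a different target group should be chosen.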

Result

After an import policy is created, you can import users, user groups or security groups from a server to the FW. If Incremental Synchronization or Full Synchronization is specified in the import policy, the FW will import users, user groups, or security groups from the server at the configured interval.

Follow-up Procedure

Invalid users (users, user groups, and security groups) exist on the FW in the following situations:

  • After users/user groups/security groups are imported from the server to the FW, some users/user groups/security groups are deleted from the server, and users/user groups/security groups are immediately imported to the FW or full synchronization succeeds. The deleted users/user groups/security groups on the FW become invalid.
  • The security policy references the users/user groups/security groups that are queried online and imported from the server.
  • Users/user groups/security groups are imported from the server, and the corresponding import policy is deleted from the server.

Click View Invalid User Information on the Server Import tab to view invalid user information, delete invalid users, and configure periodic clearing of all invalid users.

  • For objects of the user, user group, and security group types, if none of the import policies on the FW contains objects of a certain type, the FW directly deletes invalid objects of this type. For example, if none of the import policies contains objects of the user type, the FW directly clears invalid objects of the user type.
  • If an import policy fails to import objects of a certain type because the specifications (capacity limits) are full, the FW considers the import of objects of this type successful and the import of objects of the other types imported subsequently failed. For example, the import type of an import policy is All, the import sequence is user group > security group > user, and objects of the security group type fail to be imported because the specifications are full. In this case, objects of the user group and security group types are imported successfully, and those of the user type fail to be imported.
  • If users, user groups, or security groups are imported from a server and invalid users exist on the FW, after the FW restarts, these users become valid. After immediate import or scheduled full synchronization is performed, these users become invalid.

Invalid users will not be deleted in the following situations:

  • The invalid users are online or referenced by a policy. After the users go offline or the policy that references the users is deleted, the users can be deleted.
  • A user group, its subgroups, or the users in it are referenced by a policy; users in the user group are online; or its subgroups or users were not imported from the server. After the users go offline or the policy that references them is deleted, the user groups, subgroups, and users can be deleted.
  • The users in the security groups are online. The security groups can be deleted if the users go offline.
  • The security policy references the users/user groups/security groups that are queried online and imported from the server. Therefore, the users, user groups, and security groups are always invalid and cannot be deleted, which does not affect policy matching.
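The following Python script is an added example, not Huawei code and not the FW's implementation: it models the behaviour described for Filtering Settings, Overwrite existing user records, and the invalid-user handling above, so that the interaction of those settings can be reasoned through on sample data. Server entries are first filtered with the configured regular expressions, a full synchronization then overwrites only server-imported objects (manual or CSV objects are skipped) while leaving user-IP/MAC bindings untouched and marks objects missing from the server as invalid, and clearing skips invalid objects that are online, referenced by a policy, or still contain online users. The data classes, the 'kind:name' keys and the constructed sample data are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FwObject:
    name: str
    kind: str                  # "user", "user_group" or "security_group"
    origin: str                # "server", "manual" or "csv"
    attrs: Dict[str, str] = field(default_factory=dict)
    ip_mac_binding: Optional[str] = None
    online: bool = False
    referenced_by_policy: bool = False
    invalid: bool = False


@dataclass
class ServerEntry:
    name: str
    kind: str
    attrs: Dict[str, str] = field(default_factory=dict)


def apply_filters(entries: List[ServerEntry], filters: Dict[str, str]) -> List[ServerEntry]:
    """Keep entries whose name matches the regular expression configured for their
    kind (User / User Group / Security Group filter). Kinds without a filter pass."""
    return [e for e in entries
            if filters.get(e.kind) is None or re.search(filters[e.kind], e.name)]


def full_sync(fw: Dict[str, FwObject], snapshot: List[ServerEntry], overwrite: bool) -> List[str]:
    """Reconcile the FW object table (keyed 'kind:name') with a full server snapshot.
    Returns the list of actions taken, in order."""
    actions, seen = [], set()
    for e in snapshot:
        key = f"{e.kind}:{e.name}"
        seen.add(key)
        existing = fw.get(key)
        if existing is None:
            fw[key] = FwObject(e.name, e.kind, "server", dict(e.attrs))
            actions.append(f"import {key}")
        elif existing.origin != "server":
            actions.append(f"skip {key} ({existing.origin} object is never overwritten)")
        elif overwrite:
            existing.attrs = dict(e.attrs)   # binding relationship and type are kept
            existing.invalid = False
            actions.append(f"overwrite {key}")
        else:
            actions.append(f"skip {key} (already exists)")
    for key, obj in fw.items():
        if obj.origin == "server" and key not in seen and not obj.invalid:
            obj.invalid = True               # present on the FW, gone from the server
            actions.append(f"mark invalid {key}")
    return actions


def clear_invalid(fw: Dict[str, FwObject]) -> List[str]:
    """Delete invalid objects unless they are online, referenced by a policy, or
    (for groups) still contain an online user. Membership is read from attrs['group']."""
    deleted = []
    for key, obj in list(fw.items()):
        if not obj.invalid:
            continue
        blocked = obj.online or obj.referenced_by_policy
        if obj.kind in ("user_group", "security_group"):
            blocked = blocked or any(u.kind == "user" and u.online and
                                     u.attrs.get("group") == obj.name for u in fw.values())
        if not blocked:
            del fw[key]
            deleted.append(key)
    return deleted


def run_demo():
    """Constructed sample data (not from a real deployment)."""
    fw = {
        "user:alice": FwObject("alice", "user", "server", {"group": "eng"},
                               ip_mac_binding="10.0.0.5/aa:bb:cc:dd:ee:ff"),
        "user:bob": FwObject("bob", "user", "server", {"group": "eng"}, online=True),
        "user:carol": FwObject("carol", "user", "manual"),
        "security_group:vpn-users": FwObject("vpn-users", "security_group", "server"),
    }
    raw_snapshot = [
        ServerEntry("alice", "user", {"group": "eng", "title": "engineer"}),
        ServerEntry("carol", "user", {"group": "eng"}),
        ServerEntry("dave", "user", {"group": "eng"}),
        ServerEntry("svc-backup", "user", {"group": "eng"}),  # service account
        ServerEntry("eng", "user_group"),
    ]
    filters = {"user": r"^(?!svc-)"}   # exclude service accounts; groups unfiltered
    actions = full_sync(fw, apply_filters(raw_snapshot, filters), overwrite=True)
    deleted = clear_invalid(fw)
    return fw, actions, deleted


if __name__ == "__main__":
    fw, actions, deleted = run_demo()
    print("\n".join(actions))
    print("deleted:", deleted, "still invalid:", [k for k, o in fw.items() if o.invalid])
```

In the sample run, alice is overwritten but keeps her IP/MAC binding, the manually created carol is skipped, the service account never reaches the FW because of the user filter, bob becomes invalid but survives clearing because he is online, and the security group that disappeared from the server is deleted.
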

Click Import Record corresponding to the import policy to check the detailed information, such as the import time and import results of the import policy. The import details are classified as follows by Import Mode:
  • Full synchronization (Manual): The details on import operations performed by the administrator are recorded.
  • Full synchronization (Automatic): The details on full import operations automatically performed by the FW based on the import policy are recorded.
  • Incremental Synchronization (Automatic): The details on incremental import operations automatically performed by the FW based on the import policy are recorded.

The FW records only the latest import record of full synchronization (Manual), the latest two import records of full synchronization (Automatic), and the latest 12 import records of incremental synchronization (Automatic).

Click Failure Details to view details on import failures by user, user group, or security group.

The FW records the import failure details of 10 preferentially-imported users, 10 preferentially-imported security groups, and 1 preferentially-imported user group.

Copyright © Huawei Technologies Co., Ltd.