Creating Security Groups

This section describes how to create security groups and set their attributes on a FW.

Context

Users and security groups on a FW reflect the horizontal organizational structure. You can configure policies to reference the security groups to implement network behavior control and permission management.

The following rules apply when you create security groups:

  • A security group can have no parent security group, or belong to a maximum of 40 parent security groups.
  • A user can have no parent security group, or belong to a maximum of 40 parent security groups.
  • Dynamic security groups cannot be the parent groups of any security group, but can be members of static security groups.
  • Security groups can be referenced by policies. If a security group is referenced by a policy, the policy applies to all users of the security group, but not to the users of the sub-security groups.

Procedure

  1. Create a security group in the system view and access the security group view.

    user-manage security-group security-group-name [ domain domain-name ]

  2. Configure the description of the security group.

    description description

    The description must clearly indicate the function of the security group to make it easy to find and maintain.

  3. Configure the parent group of the security group.

    parent-security-group parent-security-group-name

  4. Configure the security group type.

    security-group-type { dynamic | static }

  5. Optional: Configure the user filtering conditions for the dynamic security group.

    user-filter user-filter

    This parameter is available only when the security group type is set to dynamic. For example, when user-filter is set to (&(ou=info)(objectClass=person)), the users whose ou attribute is info and whose objectClass is person belong to the dynamic security group.

    You can configure a maximum of five filtering conditions for each dynamic security group. The filtering conditions are logically ORed. That is, a user is added to the dynamic security group as long as the user meets one filtering condition.

  6. Optional: Allow user accounts of the security group to be used by multiple users.

    multi-ip online enable [ only-self ]

    If the parameter only-self is not specified, the multi-IP login setting takes effect on the users of the security group and its sub-security groups. If only-self is specified, the multi-IP login setting takes effect only on new users of the security group itself; it does not take effect on the users in the security group and its subgroups.

    Temporary users are not controlled by the multi-IP login attribute of the user group or security group under which they go online. The device always allows temporary users to log in from multiple IP addresses.
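The following added example models the dynamic-group membership rule from step 5 (filters in the LDAP-style user-filter syntax, at most five per group, logically ORed). It is an illustration written for this page, not the FW's own code; the parser covers only the (&...), (|...) and (attr=value) forms, and the user records are constructed.

```python
"""Added model of the dynamic-group rule above: each user-filter is an LDAP-style
filter ((&..), (|..), (attr=value)); at most five filters per group, ORed together.
Illustration only, not the FW's code; the user records below are constructed."""

MAX_FILTERS = 5  # the page allows at most five filtering conditions per dynamic group

def parse_filter(text, pos=0):
    """Parse the filter starting at text[pos]; return (ast, index just after it)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":  # composite filter: (&(...)(...)) or (|(...)(...))
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)  # simple equality filter: (attr=value)
    attr, sep, value = text[pos:end].partition("=")
    if not (attr and sep):
        raise ValueError(f"malformed attribute filter at offset {pos}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(ast, attrs):
    """Evaluate a parsed filter against one user's attributes (case-insensitive)."""
    if ast[0] == "=":
        return ast[2] in [v.lower() for v in attrs.get(ast[1], [])]
    combine = all if ast[0] == "&" else any  # "&" needs every child, "|" any child
    return combine(matches(child, attrs) for child in ast[1])

def dynamic_group_members(filters, users):
    """Users meeting at least one filter are members (the filters are logically ORed)."""
    if len(filters) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} filters per dynamic security group")
    asts = [parse_filter(f)[0] for f in filters]
    return sorted(n for n, attrs in users.items() if any(matches(a, attrs) for a in asts))

# Constructed sample users; attribute names are stored lower-case.
USERS = {
    "alice": {"ou": ["info"], "objectclass": ["person"]},
    "bob": {"ou": ["sales"], "objectclass": ["person"]},
    "svc-backup": {"ou": ["info"], "objectclass": ["device"]},
    "carol": {"ou": ["hr"], "objectclass": ["person"], "title": ["manager"]},
}
```

Calling dynamic_group_members(["(&(ou=info)(objectClass=person))", "(title=manager)"], USERS) returns alice (matches the page's example filter) and carol (matches the second filter), which shows the OR semantics between filters and the AND semantics inside one.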

Follow-up Procedure

After creating security groups, you can perform the following operations to modify configurations:

  • Run the rename security-group-name command in the security group view to rename a security group.
  • Run the parent-security-group parent-security-group-name command in the security group view to add or change the parent group.

    When you create a security group, a parent security group is specified. To change the parent security group, run the undo parent-security-group { all | parent-security-group-name } command first to delete the security group from the parent security group. Then run the parent-security-group parent-security-group-name command to specify a new parent security group. A security group can belong to a maximum of 40 parent security groups.

  • Run the parent-security-group parent-security-group-name command in the local user view to add the user to an existing parent security group.
  • Run the user-manage security-group-export to csv-file command in the system view to export the security groups.

Copyright © Huawei Technologies Co., Ltd.