
Importing Users, User Groups or Security Groups from a Server

This section describes how to import users, user groups or security groups from an AD, LDAP, or Agile Controller server to a FW.

Prerequisites

Before you import users, user groups or security groups from a server, complete the following tasks:

Context

The FW supports the import of users, user groups or security groups from an AD, AD LDAP, or Sun ONE LDAP server, and the import of users and user groups from an Open LDAP or Agile Controller server.

The following rules apply when you import users, user groups or security groups from a server:

  • You can import only user accounts and organizational structures from the server to the FW. User attributes cannot be imported.
  • In the dual-system hot backup deployment, the information imported from the server cannot be synchronized from the active FW to the standby FW. Therefore, you must import the users to both the active and standby FWs.
  • In the dual-system hot backup deployment in mirroring mode, the service interface of the standby FW cannot receive or forward packets. Therefore, user information cannot be imported through the service interface. Run the hrp mgt-interface command to specify an independent management interface and ensure that the management interface is connected to the server. Then, use the management interface to import user information.

For an AD or LDAP server, the FW supports only the import of users to the authentication domain with the same user domain name as the server or to the default authentication domain. For example, dc=cce,dc=com corresponds to the user domain name cce.com.

If the server has more than five filtering parameters for dynamic security groups, the FW accepts only the first five filtering parameters when importing dynamic security groups.

By default, the names of users, user groups, and security groups on the FW can be Chinese characters, English letters, digits, and special characters. For details, see the restrictions and precautions for user management and authentication.

Procedure

  1. Create a policy for importing user information from an AD, LDAP, or Agile Controller server in the system view and access the import policy view.

    user-manage import-policy policy-name from { ad | ldap | tsm }

  2. Configure a server template.

    server template template-name

    A server template defines the parameters for the FW to communicate with an AD, LDAP, or Agile Controller server. The server template is mandatory and must be consistent with the authentication server type defined in the import policy.

  3. Configure the range of users, user groups, and security groups to be imported from an authentication server to the FW.

    Setting a BaseDN using the server basedn basedn command means to specify a path of the user, user group, or security group information to be imported. You can import all the user, user group, or security group information in the path to the FW.

    If you need to import the user, user group, or security group information only from several sub-paths of an AD or LDAP server, run the server searchdn searchdn command repeatedly to specify the sub-paths (SearchDNs) after specifying a BaseDN. For one BaseDN, a maximum of 16 sub-paths (SearchDNs) can be specified. No sub-path can be specified for the import from an Agile Controller server.

    • The LDAP or AD server import location consists of a domain name and user group names on the server. The format of a server import location is: ou=level-N user group name, ..., ou=level-2 user group name, ou=level-1 user group name, dc=level-N domain name, ..., dc=level-2 domain name, dc=level-1 domain name.

    • The format of the start location on an Agile Controller server is root\level-1 department\level-2 department\.......

    Before you run the command, run the display user-manage group-in-basedn command several times to view the user organizational structure and select BaseDN or SearchDNs from the organizational structure.

  4. Optional: Configure an import type.

    import-type { all | group | security-group | user | user-group | user-security-group }

    Possible import types are as follows:

    • all

      Imports all users, organizational structures and security groups on an authentication server to the FW.

      You are advised to specify all if the FW is supposed to manage all or most of the users on the authentication server and policies need to be configured on the basis of the organizational structure or security groups.

      This parameter is available only when server type is AD, AD LDAP, or Sun ONE LDAP.

    • group

      Imports only the organizational structure to the FW from an authentication server.

      If the server has a large number of users and the FW manages users based only on the organizational structure (departments), you are advised to use this mode to avoid importing invalid users.

    • security-group

      Imports only the security groups to the FW from an authentication server.

      You are advised to specify security-group if the FW is supposed to manage only security groups.

      This parameter is available only when server type is AD, AD LDAP, or Sun ONE LDAP.

    • user

      Imports only users on an authentication server to the FW. After being imported to the FW, the imported users belong to the same department by default.

      You are advised to select user if you need to rebuild the organizational structure on the FW instead of using the original structure on the authentication server.

    • user-group

      Imports all users and organizational structures on an authentication server to the FW.

      You are advised to select user-group if the FW is supposed to manage all or most of the users on the authentication server and policies need to be configured on the basis of the organizational structure.

    • user-security-group

      Imports all users and security groups on an authentication server to the FW.

      You are advised to select user-security-group if the FW is supposed to manage security groups and their users on the authentication server.

      This parameter is available only when server type is AD, AD LDAP, or Sun ONE LDAP.

    By default, the import type is user-group, and all users and organizational structures on an authentication server are imported to the FW.

  5. Optional: Configure the target user group at which users and user groups are imported to the FW.

    destination-group group-name

    By default, users and user groups are imported to the root group on the FW.

    For an AD or LDAP server, the user group can be imported only to the authentication domain with the same user domain name on the server or to the default authentication domain.

    The Agile Controller supports only the import of the default authentication domain.

    If the content to be imported contains security groups, the security groups are imported to the authentication domain of destination-group.

    For user import from an Agile Controller server, an organizational structure that has the same user group name in adjacent levels cannot be imported to the homonymous user group on the FW; otherwise, the user hierarchy is incorrect. For example, if user1's organizational structure on the Agile Controller server is /group/group/user1 and this organizational structure is imported to /default/group on the FW, user1 will be imported to /default/group, not to /default/group/group.

  6. Optional: Configure the target security group at which users are imported to the FW.

    destination-security-group security-group-name

    You can set destination-security-group to import users to the specified security group only when the import type is user or user-group.

  7. Optional: Configure periodic import.

    • When the authentication server type specified in the import policy is AD or LDAP, configure incremental or full synchronization.

      Run the sync-mode incremental schedule interval time-interval command to enable incremental synchronization for the import from an AD or LDAP server and set an import interval. The NGFW will import users, user groups, or security groups from the server at the configured interval.

      To enable the server to synchronize users, user groups, or security groups created after a specific time point, run the { user | group | dynamic-security-group | static-security-group } time-stamp time-stamp command to configure a timestamp for the first incremental synchronization of users, user groups, dynamic security groups, or static security groups.

      Run the sync-mode full schedule { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } HH:mm command to enable full synchronization for the import from an AD or LDAP server and set the import interval and time. The NGFW will import users, user groups, or security groups from the server at the configured interval.

      If both incremental and full synchronization are set and their import intervals overlap, full synchronization takes precedence.

    • When the authentication server type specified in the import policy is Agile Controller, configure periodic import.

      time-interval time-interval

      Run the time-interval time-interval command to enable periodic import and set an import interval. The NGFW imports users and user groups from the Agile Controller server at the configured interval.

  8. Optional: Allow the users, user groups or security groups imported from the authentication server to overwrite those with the same names on the FW.

    import-override enable

    If this command is executed and a user with the same name exists on a FW, the FW updates user attributes by overwriting the original attributes. If this command is not executed and a user with the same name exists on a FW, the FW skips the user during the import.

    • Only the users imported from third-party authentication servers overwrite each other. The users manually created or imported from a CSV file cannot be overwritten.
  • If the import type configured in step 4 is user and this step is performed, users existing on the FW are overwritten and their original organizational structures are lost, which in turn invalidates any policy control based on these structures (user groups/security groups).
  • After the local users on the FW are overwritten, their user-IP/MAC address binding relationships and binding types remain unchanged.
  • After the local users on the FW are overwritten, if these users did not allow login from multiple IP addresses, this restriction still applies to the imported users. If the overwritten local users allowed login from multiple IP addresses but the user group or security group to which they belong does not, the restriction still applies to the imported users.

  9. Optional: Set filtering parameters.

    Filtering parameters apply only to AD or LDAP servers.

    • Set filtering parameters for importing users from an AD or LDAP server.

      user-filter user-filter

      The default filtering condition for importing users from an AD or AD LDAP server is (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))). The default filtering condition for importing users from an Open LDAP server is (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)), because servers of this type do not have objects of the computer type. The default filtering condition for importing users from a Sun ONE LDAP server is (&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*)). You are advised to keep the default values.

    • Set filtering parameters for importing user groups from an AD or LDAP server.

      group-filter group-filter

      The default filtering condition for importing user groups is set to (|(objectclass=organizationalUnit)(ou=*)). You are advised to keep the default values.

    • Set filtering parameters for importing security groups from an AD or LDAP server.

      security-group-filter security-group-filter

      This parameter takes effect only on AD, AD LDAP, and Sun ONE LDAP servers.

      The default filtering condition for importing security groups from an AD or AD LDAP server is (&(objectclass=group)(|(grouptype=-2147483640)(grouptype=-2147483644)(grouptype=-2147483646))). Only the local domain security groups, global security groups, and general security groups on the AD or AD LDAP server are imported. The default filtering condition for importing security groups from a Sun ONE LDAP server is (&(objectclass=groupofuniquenames)(!(memberURL=*))). You are advised to keep the default values.

    • Configure user attributes on the AD or LDAP server.

      user-attribute user-attribute

      To import users from an authentication server, configure an attribute that contains the user information. By default, the user attribute of an AD server or AD LDAP server is sAMAccountName, the user attribute of an Open LDAP server is cn, and the user attribute of a Sun ONE LDAP server is uid. You are advised to keep the default values.
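The default filters quoted in step 9 are RFC 4515 LDAP search filters, and the cheapest way to understand what an import would pull in is to evaluate them against sample entries before running the policy. The following Python is an added example, not Huawei code or any part of the FW: it contains a small filter parser/evaluator (conjunction, disjunction, negation, equality, presence and wildcard matching; nothing else), the six default filters copied from the page, and a handful of constructed directory entries (not from any real directory). Attribute and value comparisons are case-insensitive, which mirrors the usual directory matching rules but is an assumption of this example. The groupType values in the AD security-group filter are 0x80000002, 0x80000004 and 0x80000008, that is the security-enabled flag combined with the global, domain-local and universal scope flags, which is why distribution groups (no 0x80000000 bit) are left out.

```python
"""Evaluate the FW's default import filters against constructed directory entries.
Added example, not Huawei code. Filters are the page's defaults; entries are made up."""
import re

# Default filters quoted in step 9 of the procedure.
AD_USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))"
OPENLDAP_USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*))"
SUNONE_USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*))"
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"
AD_SECURITY_GROUP_FILTER = "(&(objectclass=group)(|(grouptype=-2147483640)(grouptype=-2147483644)(grouptype=-2147483646)))"
SUNONE_SECURITY_GROUP_FILTER = "(&(objectclass=groupofuniquenames)(!(memberURL=*)))"

# Constructed sample entries (multi-valued attributes are lists). Note that an AD
# computer object also carries objectClass person/organizationalPerson, which is
# why the AD user filter needs the (!(objectclass=computer)) term.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=sales,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"], "cn": "alice", "sAMAccountName": "alice"},
    {"dn": "cn=WS01,ou=workstations,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"], "cn": "WS01", "sAMAccountName": "WS01$"},
    {"dn": "ou=sales,dc=example,dc=com", "objectClass": ["top", "organizationalUnit"], "ou": "sales"},
    {"dn": "cn=sales-staff,ou=sales,dc=example,dc=com", "objectClass": ["top", "group"],
     "cn": "sales-staff", "groupType": -2147483646},            # 0x80000002: global security group
    {"dn": "cn=sales-dl,ou=sales,dc=example,dc=com", "objectClass": ["top", "group"],
     "cn": "sales-dl", "groupType": 2},                         # global distribution group, not security-enabled
    {"dn": "cn=bob,ou=people,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"], "cn": "bob", "uid": "bob"},
    {"dn": "cn=dyn-all,ou=groups,dc=example,dc=com", "objectClass": ["top", "groupofuniquenames"],
     "memberURL": "ldap:///dc=example,dc=com??sub?(objectclass=person)"},   # dynamic group
    {"dn": "cn=static-g,ou=groups,dc=example,dc=com", "objectClass": ["top", "groupofuniquenames"],
     "uniqueMember": ["cn=bob,ou=people,dc=example,dc=com"]},
]


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|', children), ('!', [child]) or ('=', attr, pattern)."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.index(")", pos)
            attr, pattern = text[pos:end].split("=", 1)
            node = ("=", attr.strip().lower(), pattern.strip())
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(entry, attr):
    """All values of an attribute, matched case-insensitively on the attribute name."""
    for name, value in entry.items():
        if name.lower() == attr:
            return value if isinstance(value, list) else [value]
    return []


def _value_matches(pattern, value):
    """Presence ('*') always matches; otherwise a case-insensitive wildcard comparison."""
    if pattern == "*":
        return True
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, str(value), re.IGNORECASE) is not None


def matches(node, entry):
    """Recursively evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in _values(entry, attr))


def select(filter_text, entries):
    """Return the DNs of the entries an import with this filter would pick up."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for name in ("AD_USER_FILTER", "OPENLDAP_USER_FILTER", "SUNONE_USER_FILTER",
                 "GROUP_FILTER", "AD_SECURITY_GROUP_FILTER", "SUNONE_SECURITY_GROUP_FILTER"):
        print(name, "->", select(globals()[name], SAMPLE_ENTRIES))
```

Running it shows the practical difference between the defaults: the Open LDAP user filter, applied to AD-style data, would also import the computer account WS01, the AD security-group filter drops the distribution group, and the Sun ONE security-group filter drops the dynamic (memberURL) group.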

Result

After an import policy is created, you can run the execute user-manage import-policy policy-name command to import users, user groups or security groups from the authentication server. If periodic import is specified in the import policy, the FW periodically imports users, user groups or security groups from the server at the specified interval.
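Because several of the restrictions in steps 1 to 8 only surface when the import is executed (an import type the server type does not support, more than 16 SearchDNs, a SearchDN outside the BaseDN, a destination in the wrong authentication domain, a destination-security-group with an incompatible import type), it is worth checking a planned policy before running execute user-manage import-policy. The following Python is an added example, not Huawei code: it encodes only the rules stated in this procedure and prints the command sequence from the steps above. The server-type labels, the policy dictionary keys, the mapping of server sub-types to the from { ad | ldap | tsm } keywords, and the convention that the first component of an FW group path such as /default/sales names its authentication domain are all assumptions of this example.

```python
"""Pre-flight check of a user import policy against the rules on this page, plus the
command sequence it maps to. Added example, not Huawei code; see the assumptions below."""

SECURITY_GROUP_CAPABLE = {"ad", "ad-ldap", "sun-one-ldap"}          # server-type labels are ours
SERVER_TYPES = SECURITY_GROUP_CAPABLE | {"open-ldap", "agile-controller"}
FROM_KEYWORD = {"ad": "ad", "ad-ldap": "ldap", "open-ldap": "ldap",
                "sun-one-ldap": "ldap", "agile-controller": "tsm"}  # assumed keyword mapping
IMPORT_TYPES = {"all", "group", "security-group", "user", "user-group", "user-security-group"}
NEEDS_SECURITY_GROUPS = {"all", "security-group", "user-security-group"}
MAX_SEARCHDN_PER_BASEDN = 16                                        # stated in step 3


def domain_from_dn(dn):
    """'ou=sales,dc=cce,dc=com' -> 'cce.com', the user domain name the FW matches against."""
    rdns = [r.strip() for r in dn.split(",")]
    return ".".join(r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc="))


def dn_under(child, parent):
    """True when child is parent or lies below it (case-insensitive RDN suffix comparison)."""
    norm = lambda d: [r.strip().lower() for r in d.split(",")]
    c, p = norm(child), norm(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def auth_domain_of(group_path):
    """'/cce.com/sales' -> 'cce.com'; an empty path means the default domain (assumption)."""
    parts = [x for x in group_path.split("/") if x]
    return parts[0] if parts else "default"


def check_policy(policy):
    """Return the list of rule violations; an empty list means the policy is consistent."""
    errors = []
    st = policy["server_type"]
    it = policy.get("import_type", "user-group")                    # page default for import-type
    if st not in SERVER_TYPES:
        return ["unknown server type %r" % st]
    if it not in IMPORT_TYPES:
        return ["unknown import type %r" % it]
    if it in NEEDS_SECURITY_GROUPS and st not in SECURITY_GROUP_CAPABLE:
        errors.append("import-type %s is available only for AD, AD LDAP or Sun ONE LDAP" % it)
    searchdns = policy.get("searchdns", [])
    dest = policy.get("destination_group", "/default")             # root group by default
    if st == "agile-controller":
        if searchdns:
            errors.append("no SearchDN can be specified for an Agile Controller import")
        if auth_domain_of(dest) != "default":
            errors.append("Agile Controller import supports only the default authentication domain")
    else:
        if len(searchdns) > MAX_SEARCHDN_PER_BASEDN:
            errors.append("at most %d SearchDNs per BaseDN" % MAX_SEARCHDN_PER_BASEDN)
        for s in searchdns:
            if not dn_under(s, policy["basedn"]):
                errors.append("SearchDN %s is not under BaseDN %s" % (s, policy["basedn"]))
        server_domain = domain_from_dn(policy["basedn"])
        if auth_domain_of(dest) not in ("default", server_domain):
            errors.append("destination must be in authentication domain %r or default, not %r"
                          % (server_domain, auth_domain_of(dest)))
    if policy.get("destination_security_group") and it not in ("user", "user-group"):
        errors.append("destination-security-group requires import-type user or user-group")
    return errors


def render_commands(policy):
    """Command lines for the policy, using the commands from the procedure above."""
    lines = ["user-manage import-policy %s from %s" % (policy["name"], FROM_KEYWORD[policy["server_type"]]),
             " server template %s" % policy["template"],
             " server basedn %s" % policy["basedn"]]
    lines += [" server searchdn %s" % s for s in policy.get("searchdns", [])]
    lines.append(" import-type %s" % policy.get("import_type", "user-group"))
    if "destination_group" in policy:
        lines.append(" destination-group %s" % policy["destination_group"])
    if policy.get("destination_security_group"):
        lines.append(" destination-security-group %s" % policy["destination_security_group"])
    if policy.get("import_override"):
        lines.append(" import-override enable")
    return lines


# Constructed sample policy: an AD import of the sales OU into the cce.com domain.
SAMPLE_POLICY = {"name": "ad_sales", "server_type": "ad", "template": "ad_srv",
                 "basedn": "dc=cce,dc=com", "searchdns": ["ou=sales,dc=cce,dc=com"],
                 "import_type": "all", "destination_group": "/cce.com"}

if __name__ == "__main__":
    problems = check_policy(SAMPLE_POLICY)
    print("\n".join(problems) if problems else "\n".join(render_commands(SAMPLE_POLICY)))
```

Only policies that pass check_policy are rendered; a failing policy prints the violated rule instead, so the mistake is caught before the FW performs (and, with import-override, possibly overwrites) anything.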

Follow-up Procedure

Invalid users (users, user groups, and security groups) exist on the FW in the following situations:

  • After users/user groups/security groups are imported from the server to the FW, some of them are deleted from the server, and then an immediate import or a full synchronization succeeds. The users/user groups/security groups that were deleted on the server become invalid on the FW.
  • The security policy references the users/user groups/security groups that are queried online and imported from the server.
  • Users/user groups/security groups are imported from the server, and the corresponding import policy is deleted from the server.

You can run the user-manage clear-invalid-users schedule { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } HH:MM command in the system view to configure the device to automatically clear all invalid users. You can also manually delete specific invalid users through the web UI.

  • For objects of the user, user group, and security group types, if none of the import policies on the FW contains objects of a certain type, the FW directly deletes invalid objects of this type. For example, if none of the import policies contains objects of the user type, the FW directly clears invalid objects of the user type.
  • If an import policy fails to import objects of a certain type because the FW's capacity (specification) for that type is full, the FW treats the import of objects of this type as successful and the import of the object types that follow it as failed. For example, the import type of an import policy is all, the import sequence is user group > security group > user, and objects of the security group type fail to be imported because the capacity is full. In this case, objects of the user group and security group types are treated as imported successfully, and those of the user type fail to be imported.
  • If users, user groups, or security groups are imported from a server and invalid users exist on the FW, after the FW restarts, these users become valid. After immediate import or scheduled full synchronization is performed, these users become invalid.

Invalid users will not be deleted in the following situations:

  • The invalid users are online or referenced by a policy. After the users go offline or the policy that references the users is deleted, the users can be deleted.
  • A user group, one of its subgroups, or a user in it is referenced by a policy; a user in the user group is online; or a subgroup or user in it was not imported from the server. After the users go offline or the policy that references them is deleted, the user groups/subgroups/users can be deleted.
  • The users in the security groups are online. The security groups can be deleted if the users go offline.
  • The security policy references the users/user groups/security groups that are queried online and imported from the server. Therefore, the users, user groups, and security groups are always invalid and cannot be deleted, which does not affect policy matching.
Copyright © Huawei Technologies Co., Ltd.