topic In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall? in Next-Generation Firewall Discussions

In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

shivunrp — Tue, 01 Aug 2023 06:54:43 GMT

We have over 200 users on a network, and IP addresses are assigned using DHCP. However, we have a customer request to allow internet access on ports 80 and 443 for specific individuals(may be 50 or more) via the Paloalto firewall. Please review and confirm the various configuration options.

Re: In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

seb_rupik — Tue, 01 Aug 2023 10:38:48 GMT

Hi there,

Is there a 1:1 mapping between users and devices, or can the users log into multiple devices? This would be a good usecase for User-ID (User-ID Overview (paloaltonetworks.com)) where you can define Security Policy based on user/ group.

Another alternative would be an 802.1x solution on the edge ports of your network allowing you to place certain devices/ users in a specific VLAN, which can then have a specific security policy applied to on the firewall.

Since you mention a DHCP based solution, then we can assume there must be a 1:1 mapping between the user and devices. The solution here is to logically divide a subnet. Say you have a DHCP scope for a /24 subnet, then carve out a /26 and use that for static reservations, eg:

192.168.1.0/24

Reserved: 192.168.1.0/26

DHCP scope allocation: 192.168.1.64-192.168.1.250

This will give you 62 useable host addresses, which you can use for static reservations once you have gathered all of the device MAC addresses. You can then create an address object for 192.168.1.0/26 and use it in whatever punitive policy you require.

cheers,

Seb.

Re: In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

AaronAxvig — Tue, 01 Aug 2023 16:33:44 GMT

Ideas, given the limited information provided:

If each of the 50 individuals has dedicated PCs, use DHCP reservations to give them certain IPs and then allow that IP range Internet access.
Break it up into two networks. This would be via SSID, or 802.1x auth, or many other options.
Use Active Directory groups and User-ID, with different security rules depending on AD group membership.

Re: In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

shivunrp — Wed, 02 Aug 2023 02:01:31 GMT

Hello @AaronAxvig, thanks for the reply. How about the AD integration method and local user authentication (using Captive Portal). ?

Re: In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

AaronAxvig — Wed, 02 Aug 2023 13:15:00 GMT

Yeah that should work.

Re: In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

shivunrp — Thu, 03 Aug 2023 01:33:08 GMT

Thank you so much.