https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234569#M6116 <P>Hello,</P><P>We have a requirement to control connections from local virtual machines (VMs) to public endpoints. Specifically, we need to enforce access policies based on:</P><UL><LI>The type of client submitting the request (e.g., web browser vs. desktop tool)</LI><LI>The IP address of the VM from which the request originates</LI></UL><P>&nbsp;</P><P>Is it possible to implement such granular controls?&nbsp;</P><P>Thank you for your insights!</P> Wed, 23 Jul 2025 19:37:32 GMT pan_iv 2025-07-23T19:37:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234569#M6116 <P>Hello,</P><P>We have a requirement to control connections from local virtual machines (VMs) to public endpoints. Specifically, we need to enforce access policies based on:</P><UL><LI>The type of client submitting the request (e.g., web browser vs. desktop tool)</LI><LI>The IP address of the VM from which the request originates</LI></UL><P>&nbsp;</P><P>Is it possible to implement such granular controls?&nbsp;</P><P>Thank you for your insights!</P> Wed, 23 Jul 2025 19:37:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234569#M6116 pan_iv 2025-07-23T19:37:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234662#M6123 <P>Source IP address is easy, just put that in a security rule.</P> <P>You should be able to create a custom application with signatures based on header information to identify the type of client. You would just have to inspect the traffic to find something to match that differentiates between browser vs tool.</P> Thu, 24 Jul 2025 21:28:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234662#M6123 rmfalconer 2025-07-24T21:28:35Z https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234686#M6128 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733">@rmfalconer</a>&nbsp; suggestion is good as the User-Agent header can be used in such cases but don't think that this is a good security as there are dedicated WAF systems that use javascripts to verify if a user is bot/tool or web browser like the one in Prisma Cloud product.</P><P>&nbsp;</P><P>For custom signatures you can take a look at:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-articles/how-to-write-palo-alto-networks-custom-vulnerability-and/ta-p/1228494" target="_blank">How to Write Palo Alto Networks Custom Vulnerability and Application Signatures with Examples | Palo Alto Networks</A></P> Fri, 25 Jul 2025 07:37:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/can-ngfw-block-trafic-depending-on-the-client-and-source-ip/m-p/1234686#M6128 nikoolayy1 2025-07-25T07:37:05Z