topic Re: Denying Internet Connection Sharing in General Topics

Denying Internet Connection Sharing

Conde01 — Wed, 21 Dec 2011 15:12:58 GMT

Hi,

I've recently discovered that if a user shares their network connection by setting up an AP on their machine (think Mac 'Sharing') then whatever device is then connected can get online (the deny and allow policies still apply as expected). For example, a connecting iPad gets an address 10.0.0.3/32 from the workstation AP. The workstaion has 192.168.1.5. The Activity logs show the source IP as being 192.168.1.5. Is it possible to block the iPad (or see the 'real' source IP - 10.0.0.3/32). Hope that's clear.

Thanks

Nick

Re: Denying Internet Connection Sharing

rmonvon — Wed, 21 Dec 2011 15:53:09 GMT

You can try this: https://live.paloaltonetworks.com/docs/DOC-1503

Re: Denying Internet Connection Sharing

Conde01 — Wed, 21 Dec 2011 16:09:48 GMT

Thanks for the suggestion, but I don't want to block them, rather restrict tethered devices.

Thanks

Re: Denying Internet Connection Sharing

mharding — Wed, 21 Dec 2011 21:50:10 GMT

The short answer is no, the Mac is NAT'ing the 10.x.x.x network to it's real address of 192.168.x.x. The Palo Alto has no knowledge of this NAT. It only sees the 192.168.x.x address.

You could either secure the Mac desktops to prevent that behavior, or block based on User Agents.