topic Re: Create Policy based on workstation name and AD group membership? in General Topics

Create Policy based on workstation name and AD group membership?

promsos — Wed, 17 Apr 2013 14:59:54 GMT

I'm wondering if there is a way to create a policy based on workstations in a certain AD group.

Here's what I'm trying to accomplish... I want to have a security group in our Active Directory, say "Privileged Workstations" for a name. Any workstation that is a member of the "Privileged Workstations" group will have a static IP and will need to have access to applications that are outside of our normal scope of allowed applications. My goal is to setup a sort of self service group for our server team so if a server needs access to LogMeIn, for example, they can simply add the server to the AD group and I won't need to make any changes on my Palo Alto itself. I do not want to write my Policy based on username as the username for the servers is not consistently identified (unless there is a way to statically create a username to ip mapping?).

Has anyone set anything up like this before? Maybe I'm just missing something really easy, or maybe this just can't be accomplished.

Any help would be appreciated. Thanks.

Paul

Re: Create Policy based on workstation name and AD group membership?

Anon1 — Wed, 17 Apr 2013 20:29:45 GMT

Maybe you could create an "dynamic address object" and use it in the firewall rule. Then craft a script that reads the AD group and writes to the dynamic address object via XML API.

Re: Create Policy based on workstation name and AD group membership?

kdd — Thu, 18 Apr 2013 15:36:09 GMT

hi Paul,

when a user wants to get connect to for example LogMeIn then he is known on the AD-Server. The security group in the policy can be used because the group is also known on the AD-Server (the user have to be a member of this group)

The PAN-Agent is looking into the log of AD-Server ( it is not necessary to use an AD-Server) and sends this data to the Palo Alto. so the PA knows the IP and no user or ip-address has to be used. may the service or the app is changing.

Cheers Klaus

Re: Create Policy based on workstation name and AD group membership?

promsos — Thu, 18 Apr 2013 15:48:38 GMT

Thanks for the idea, this seems like it would probably work for me. I'm not on 5.x yet but I'll look into an upgrade to potentially use this solution.

Re: Create Policy based on workstation name and AD group membership?

promsos — Thu, 18 Apr 2013 16:09:14 GMT

Hi Klaus -

Maybe my example of using LogMeIn wasn't the best example to use in this situation because that may require a user to go out and manually initiate a connection. What we'll really be doing is allowing a vendor to remotely connect to certain PC's in our company via TeamViewer or a similar app. It's possible that these machines won't actually be logged into by a user for months (they just sit there pulling and pushing data) and even when service is needed a user probably won't be logging into the machine before support tries to connect remotely. Because user's won't login often (if at all) any solution using a username won't work for us since the username will most liekly .

Maybe I misunderstood the solution you're proposing, if so just let me know.

Thanks for the response.

Paul