topic Re: machine authentication in General Topics

machine authentication

bsimunko@recro-net.hr — Tue, 22 Apr 2014 12:21:23 GMT

hello!

we have a need to identify user machines associated with a domain. specifically, we want to create security policies based upon domain membership. is that even possible, and how would we achieve this functionality?

thnx!

Re: machine authentication

Rham — Tue, 22 Apr 2014 12:27:35 GMT

Hello,

best to start here

User-ID Best Practices - PAN-OS 5.0, 6.0

Re: machine authentication

bsimunko@recro-net.hr — Tue, 22 Apr 2014 12:47:40 GMT

so basically, just use the userid agent as usual...

when creating a security policy, under source user, append the $ sign at the end (ie mydomain\computername$)

but what if we do not want to list every single computer, just filter the domain? as far as i know, there is no wildcard for this, you can not enter mydomain\*$

Re: machine authentication

HULK — Tue, 22 Apr 2014 15:40:47 GMT

Hello Sir,

You can crete a user group in your AD server, which will include all domain users and map under Device >> User Identification >> Group-mapping. After that, you can refer that group under security policy.

Thanks

Re: machine authentication

bsimunko@recro-net.hr — Tue, 22 Apr 2014 15:48:53 GMT

i feel like the message is not really going through...

i am not asking about identification of users (humans), i'm asking about identifying computers (machines) that are domain members. i would like to have a set of policies applied for all COMPUTERS that are members and a different set for non-domain COMPUTERS (for example guests on the network)

Re: machine authentication

hheck — Tue, 22 Apr 2014 15:58:33 GMT

Are you trying to map IPs to both users and computers, so that if it is the computer making the request, it shows up as the computer account instead of the user that was last logged in/cached on that IP? Just trying to help clarify, so I don't actually have an answer for the question, but this is what I understood from your original question.

Re: machine authentication

bsimunko@recro-net.hr — Tue, 22 Apr 2014 16:02:25 GMT

yes, that is what i'm trying to do! i am not interested in the logged in user, just the computer (and they are NOT terminals).

i know it sounds silly, but customers are silly sometimes....

Re: machine authentication

knarra1 — Tue, 22 Apr 2014 17:14:25 GMT

one way to identify if pc is domain or non-domain is to make use of the HIP profiles and use the hip profile in the security policy. To get the HIP report, you will have to configure gloabal protect for internal gateway . You will need Global protect portal license for internal gateways https://live.paloaltonetworks.com/docs/DOC-3930 - How to Configure Internal GlobalProtect Only https://live.paloaltonetworks.com/docs/DOC-6066 - configuring HIP profiles to use in security policies

Re: machine authentication

hheck — Tue, 22 Apr 2014 17:19:51 GMT

HIP has nothing to do with the request. What he is looking to do is to differentiate traffic that is initiated by the SYSTEM account, and other non user accounts, versus what is initiated by the user accounts. This way he can have a policy that says "group of computer" can access APP, but the user initiated traffic doesn't necessarily have to be allowed to do that.

It's one thing to associate a user to an IP, which is what is currently done. What he is looking for is to associate TRAFFIC to a user.