topic Re: Specify policy by machine name/workgroup? in General Topics

Specify policy by machine name/workgroup?

thatguy — Tue, 14 Jan 2014 21:54:03 GMT

Hey there --

So this is an odd thing that's probably it simple fix.. hoping anyway. We have 99% of our PCs on the same subnet and domain, however several of these machines are owned by an outside company and are "borrowing" our internet link. They are in their own workgroup (not on our domain), but share our address space (192.168.1.x/24).

I have an OpenInternet policy that allows users in a specific domain security group full access to the internet; and I have another policy (LimitedInternet) that has strict URL filtering for users not in that group. My question -- is there a way to allow those workgroup computers (either by workgroup or machine name) access to the OpenInternet policy?

Thanks!

-- michael~

Re: Specify policy by machine name/workgroup?

HULK — Tue, 14 Jan 2014 22:17:50 GMT

Hello Sir,

As you have 99% of the traffic from domain users, So, any non-domain traffic the PA will not be unable to correlate user <-> ip, then it will treated as "unknown" in the user field.

You can use the "unknown" user as an object for a Deny/strict policy rule.

Thanks

Re: Specify policy by machine name/workgroup?

thatguy — Wed, 15 Jan 2014 18:41:16 GMT

Thank you for the reply.. and that seems to work.. should I be concerned about the commit warning that the "Non-domainUsers shadows LimitedInternet"?

The policies are ordered as:

OpenInternet sourceuser: domain\openinternetgroup LooseFiltering

Non-domainUsers sourceuser: unknown LooseFiltering

LimitedInternet sourceuser: any StrictFiltering

And is there any way to include both the domain group and unknown user in the same policy?

Thanks!

Re: Specify policy by machine name/workgroup?

Retired Member — Thu, 16 Jan 2014 09:43:59 GMT

commit warning is not important.(if it is fixed by the support will be better )

to include domain group , there is no way except cloning the rule and select each.(as you did)

Re: Specify policy by machine name/workgroup?

pulukas — Sat, 18 Jan 2014 12:20:17 GMT

"Non-domainUsers shadows LimitedInternet"

Shadow means that your new rule for Non-domainUsers has match criteria that the rule LimitedInternet will never be used. You have essentially replaced LimitedInternet with Non-domainUsers.

If this situation is acceptable then you should delete LimitedInternet.

If this is not acceptable, then we need to look more closely at the match conditions for the two rules to determine how to separate the desired traffic and block what you wish to block.

Re: Specify policy by machine name/workgroup?

Retired Member — Sat, 18 Jan 2014 13:18:24 GMT

when you look for that 3 rule, if a user is in a domain group named abc, then it's session will match to Limitedİnternet.So shadow error is a bug.it does not have the same/much ciriteria.if you change the order of 2nd and 3rd rule.Than yes there will be a shadow situation there.

Re: Specify policy by machine name/workgroup?

SDorsey — Sun, 19 Jan 2014 07:08:41 GMT

I for some reason didn't realize unknown was an available option. Thanks for the info!