https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50346#M37055 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>is it possible to create a security policy with user/group with NOT form?</P><P></P><P>for example :&nbsp; <STRONG>LAN =&gt; WAN&nbsp;&nbsp; !domain-group&nbsp;&nbsp; any&nbsp;&nbsp; all-app&nbsp;&nbsp; deny</STRONG></P><P></P><P>My task is to create a rule in order to block all known users except those belongs to a specific domain group indentified correctly in the PAN GUI via LDAP handshake.</P><P></P><P>I've tried introducing a simple "!" simbol before the group name. Commit is OK but in practice nothing happened. </P><P></P><P>If somebody has tried succesfully a smarter solutions please inform me.</P><P></P><P>Regards</P></BODY></HTML> Sat, 09 Apr 2011 20:54:05 GMT zanonibs 2011-04-09T20:54:05Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50346#M37055 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>is it possible to create a security policy with user/group with NOT form?</P><P></P><P>for example :&nbsp; <STRONG>LAN =&gt; WAN&nbsp;&nbsp; !domain-group&nbsp;&nbsp; any&nbsp;&nbsp; all-app&nbsp;&nbsp; deny</STRONG></P><P></P><P>My task is to create a rule in order to block all known users except those belongs to a specific domain group indentified correctly in the PAN GUI via LDAP handshake.</P><P></P><P>I've tried introducing a simple "!" simbol before the group name. Commit is OK but in practice nothing happened. </P><P></P><P>If somebody has tried succesfully a smarter solutions please inform me.</P><P></P><P>Regards</P></BODY></HTML> Sat, 09 Apr 2011 20:54:05 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50346#M37055 zanonibs 2011-04-09T20:54:05Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50347#M37056 <HTML><HEAD></HEAD><BODY><P>There are certain fields that can be negated (e.g. source and destination address) but I don't believe you can negate by source user group.&nbsp; The way to accomplish this is to use two rules in this order:</P><P></P><OL><LI>LAN -&gt; WAN&nbsp; domain-group&nbsp; any&nbsp; all-app&nbsp; Allow</LI><LI>LAN -&gt; WAN&nbsp; any-user&nbsp; any&nbsp; all-app&nbsp; Deny</LI></OL><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Sun, 10 Apr 2011 18:41:13 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50347#M37056 kbrazil 2011-04-10T18:41:13Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50348#M37057 <HTML><HEAD></HEAD><BODY><P>Sometimes is quite useful deny a specific source in the beginning rather than apply the classic "deny any any" at the end.</P><P></P><P>But if is not possible using the negate form of a source group/user then the solution you proposed it's the only that works.</P><P></P><P>Thanks for support </P></BODY></HTML> Thu, 14 Apr 2011 08:40:19 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-group-in-negate-form/m-p/50348#M37057 zanonibs 2011-04-14T08:40:19Z