https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146416#M49187 <P>At my company we make use of EDLs to accomplish.</P><P>&nbsp;</P><P>We built a script which scrubs the AD groups we want. &nbsp;We then bump that script againts DNS. &nbsp;That DNS output is dumped into a text file on our internal network which is hosted behind IIS. &nbsp;We then target the Palo to that .txt file and leverage that object in the firewall for security policy controls.</P><P>&nbsp;</P><P>&nbsp;</P><P>This process is cumbersome for sure, but works for us.</P> Tue, 07 Mar 2017 15:37:13 GMT Brandon_Wertz 2017-03-07T15:37:13Z https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146301#M49171 <P>I see history here indicating the user-id agent has been blind to computer names when the group membership is added to user IDs. &nbsp;The CLI DOES show the computer name as a userID (with a post-pended $) and the groups are mapped correctly to the computer group I created and dumped the computer in.</P><P>&nbsp;</P><P>On the other hand the USER signed into that computer does not show the computer group as one of their member groups.</P><P>&nbsp;</P><P>It looks like the base data is in the firewall but I can't get traffic or security policies to recognize the traffic from the computer name, only the AD user name.</P><P>&nbsp;</P><P>Is there some way I can introduce computer names and/or computer groups into user-id based enforcement? My goal is to create a few policies based on AD computer group. Maybe custom AD groups in the Group Mappings Settings?</P> Tue, 07 Mar 2017 01:54:25 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146301#M49171 JWileyR 2017-03-07T01:54:25Z https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146416#M49187 <P>At my company we make use of EDLs to accomplish.</P><P>&nbsp;</P><P>We built a script which scrubs the AD groups we want. &nbsp;We then bump that script againts DNS. &nbsp;That DNS output is dumped into a text file on our internal network which is hosted behind IIS. &nbsp;We then target the Palo to that .txt file and leverage that object in the firewall for security policy controls.</P><P>&nbsp;</P><P>&nbsp;</P><P>This process is cumbersome for sure, but works for us.</P> Tue, 07 Mar 2017 15:37:13 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146416#M49187 Brandon_Wertz 2017-03-07T15:37:13Z https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146578#M49228 <P>Brandon, thanks for the reply. I'm guessing that the pain you go through to harvest this data is a result of not having a palo-alto supported solution to this? Does anyone else have alternatives? Something in PANOS 8 maybe?</P> Wed, 08 Mar 2017 02:08:14 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146578#M49228 JWileyR 2017-03-08T02:08:14Z https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146656#M49243 <P>Correct as of 7.1 and lower. &nbsp;There's no way I know of to enumerate computer groups and apply them to a "source" or "dest" for security policy.</P> Wed, 08 Mar 2017 14:46:22 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-enforce-security-based-in-ad-computer-groups-yet/m-p/146656#M49243 Brandon_Wertz 2017-03-08T14:46:22Z