topic Re: Create User based Internet access rule in General Topics

Create User based Internet access rule

Blueearthfoods — Mon, 28 Jan 2019 11:08:12 GMT

Hi,

Could someone please advise how I can limit internet access by user?

I would like the below

Block level 1 - blocks the bad stuff but allows everything else

Block level 2 - blocks everything apart from an allow list

I believe I have set Enable User-ID up and I have set 2 groups within AD and attached the users to those groups. I seem to be missing the last step though of linking the AD groups to the webfiltering object

Thanks

Re: Create User based Internet access rule

Brandon_Wertz — Mon, 28 Jan 2019 13:45:48 GMT

@Blueearthfoods wrote:
Hi,

Could someone please advise how I can limit internet access by user?

I would like the below

Block level 1 - blocks the bad stuff but allows everything else
Block level 2 - blocks everything apart from an allow list

I believe I have set Enable User-ID up and I have set 2 groups within AD and attached the users to those groups. I seem to be missing the last step though of linking the AD groups to the webfiltering object

Thanks

Are your level 1 and 2 blocks intended to be applied to two distinct user groups?

To leverage AD controls you need to configure these areas:

Device --> Authentication Profile

Device --> User Identification

Device --> Server Profiles --> LDAP

Re: Create User based Internet access rule

LukeBullimore — Mon, 28 Jan 2019 15:55:38 GMT

Hey @Blueearthfoods

As a followup to @Brandon_Wertz message, you need to confirm you have the following User-ID concepts in place.

1. Can the firewall map IP addresses to usernames?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users

2. Can the firewall map those usernames to groups?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups

If both are met, you can simply build your security policy as you normally would but under the "Source User" you can specify that AD group.

At a high level for your requirement, you would have something like.

Security policy to allow traffic outbound if the source user group is "block level 1", attach the relevant security profiles to the rule to block the "bad stuff" including a URL filtering profile which is blocking the recommended categories: Phishing, Malware, Command and Control etc.

https://docs.paloaltonetworks.com/best-practices/8-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

For the second requirement, you would create a new custom URL category for your whitelist, add all your sites there.

Add a new policy to allow traffic if they are going to this URL category for users in group "block level 2"

Add a new policy below this policy to block everything from the user group "block level 2"

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-category-as-policy-match-criteria

Cheers,

Luke.