https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255137#M72410 <P>Hello</P><P>&nbsp;</P><P>Is Userd Identification feature works only whith Active Directory users account or also with Computers accounts ? I would like to create a security rule who allow access on our internal ressources only for computer with an active computer account in our AD and for computer without an valid computer account or disable account, the traffic must be blocked.</P><P>&nbsp;</P><P>BR</P><P>&nbsp;</P> Wed, 27 Mar 2019 06:43:11 GMT CARRIERJerome 2019-03-27T06:43:11Z https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255137#M72410 <P>Hello</P><P>&nbsp;</P><P>Is Userd Identification feature works only whith Active Directory users account or also with Computers accounts ? I would like to create a security rule who allow access on our internal ressources only for computer with an active computer account in our AD and for computer without an valid computer account or disable account, the traffic must be blocked.</P><P>&nbsp;</P><P>BR</P><P>&nbsp;</P> Wed, 27 Mar 2019 06:43:11 GMT https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255137#M72410 CARRIERJerome 2019-03-27T06:43:11Z https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255163#M72413 <P>You cannot use host level information to enforce security policy.&nbsp; (ie computer group membership, or lack there of)</P> Wed, 27 Mar 2019 17:26:22 GMT https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255163#M72413 Brandon_Wertz 2019-03-27T17:26:22Z https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255324#M72462 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/84878">@CARRIERJerome</a>,</P><P>You could build something like this with a dynamic group, address objects, and the XML API fairly easily that you could update on a scheduled basis. However, as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;says this isn't something natively supported by the firewall.&nbsp;</P><P>&nbsp;</P> Thu, 28 Mar 2019 21:09:53 GMT https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255324#M72462 BPry 2019-03-28T21:09:53Z https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255325#M72463 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;wrote:<BR /><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/84878">@CARRIERJerome</a>,</P><P>You could build something like this with a dynamic group, address objects, and the XMLAPII fairly easily that you could update on a scheduled basis. However, as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;says this isn't somethingnativelyy supported by the firewall.&nbsp;</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Yeah there's definitely "a way" to do it, but it's not native feature set.&nbsp; I actually had this requirement about 5 years back and got it implemented at my company using an&nbsp;EDL or back then it was a "dynamic block list."&nbsp;&nbsp;</P><P>&nbsp;</P><P>If you query&nbsp;the computer AD security group via a script, dump that script to a file, then perform an NSLOOKUP of those&nbsp;hostnames&nbsp;dump that IP address into another file.&nbsp; This file which has the IP addresses can be used in the&nbsp;EDL on&nbsp;Palo.</P> Thu, 28 Mar 2019 21:25:01 GMT https://live.paloaltonetworks.com/t5/general-topics/userid/m-p/255325#M72463 Brandon_Wertz 2019-03-28T21:25:01Z