https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11609#M8535 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>While those <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">groups (IP range\VLAN) are accessing internal resources, is the same traffic passing through the PAN firewall....?</SPAN></P><P></P><P>If so, then you can create a policy to block internal resources base on user-group or source IP subnet.</P><P></P><P><IMG alt="security-policy.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11463_security-policy.JPG.jpg" style="width: 620px; height: 324px;" /></P><P></P><P>Thanks</P></BODY></HTML> Thu, 06 Feb 2014 03:36:18 GMT HULK 2014-02-06T03:36:18Z https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11608#M8534 <HTML><HEAD></HEAD><BODY><P>How can I restrict a certain group (ip range\VLAN) to internet only access.?&nbsp; I don't want them to get to internal network shares with unfamiliar devices. We use Aruba Clear pass to authenticate and assign IPs and the PA 500 sits on the parameter. I know the answer is not the PA but probably a mixture of my other network devices.</P><P>Clearpass Device manager and Juniper 4200 switches with cisco switches in IDF</P></BODY></HTML> Thu, 06 Feb 2014 02:54:56 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11608#M8534 MemphisBrothers 2014-02-06T02:54:56Z https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11609#M8535 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>While those <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">groups (IP range\VLAN) are accessing internal resources, is the same traffic passing through the PAN firewall....?</SPAN></P><P></P><P>If so, then you can create a policy to block internal resources base on user-group or source IP subnet.</P><P></P><P><IMG alt="security-policy.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11463_security-policy.JPG.jpg" style="width: 620px; height: 324px;" /></P><P></P><P>Thanks</P></BODY></HTML> Thu, 06 Feb 2014 03:36:18 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11609#M8535 HULK 2014-02-06T03:36:18Z https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11610#M8536 <HTML><HEAD></HEAD><BODY><P>If the layer 3 traffic is occurring on the Juniper or Cisco switches, you would need to implement the restrictions at that point of the traffic path.&nbsp; As Hulk notes, if the traffic reaches the Palo Alto before the destination then a rule here can restrict the access.&nbsp; But it sounds like you have internal layer 3 connections that are permitted without reaching the Palo Alto.</P><P></P><P>both Cisco and Juniper switches perform this function via packet based (not session based) filters.&nbsp; You create the allow filter and apply this to the layer 3 interface on the switch.</P><P></P><P>On the Juniper switches you would use the feature firewall filters applied to the RVI (Routed Vlan interface) on the switch.</P><P></P><P>Juniper Documentation</P><P><A href="http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html" title="http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html">Firewall Filters Configuration Guide - Technical Documentation - Support - Juniper Networks</A></P><P></P><P>Free Day One book on the feature:</P><P><A href="http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/" title="http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/">http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/</A></P><P></P><P>On the Cisco switches the feature is ACL (access control lists)</P><P></P><P>Cisco Documentation</P><P><A href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml" title="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml">Configuring IP Access Lists - Cisco Systems</A></P></BODY></HTML> Sat, 08 Feb 2014 13:31:31 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-users-to-internet-only/m-p/11610#M8536 pulukas 2014-02-08T13:31:31Z