topic Re: Active directory OU as selection for users security policy in General Topics

Active directory OU as selection for users security policy

ChrisKarakostas — Wed, 08 Sep 2021 15:43:46 GMT

Hello all

I am new in Palo Alto devices and PanOS, so here is my questions.

Is there a way to select an active directory OU as a source user in a security policy?

(Or something else to manage it)

Working with Forcepoint they apply policies to a whole OU (and also users and groups)

Thanks in advanced

Re: Active directory OU as selection for users security policy

PavelK — Wed, 08 Sep 2021 22:10:19 GMT

Thank you @ChrisKarakostas for posting question.

To my knowledge it is not possible. In the security policy, you can use only AD Groups or Users.

Here is the link for Documentation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-users-to-groups.html You can configure the Base-DN in LDAP profile for entire AD Domain, however when you configure Group Mapping Setting only Group Objects and User Objects are available and this is what you will end up using as source user in a security policy.

If you are setting this up for the first time from scratch, below are a few KBs for reference:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0

Note: After you complete the LDAP profile and Group Mapping Setting with user/group include list, you will have to commit it first before you can select user/group as a source in the security policy.

If you get stuck with the setup do not hesitate to post your problem here, I will do my best to help.

Kind Regards

Pavel

Re: Active directory OU as selection for users security policy

ChrisKarakostas — Sat, 11 Sep 2021 07:52:45 GMT

Ok , it is clear for the user-group selection.

Now let me ask for another subject.

I'm trying to create a security rule to permit only microsoft365 appications, and nothing else for a specific group of users.

I choose the relevant app-id with their depentencies , application-default in services,action allow, but that policy permits also every web browsing traffic.

No other policies ,except the default implicit ones

Where am i wrong

Re: Active directory OU as selection for users security policy

PavelK — Sat, 11 Sep 2021 08:50:47 GMT

Thank you @ChrisKarakostas for the update.

My best guess is following, if you have added the application: ms-office-365, then one of the dependency is: web-browsing. By adding this dependency, you have also enabled web browsing traffic:

Kind Regards

Pavel

Re: Active directory OU as selection for users security policy

ChrisKarakostas — Sat, 11 Sep 2021 09:16:20 GMT

I added it.

But my problem is that i DON'T want further internet browsing except microsoft365

With my policy , internet browsing if permitted at all

Re: Active directory OU as selection for users security policy

PavelK — Sat, 11 Sep 2021 10:10:25 GMT

Thank you for quick reply @ChrisKarakostas

I see. There might be other way around it, but probably the easiest one might be to configure your firewall to fetch IP addresses from EDL Hosting Service and configure this EDL as a destination in the policy you just created. Below links are covering more details:

https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/ba-p/410972

https://docs.paloaltonetworks.com/resources/edl-hosting-service.html

The actual process to configure it should be straight forward:

1. Import relevant certificates and configure EDL itself: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service.html#id846c30d3-765e-4e50-8466-90431d2c64b6

2. Add EDL to security policy as a destination and remove destination any.

Kind Regards

Pavel

Re: Active directory OU as selection for users security policy

ChrisKarakostas — Sat, 11 Sep 2021 17:16:08 GMT

It works.

Thanks again PavelK

Re: Active directory OU as selection for users security policy

aleksandar.astardzhiev — Mon, 13 Sep 2021 08:19:12 GMT

Hi @ChrisKarakostas ,

Regarding the Goup Mapping, @PavelK already provided excelent answer, to which I wanted to add:

You can check the "Custom Group" feature, which allowes you to create LDAP filter, based on which firewall will create user group that can be referenced in a rule - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ1CAK

Re: Active directory OU as selection for users security policy

ChrisKarakostas — Mon, 13 Sep 2021 12:29:08 GMT

That's very helpfull

Thanks Astardzhiev