UserID

L1 Bithead

UserID

Hello

 

Does the User Identification feature work only with Active Directory user accounts or also with computer accounts? I would like to create a security rule that allows access to our internal resources only for computers with an active computer account in our AD; for computers without a valid computer account or with a disabled account, the traffic must be blocked.

 

BR

 

L6 Presenter

Re: UserID

You cannot use host level information to enforce security policy (i.e., computer group membership, or lack thereof).

L7 Applicator

Re: UserID

@CARRIERJerome,

You could build something like this with a dynamic group, address objects, and the XML API fairly easily that you could update on a scheduled basis. However, as @Brandon_Wertz says this isn't something natively supported by the firewall. 

 

L6 Presenter

Re: UserID


@BPry wrote:

@CARRIERJerome,

You could build something like this with a dynamic group, address objects, and the XML API fairly easily that you could update on a scheduled basis. However, as @Brandon_Wertz says this isn't something natively supported by the firewall.

 


Yeah, there's definitely "a way" to do it, but it's not a native feature set. I actually had this requirement about 5 years back and got it implemented at my company using an EDL, or back then it was a "dynamic block list."

 

If you query the computer AD security group via a script, dump that script to a file, then perform an NSLOOKUP of those hostnames and dump that IP address into another file. This file, which has the IP addresses, can be used in the EDL on Palo.
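
The procedure described in the last reply, as an added example that is not part of the original thread or any poster's script: it dumps the enabled computer accounts of an AD group to a file, resolves them, and writes the addresses one per line for the firewall to fetch as an IP-type EDL. The group name, file paths and minimum-entry threshold are assumptions; the web server that serves the output file is not shown.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Group name, paths and threshold are assumptions.
$GroupName  = 'Allowed-Computers'                       # hypothetical AD security group
$HostFile   = 'C:\edl\allowed-hosts.txt'                # hypothetical: hostname dump
$EdlFile    = 'C:\inetpub\wwwroot\edl\allowed-ips.txt'  # hypothetical: file the firewall fetches
$MinEntries = 1                                         # refuse to publish fewer addresses

# Step 1: enabled computer accounts in the group, dumped to a file.
# Disabled accounts are dropped here, so their addresses never reach the EDL.
$hostNames = @(
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { Get-ADComputer -Identity $_.distinguishedName } |
        Where-Object { $_.Enabled -and $_.DNSHostName } |
        ForEach-Object { $_.DNSHostName } |
        Sort-Object -Unique
)
$hostNames | Set-Content -Path $HostFile -Encoding ascii

# Step 2: resolve each hostname; a name with no A record is logged and skipped.
$ips = foreach ($name in Get-Content -Path $HostFile) {
    try {
        Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    } catch {
        Write-Warning "No A record for $name; left out of the EDL"
    }
}
$ips = @($ips | Sort-Object -Unique)

# Step 3: fail safe. If AD or DNS was unreachable, keep the previous EDL
# instead of publishing an empty or near-empty allow list.
if ($ips.Count -lt $MinEntries) {
    throw "Only $($ips.Count) addresses resolved; previous EDL left in place"
}

# Write to a temporary file and move it into place, so the firewall
# never fetches a half-written list.
$tmp = "$EdlFile.tmp"
$ips | Set-Content -Path $tmp -Encoding ascii
Move-Item -Path $tmp -Destination $EdlFile -Force
```

Run it as a scheduled task. The list is only as current as DNS and the schedule, so an address that DHCP reassigns between runs stays permitted until the next refresh.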
