Is there a simple way to prevent unauthenticated users from accessing the internet from the inside?
It is my understanding that you cannot negate AD Groups? True?
I was hoping to create a policy like this that would deny any unauthenticated users from accessing the internet.
Zone Address User Zone Address Action
LAN Any domain/domain users WAN Any Allow
Solved! Go to Solution.
The simplest being deny all access to 'unknown-user' in the "source user" field. That way only authenticated users will be able to gain access to whatever rules you permit whereas any unauthenticated traffic will be dropped.
Does that help?
If you setup a security policy like:
User: domain/domain users
followed with a (the built in default deny rule doesnt log):
Options: Log on session end
Then only clients from your LAN zone which are authenticated against the AD and belongs to the domain users group will be allowed to pass through.
Bill, I'm sorry. It's just "unknown" in the source user option:
Any traffic the PA is unable to correlate user <-> ip, using whichever authentication methods, is treated as "unknown" in the user field.
You can use the "unknown" user as an object for a Deny rule.
Hope it helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!