Active directory OU as selection for users security policy

cancel
Showing results for 
Search instead for 
Did you mean: 

Active directory OU as selection for users security policy

L1 Bithead

Hello all

I am new in Palo Alto devices and PanOS, so here is my questions.

Is there a way to select an active directory OU as a source user in a security policy?

(Or something else to manage it)

Working with Forcepoint they apply policies to a whole OU (and also users and groups) 

Thanks in advanced

2 ACCEPTED SOLUTIONS

Accepted Solutions

L6 Presenter

Thank you @ChrisKarakostas for posting question.

 

To my knowledge it is not possible. In the security policy, you can use only AD Groups or Users.

Here is the link for Documentation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-users-to-groups.html You can configure the Base-DN in LDAP profile for entire AD Domain, however when you configure Group Mapping Setting only Group Objects and User Objects are available and this is what you will end up using as source user in a security policy.

 

If you are setting this up for the first time from scratch, below are a few KBs for reference:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0

 

Note: After you complete the LDAP profile and Group Mapping Setting with user/group include list, you will have to commit it first before you can select user/group as a source in the security policy.

 

If you get stuck with the setup do not hesitate to post your problem here, I will do my best to help.

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

L6 Presenter

Thank you for quick reply @ChrisKarakostas 

 

I see. There might be other way around it, but probably the easiest one might be to configure your firewall to fetch IP addresses from EDL Hosting Service and configure this EDL as a destination in the policy you just created. Below links are covering more details:

 

https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/...

https://docs.paloaltonetworks.com/resources/edl-hosting-service.html

 

The actual process to configure it should be straight forward:

1. Import relevant certificates and configure EDL itself: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

2. Add EDL to security policy as a destination and remove destination any.

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

8 REPLIES 8

L6 Presenter

Thank you @ChrisKarakostas for posting question.

 

To my knowledge it is not possible. In the security policy, you can use only AD Groups or Users.

Here is the link for Documentation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-users-to-groups.html You can configure the Base-DN in LDAP profile for entire AD Domain, however when you configure Group Mapping Setting only Group Objects and User Objects are available and this is what you will end up using as source user in a security policy.

 

If you are setting this up for the first time from scratch, below are a few KBs for reference:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0

 

Note: After you complete the LDAP profile and Group Mapping Setting with user/group include list, you will have to commit it first before you can select user/group as a source in the security policy.

 

If you get stuck with the setup do not hesitate to post your problem here, I will do my best to help.

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Ok , it is clear for the user-group selection.

Now let me ask for another subject.

I'm trying to create a security rule to permit only microsoft365 appications, and nothing else for a specific group of users.

I choose the relevant app-id with their depentencies , application-default in services,action allow, but that policy permits also every web browsing traffic.

No other policies ,except the default implicit ones

Where am i wrong

L6 Presenter

Thank you @ChrisKarakostas for the update.

 

My best guess is following, if you have added the application: ms-office-365, then one of the dependency is: web-browsing. By adding this dependency, you have also enabled web browsing traffic:

 

PavelK_0-1631350055923.png

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

L1 Bithead

I added it.

But my problem is that i DON'T want further internet browsing except microsoft365

With my policy , internet browsing if permitted at all

L6 Presenter

Thank you for quick reply @ChrisKarakostas 

 

I see. There might be other way around it, but probably the easiest one might be to configure your firewall to fetch IP addresses from EDL Hosting Service and configure this EDL as a destination in the policy you just created. Below links are covering more details:

 

https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/...

https://docs.paloaltonetworks.com/resources/edl-hosting-service.html

 

The actual process to configure it should be straight forward:

1. Import relevant certificates and configure EDL itself: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

2. Add EDL to security policy as a destination and remove destination any.

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

It works.

Thanks again PavelK

Hi @ChrisKarakostas ,

 

Regarding the Goup Mapping, @PavelK  already provided excelent answer, to which I wanted to add:

You can check the "Custom Group" feature, which allowes you to create LDAP filter, based on which firewall will create user group that can be referenced in a rule - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ1CAK

 

That's very helpfull

Thanks

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!