AD OU / ACL Rule



L0 Member

Can Palo Alto use computers identified in a specific Active Directory OU in an ACL rule?

If so, how?

Thanks in advance.

Accepted solution

Cyber Elite

Hello,

While the PAN cannot do this for 'computer' objects in AD, it can perform this for 'users'. If you only have a few machines, one method could be to use DNS names (dynamic) or just their IP addresses (static). I have come across times where I needed a rule for a few machines and I ended up using either their DNS names or IPs.

Hope this helps.

3 replies


Ok, good deal. I assumed it may have to be IP based, but we have OUs and thought there might be a more concise way to do this.

Thank you!


L5 Sessionator

Hi Arthur,

Welcome to the community.

Palo Alto Networks devices recognize groups in AD, and you can apply an ACL to specific user groups:

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/enable-user-and-group-based-...

More info on User-ID: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id

I know that does not exactly answer your question, but PAN-OS offers different concepts for users (the above-mentioned User-ID) and for devices (HIP checks). You can both identify users and verify the health of the devices they use for access by using GP agents internally: https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/use-host-i... and different policies can be assigned to users depending on the health of their underlying devices.

You can also group devices by IP addresses or their networks (you can define those under Objects > Addresses and also Address Groups, to aggregate further) and then apply ACLs to those specific hosts/networks.

Perhaps some of the mentioned can help you with your issue a bit more.

 

Best regards,

Luciano
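Worked example (added here; it is not code from the thread or from Palo Alto Networks). Both answers above come down to the same workaround: export the computers of the OU, turn each one into an address object (FQDN for the "dynamic" DNS-name variant, /32 for the "static" IP variant), collect them in an address group under Objects > Addresses / Address Groups, and reference that group as the source of a security rule. The script below generates the PAN-OS CLI `set` commands for that. It assumes the OU has already been exported to a list of records, e.g. with `Get-ADComputer -SearchBase "<OU DN>" -Filter * -Properties DNSHostName,IPv4Address`, and that the firewall's DNS server can resolve the AD-integrated zone; the `corp.example` domain, OU, host names, addresses and object names are constructed sample data.

```python
"""Build PAN-OS address objects and an address group from the computers
in one Active Directory OU, so that a security rule can reference them.

Added example, not code from the thread or from Palo Alto Networks.  The
OU export is assumed to have been done already (for example with
  Get-ADComputer -SearchBase "<OU DN>" -Filter * -Properties DNSHostName,IPv4Address)
and is represented by the constructed list OU_COMPUTERS below.
"""
import re

# Constructed sample export of one OU (hypothetical corp.example domain).
OU_DN = "OU=Finance Workstations,OU=Workstations,DC=corp,DC=example"
OU_COMPUTERS = [
    {"name": "FIN-WS01", "dnshostname": "fin-ws01.corp.example", "ipv4": "10.20.5.11"},
    {"name": "FIN-WS02", "dnshostname": "fin-ws02.corp.example", "ipv4": "10.20.5.12"},
    # Laptop that is off the network right now: AD has no current IPv4 for it.
    {"name": "FIN-LT07", "dnshostname": "fin-lt07.corp.example", "ipv4": None},
]

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def object_name(prefix, computer_name):
    """Derive a PAN-OS object name (letters, digits, '.', '_', '-'; 63 chars max)."""
    return (prefix + "-" + _UNSAFE.sub("-", computer_name))[:63].lower()


def address_commands(computers, prefix, mode):
    """Return one 'set address' command per computer.

    mode="fqdn": FQDN objects. The firewall resolves them itself, so a host
                 that gets a new DHCP lease keeps matching the rule.
    mode="ip":   static /32 objects. Simple, but stale as soon as the host's
                 address changes; computers without a known IP are skipped.
    """
    if mode not in ("fqdn", "ip"):
        raise ValueError("mode must be 'fqdn' or 'ip'")
    cmds = []
    for c in computers:
        name = object_name(prefix, c["name"])
        if mode == "fqdn":
            cmds.append(f"set address {name} fqdn {c['dnshostname']}")
        elif c["ipv4"]:
            cmds.append(f"set address {name} ip-netmask {c['ipv4']}/32")
    return cmds


def group_command(computers, prefix, group, mode):
    """Return the static 'set address-group' command collecting the objects."""
    members = [object_name(prefix, c["name"])
               for c in computers if mode == "fqdn" or c["ipv4"]]
    return f"set address-group {group} static [ {' '.join(members)} ]"


def rule_command(rule, group, from_zone, to_zone):
    """Return a security rule whose source is the address group (no User-ID)."""
    return (f"set rulebase security rules {rule} from {from_zone} to {to_zone} "
            f"source [ {group} ] destination any application any "
            f"service application-default action allow")


def build_config(computers, prefix, group, rule, mode="fqdn"):
    """All CLI lines to paste into 'configure' mode, followed by 'commit'."""
    return (address_commands(computers, prefix, mode)
            + [group_command(computers, prefix, group, mode),
               rule_command(rule, group, "trust", "dmz")])


if __name__ == "__main__":
    print("# objects derived from", OU_DN)
    for line in build_config(OU_COMPUTERS, "ad-finws",
                             "grp-finance-workstations", "finance-ws-to-dmz"):
        print(line)
```

Two caveats a practitioner should keep in mind. First, OU membership is only as current as the last export: re-run the script and re-push the objects whenever computers are added to or removed from the OU, otherwise the group silently drifts from AD. Second, an address object matches a network identity, not a domain-joined machine: any device that obtains one of those IPs, or that the firewall's DNS resolves for one of those names, matches the rule too, which is why the thread's other suggestion (User-ID for the person, HIP checks for device posture) is the stronger control where it fits.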
