03-01-2016 01:58 PM
Can Palo Alto use computers identified in a specific Active Directory OU in an ACL rule?
If so, how?
Thanks in advance.
03-01-2016 04:32 PM
Hello,
While the PAN cannot do this for 'computer' objects in AD, it can perform this for 'users'. If you only have a few machines, one method could be to use DNS names (dynamic) or just their IP addresses (static). I have come across times where I needed a rule for a few machines and I ended up using either their DNS names or IPs.
Hope this helps.
03-02-2016 11:51 AM
OK, good deal. I assumed it may have to be IP based, but we have OUs and thought there might be a more concise way to do this.
Thank you!
@OtakarKlier wrote:
Hello,
While the PAN cannot do this for 'computer' objects in AD, it can perform this for 'users'. If you only have a few machines, one method could be to use DNS names (dynamic) or just their IP addresses (static). I have come across times where I needed a rule for a few machines and I ended up using either their DNS names or IPs.
Hope this helps.
03-02-2016 01:11 PM
Hi Arthur,
welcome to the community.
Palo Alto Networks devices recognize groups in AD, and you can apply ACL to specific user groups:
More info on UserID: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id
I know that does not exactly answer your question, but PAN-OS offers different concepts for users (above mentioned UserID) and for devices (HIP checks). You can both identify users and verify health of devices they use for access by using GP agents internally: https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/use-host-i... and different policies can be assigned to users depending on the health of their underlying devices.
You can also group devices by IP addresses or their networks (you can define those under Objects > Addresses and also Address Groups, to aggregate further) and then apply ACLs to those specific hosts/networks.
Perhaps some of what I mentioned can help you with your issue a bit more.
Best regards,
Luciano
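The DNS-name-or-IP workaround described in the replies, as an added example that is not from this thread or from Palo Alto Networks: a script that takes the computer objects of one AD OU (a constructed sample stands in for the LDAP search result) and emits PAN-OS `set` commands for one address object per host, FQDN (dynamic) or IP (static), plus a static address group that a rule can reference. The OU, hostnames, IPs and the `resolve` callback are assumptions; hosts with no DNS answer are reported rather than guessed.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed sample standing in for an LDAP search result of
# (objectClass=computer) objects; OU, hostnames and IPs are hypothetical.
SAMPLE_COMPUTERS = [
    {"dn": "CN=WS-FIN-01,OU=Finance,OU=Workstations,DC=corp,DC=example",
     "dNSHostName": "ws-fin-01.corp.example"},
    {"dn": "CN=WS-FIN-02,OU=Finance,OU=Workstations,DC=corp,DC=example",
     "dNSHostName": "ws-fin-02.corp.example"},
    {"dn": "CN=WS-HR-01,OU=HR,OU=Workstations,DC=corp,DC=example",
     "dNSHostName": "ws-hr-01.corp.example"},
]
# Constructed DNS answers; ws-fin-02 deliberately has no record.
SAMPLE_DNS = {"ws-fin-01.corp.example": "10.20.1.11"}


def in_ou(dn: str, ou_dn: str) -> bool:
    """True if the object sits in ou_dn or in any OU nested below it."""
    return dn.lower().endswith("," + ou_dn.lower())


def object_name(hostname: str) -> str:
    """PAN-OS object names: letters, digits, '.', '_' and '-', max 63 chars."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", hostname)[:63]


def build_set_commands(computers: List[dict], ou_dn: str, group: str, mode: str,
                       resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Emit PAN-OS 'set' commands for the computers of one OU.

    mode="fqdn": one FQDN address object per host (the firewall resolves it).
    mode="ip":   one ip-netmask object per host, resolved now via resolve().
    """
    commands, members, unresolved = [], [], []
    for entry in computers:
        if not in_ou(entry["dn"], ou_dn):
            continue
        host = entry["dNSHostName"]
        name = object_name(host)
        if mode == "fqdn":
            commands.append(f"set address {name} fqdn {host}")
        else:
            raw = resolve(host)
            if raw is None:
                unresolved.append(host)  # report, never guess an address
                continue
            ip = ipaddress.ip_address(raw)  # rejects malformed answers
            commands.append(f"set address {name} ip-netmask {ip}/{ip.max_prefixlen}")
        members.append(name)
    if members:
        commands.append(f"set address-group {group} static [ {' '.join(members)} ]")
    return {"commands": commands, "unresolved": unresolved}
```

Against a live directory, `SAMPLE_COMPUTERS` would come from an LDAP query scoped to the OU and `resolve` from a DNS lookup; the static group then has to be regenerated whenever the OU changes, which is the maintenance cost the replies allude to.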