This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Advise on using AD user-id in local PA groups?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Advise on using AD user-id in local PA groups?

zthiel
L2 Linker

‎04-10-2019 11:39 AM

I am struggling with utilizing ActiveDirectory groups in firewall policy. My concern is then our AD administrators have control over transversing our firewall policy. Generally speaking say for example we have a FW policy setup where AD group ServerAdmins has <some type of> to a resource, they (the AD administrator) could very easily throw any user into that group thus giving sed person access to the resource. However I do love the user-ID capabilities and want to leverage that but it gets tideous having individiaul users defined in policy.

 

So my thought\question is if I could have a locally defined PA group (that I administrator) this would allow me to add the ActiveDirectory defined users into this group and then use this group in FW policy. Now I'm getting the benefits of user-ID and efficiency of using groups in firewall policy.

 

Curious if this is at all possible or if anyone else has any other options\ideas?

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎04-10-2019 12:03 PM

Hello,

Yes this could be an issue. What we did was implement compensating controls. We have our security analysts review the revious days SIEM reports for users added/removed from certain groups. If there is a change, then a support ticket needs to have been entered for the correct action, i.e. user B was added to group F for reason Y. I can also see how this could become a tedious process in a large environment but reports can be substituted for alerts/alarms that need to be reviewed.

 

If you go with a local user/group the end user now needs to have those credentials and this can be tedious as well for the firewall admins. 

 

Hope that helps.

0 Likes Likes

Mick_Ball
L7 Applicator

‎04-10-2019 10:26 PM

Similar issue for us, we are very restrictive on file uploading and block all webmail.

 

to get around the AD admin issues mentioned we have policies that overide some restrictions (where needed) and just add the users direct to that policy.

 

its no different than having local groups but if you have many policies that are an issue then yes groups will just save you entering individual names.

 

 

0 Likes Likes

Mick_Ball
L7 Applicator
In response to Mick_Ball

‎04-10-2019 10:47 PM

Oops sorry @zthiel , i just noticed your comments on individual users....

0 Likes Likes
  • 2361 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks