Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Blocking All Internet Traffic from certain PCs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking All Internet Traffic from certain PCs

L3 Networker

I have several older machines (XP) that are used for special purposes that cannot be be upgraded. Even the hardware cannot be upgraded or replaced (running on old dell dimenion desktops).  These machines do not need access to the internet but they are on the same domain and need to be able to communicate with other domain machines.  I want to make it where these machines cannot access any internet resources to reduce the change of malware/virus type activities.  I was thinking that I can setup a rule/URL filter, that would block access and add these machines IP addresses to the list.  Is this the best way to achieve this goal?

 

Thanks 

2 accepted solutions

Accepted Solutions

Hello,

Even a DHCP address with a reservation would be OK, as long as these IP's dont change. You wouldnt have to have a new URL policy, just one that blocks traffic from trust -> untrust. While you could get tricky with the config, I would say simple works best. 

 

Hope this helps!

View solution in original post

Hello,

Even in vwire mode you are still able to accomplish this. Each side of the vwire should have its own zone, i.e. trust and untrust (these are just names, can be anmed anything as long as it makes sense to you). Lets say the PC's you want to block internet from are on the trust side. Just create 2 policies such as:

 

Untitled.jpg 

 

 

Just like the ASA the PAN reads rules top down left to right. So as long as the rule matches the appropriate action is taken.

 

Hope that helps.

 

View solution in original post

13 REPLIES 13

L6 Presenter

@jharlow The only native was to do it is via IP (Static or FQDN entry).  Or if you've got a list that can be dynamically updated I've explained here how I've deployed a list of dynamically updating machines.

 

https://live.paloaltonetworks.com/t5/General-Topics/Can-I-enforce-security-based-in-AD-Computer-grou...

I am not sure if I follow you?  I have AD connected and use it to filter users for other policies.  If you were agreeing with me that a separate policy is the best way to block internet access and add the XP machine via their static IP, then we are on the same page.  Guess I wanted to check to see if there was a better way?  The URL filtering will allow me to filter by category. Right now I have a policy created that I set BLOCK on all types but not sure if that is best way on going about this. 

Hello,

Even a DHCP address with a reservation would be OK, as long as these IP's dont change. You wouldnt have to have a new URL policy, just one that blocks traffic from trust -> untrust. While you could get tricky with the config, I would say simple works best. 

 

Hope this helps!

Sorry...Your original question/statement didn't define all the potential variables so I was answering all of them...Albeit not very clearly.

 

You have a set of XP machines which you don't want them to access the Internet.  (These will have to have their own unique security rule unless you've got one already built which blocks access to the Internet)  

 

I was answering based upon them potentially being a dynamic IP / IP range.

 

@OtakarKlier 's suggestion is how I'd go.  If you were simpling from from "internal" to "Internet" then I wouldn't even bother with a URL filtering policy.  A simple L3 security policy with a "deny" action would be the easiest way to go.

 

 

Gotcha!  I dont know if I can use that method as of yet. Our PA is in transparent mode, as the only policies we have in place is for URL filtering and AV/Malware scanning. We have an older Cisco ASA that handles NAT.  The goal is to transition over to the PA, but getting there from where we are now ... 

 

Any case, your response helps me understand what I can do.  Thanks. 

Hello,

Even in vwire mode you are still able to accomplish this. Each side of the vwire should have its own zone, i.e. trust and untrust (these are just names, can be anmed anything as long as it makes sense to you). Lets say the PC's you want to block internet from are on the trust side. Just create 2 policies such as:

 

Untitled.jpg 

 

 

Just like the ASA the PAN reads rules top down left to right. So as long as the rule matches the appropriate action is taken.

 

Hope that helps.

 

@OtakarKlierCan we be friends? 🙂 Wow! That was easy enough and does exactly what I needed! Thanks!  Curious, is that basically what I need to do to make this a layer 3 device versus vwire, minus NAT rules?  Or a different way to ask, is all that is needed is to create the same NAT rules from the ASA on the PA and this is a L3 device or is there more to that? 

 

Just glad I could help. I know how new technologies and devices can be a bit frustrating at times. I also came from an ASA world and can say that I wont go back :). 

 

As for converting from vwire to a L3 device, yes there is more that needs to be accomplished. The way I have done it in the past is by having the two devices in parallel and manually entering the settings, NAT's and policies, from the ASA to the PAN. I do it this way so I can weed out the NAT's/Policies that are no longer needed. Also this helps me learn the new platform, in this case the PAN.

 

There is a migration tool available that many on this forum have used successfully (I have not). I would say the decision is yours based on not only NAT's/Policies but also objects and other configs you want to migrate over. I would say start a new post if you are looking for assistance with the Migration tool and someone who has used it will help you out.

 

Migration tool: https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

 

User guide: https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Migration-Tool-3-Info-and-Guide/ta-p/55...

 

Best practices: https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Migration-Tool-Best-Practices/ta-p/5665...

 

BTW welcome to the PAN world :).

Yeah, I would do it manually as well. The issue I have and I am assuming this; is making the change from vwire to L3 would require resetting the device (lossing all of my custom settings I have now; aka URL filtering rules.) Is that correct? 

Nope, you wont have to. all that stays...The changes come in with the Zones, Virtual Routers, Interface configurations etc.  

Any chance, this process is documented somewhere ? 

Hello,

Oviously these are just guides and each environment is different so caution is recommended.

 

https://live.paloaltonetworks.com/t5/General-Topics/Convert-from-vwire-to-layer-3-for-globalprotect/...

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-DHCP/ta-p/669...

 

There is not just one answer for this however.

 

Regards,

Excellent. Thanks. 

  • 2 accepted solutions
  • 6513 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!