Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-14-2013 01:28 AM
Is it possible to block outgoing traffic, from an active-directory group containing machines?
blocking traffic by username works fine, but i want to use the machine ad group rather than entering all machines by fqdn or ip in an address group of objects on my pa.
i'm using a pa-3020 on pan-os 5.0.1
thanks
01-14-2013 09:55 AM
This is not possible as user-ip-mapping is done only for Active directory users and not the for the Computers. So it is not possible to block the traffic from machines in an AD group.
01-14-2013 09:55 AM
This is not possible as user-ip-mapping is done only for Active directory users and not the for the Computers. So it is not possible to block the traffic from machines in an AD group.
01-14-2013 11:33 AM
What do you think is the probability to see this in future or is there perhaps already an active request for enhancement available?
Because it would be really nice if one could combine userid and machineid when setting up rules.
01-15-2013 12:05 AM
this whould be a really nice feature. i've only seen that on my checkpoint systems, appliances from CS or BC are missing that feature too.
03-24-2021 05:59 AM
Crap this thread is from 2013 and Palo appears to still not be able to map AD Machines for use?
That is going to make this migration from CheckPoint a lot more work and completely change our processes for allowing the help desk to take care of server internet access requests without the network group needing to be involved! 😞
Honestly I am not sure why this hasn't been done as the CheckPoint Identity Collector gathers AD security the same way as the Palo Windows User-ID Agent is... CheckPoint gets the needed information and is it able to do AD Machine mappings so Machines and Machine Groups can be used in access policies.
Shouldn't the Palo User-ID Agent be capable of the same?
05-06-2021 07:34 PM
Could you also please provide me any documentation on which I can divert the traffic from a group of users in Active Directory to a specific network.
We have two internet connection and I am trying to splitting the group of users in Active Directory to different internet connection.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
