blocking machines from AD-group

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
skemena
L1 Bithead

blocking machines from AD-group

Is it possible to block outgoing traffic, from an active-directory group containing machines?

blocking traffic by username works fine, but i want to use the machine ad group rather than entering all machines by fqdn or ip in an address group of objects on my pa.

i'm using a pa-3020 on pan-os 5.0.1

thanks


Accepted Solutions
sdurga
L6 Presenter

This is not possible as user-ip-mapping is done only for Active directory users and not the for the Computers. So it is not possible to block the traffic from machines in an AD group.

View solution in original post


All Replies
sdurga
L6 Presenter

This is not possible as user-ip-mapping is done only for Active directory users and not the for the Computers. So it is not possible to block the traffic from machines in an AD group.

View solution in original post

mikand
L6 Presenter

What do you think is the probability to see this in future or is there perhaps already an active request for enhancement available?

Because it would be really nice if one could combine userid and machineid when setting up rules.

skemena
L1 Bithead

this whould be a really nice feature. i've only seen that on my checkpoint systems, appliances from CS or BC are missing that feature too.

DIEHARD
L0 Member

Crap this thread is from 2013 and Palo appears to still not be able to map AD Machines for use?

That is going to make this migration from CheckPoint a lot more work and completely change our processes for allowing the help desk to take care of server internet access requests without the network group needing to be involved!

 

Honestly I am not sure why this hasn't been done as the CheckPoint Identity Collector gathers AD security the same way as the Palo Windows User-ID Agent is... CheckPoint gets the needed information and is it able to do AD Machine mappings so Machines and Machine Groups can be used in access policies.

 

Shouldn't the Palo User-ID Agent be capable of the same?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!