Create Policy based on workstation name and AD group membership?


L1 Bithead

I'm wondering if there is a way to create a policy based on workstations in a certain AD group. 

Here's what I'm trying to accomplish...  I want to have a security group in our Active Directory, say "Privileged Workstations" for a name.  Any workstation that is a member of the "Privileged Workstations" group will have a static IP and will need to have access to applications that are outside of our normal scope of allowed applications.  My goal is to set up a sort of self-service group for our server team so if a server needs access to LogMeIn, for example, they can simply add the server to the AD group and I won't need to make any changes on my Palo Alto itself.  I do not want to write my Policy based on username as the username for the servers is not consistently identified (unless there is a way to statically create a username to IP mapping?).

Has anyone set anything up like this before?  Maybe I'm just missing something really easy, or maybe this just can't be accomplished. 

Any help would be appreciated.  Thanks.



L4 Transporter

Maybe you could create a "dynamic address object" and use it in the firewall rule. Then craft a script that reads the AD group and writes to the dynamic address object via the XML API.
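One way to build the script this reply describes, written as an added example rather than code from the poster or from Palo Alto Networks: it takes the current members of the AD group (here a constructed hostname-to-IP table standing in for an LDAP query plus DNS lookup), diffs them against the membership saved from the previous run, and builds the PAN-OS User-ID XML API `uid-message` that registers the tag `privileged-workstations` on new IPs and unregisters it from IPs that left the group. A Dynamic Address Group whose match criterion is that tag, used as the source of the security rule, then follows the AD group without any rule changes. The firewall hostname, API key and tag name are assumptions; the request is built but not sent so the block runs offline.

```python
"""Sync AD group membership into a PAN-OS Dynamic Address Group tag (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Tag the Dynamic Address Group matches on (assumed name, configure it on the firewall).
DAG_TAG = "privileged-workstations"

# Constructed sample data: hostnames read from the AD group's "member" attribute,
# already resolved to their static IPs. A real run would use an LDAP client plus DNS.
SAMPLE_CURRENT = {"srv-app01.corp.example": "10.0.20.11",
                  "srv-app02.corp.example": "10.0.20.12"}
# Constructed state persisted from the previous run: srv-old has since left the group.
SAMPLE_PREVIOUS = {"srv-app01.corp.example": "10.0.20.11",
                   "srv-old.corp.example": "10.0.20.50"}


def diff_membership(previous, current):
    """Return (ips_to_register, ips_to_unregister) so the firewall mapping mirrors
    the group exactly: a server removed from the group loses the tag, it is not leaked."""
    prev_ips, cur_ips = set(previous.values()), set(current.values())
    return sorted(cur_ips - prev_ips), sorted(prev_ips - cur_ips)


def build_uid_message(register_ips, unregister_ips, tag=DAG_TAG):
    """Build the User-ID XML API message that registers/unregisters IP-to-tag mappings."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    payload = ET.SubElement(root, "payload")
    for section, ips in (("register", register_ips), ("unregister", unregister_ips)):
        if not ips:
            continue  # omit empty sections; the API rejects nothing but it keeps the log readable
        node = ET.SubElement(payload, section)
        for ip in ips:
            entry = ET.SubElement(node, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_request(firewall_host, api_key, uid_xml):
    """Assemble the XML API call (type=user-id). Host and key are placeholders here.
    Use a dedicated admin role limited to the User-ID API for the key, and send
    the request over HTTPS with certificate verification enabled."""
    query = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return f"https://{firewall_host}/api/?{query}"


def parse_entries(uid_xml):
    """Return [(action, ip, tag), ...] from a uid-message, for auditing what was sent."""
    root = ET.fromstring(uid_xml)
    out = []
    for section in ("register", "unregister"):
        node = root.find(f"payload/{section}")
        if node is None:
            continue
        for e in node.findall("entry"):
            out.append((section, e.get("ip"), e.findtext("tag/member")))
    return out


if __name__ == "__main__":
    reg, unreg = diff_membership(SAMPLE_PREVIOUS, SAMPLE_CURRENT)
    msg = build_uid_message(reg, unreg)
    print(msg)
    print(parse_entries(msg))
    # Sending would be urllib.request.urlopen(build_api_request(...)); omitted so this runs offline.
    print(build_api_request("fw.example.internal", "API_KEY_PLACEHOLDER", msg))
```

Run the script from a scheduled task with the previous membership saved to disk between runs; the unregister half is what makes removing a server from the AD group actually revoke its access, and logging `parse_entries()` output each run gives the server team an audit trail of which IPs gained or lost the tag.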

L4 Transporter

hi Paul,

When a user wants to connect to, for example, LogMeIn, then he is known on the AD server.  The security group in the policy can be used because the group is also known on the AD server (the user has to be a member of this group).

The PAN-Agent looks into the log of the AD server (it is not necessary to use an AD server) and sends this data to the Palo Alto, so the PA knows the IP and no user or IP address has to be used.  Maybe the service or the app is changing.

Cheers Klaus

Thanks for the idea, this seems like it would probably work for me.  I'm not on 5.x yet but I'll look into an upgrade to potentially use this solution.

Hi Klaus -

Maybe my example of using LogMeIn wasn't the best example to use in this situation because that may require a user to go out and manually initiate a connection.  What we'll really be doing is allowing a vendor to remotely connect to certain PCs in our company via TeamViewer or a similar app.  It's possible that these machines won't actually be logged into by a user for months (they just sit there pulling and pushing data) and even when service is needed a user probably won't be logging into the machine before support tries to connect remotely.  Because users won't log in often (if at all) any solution using a username won't work for us since the username will most likely .

Maybe I misunderstood the solution you're proposing, if so just let me know.

Thanks for the response.

