Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Create User based Internet access rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Create User based Internet access rule

L0 Member

Hi, 

 

Could someone please advise how I can limit internet access by user? 

 

I would like the below 

 

Block level 1 - blocks the bad stuff but allows everything else 

Block level 2 - blocks everything apart from an allow list 

 

I believe I have set Enable User-ID up and I have set 2 groups within AD and attached the users to those groups. I seem to be missing the last step though of linking the AD groups to the webfiltering object 

 

Thanks 

2 REPLIES 2

L6 Presenter

@Blueearthfoods wrote:

Hi, 

 

Could someone please advise how I can limit internet access by user? 

 

I would like the below 

 

Block level 1 - blocks the bad stuff but allows everything else 

Block level 2 - blocks everything apart from an allow list 

 

I believe I have set Enable User-ID up and I have set 2 groups within AD and attached the users to those groups. I seem to be missing the last step though of linking the AD groups to the webfiltering object 

 

Thanks 


 

 

Are your level 1 and 2 blocks intended to be applied to two distinct user groups?  

 

To leverage AD controls you need to configure these areas:

 

Device --> Authentication Profile

Device --> User Identification

Device --> Server Profiles --> LDAP

L5 Sessionator

Hey @Blueearthfoods

 

As a followup to @Brandon_Wertz message, you need to confirm you have the following User-ID concepts in place.

 

1. Can the firewall map IP addresses to usernames?

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users

 

2. Can the firewall map those usernames to groups?

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups

 

If both are met, you can simply build your security policy as you normally would but under the "Source User" you can specify that AD group.

 

At a high level for your requirement, you would have something like.

 

Security policy to allow traffic outbound if the source user group is "block level 1", attach the relevant security profiles to the rule to block the "bad stuff" including a URL filtering profile which is blocking the recommended categories: Phishing, Malware, Command and Control etc.

 

https://docs.paloaltonetworks.com/best-practices/8-1/internet-gateway-best-practices/best-practice-i...

 

For the second requirement, you would create a new custom URL category for your whitelist, add all your sites there.

Add a new policy to allow traffic if they are going to this URL category for users in group "block level 2"

Add a new policy below this policy to block everything from the user group "block level 2"

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-c...

 

Cheers,

Luke.

 

  • 3728 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!