Create User based Internet access rule



L0 Member

Hi,

Could someone please advise how I can limit internet access by user?

I would like the below:

Block level 1 - blocks the bad stuff but allows everything else

Block level 2 - blocks everything apart from an allow list

I believe I have set Enable User-ID up, and I have set up 2 groups within AD and attached the users to those groups. I seem to be missing the last step, though, of linking the AD groups to the web filtering object.

Thanks

2 REPLIES

L6 Presenter


Are your level 1 and 2 blocks intended to be applied to two distinct user groups?

To leverage AD controls you need to configure these areas:

Device --> Authentication Profile

Device --> User Identification

Device --> Server Profiles --> LDAP

L5 Sessionator

Hey @Blueearthfoods,

As a follow-up to @Brandon_Wertz's message, you need to confirm you have the following User-ID concepts in place.

1. Can the firewall map IP addresses to usernames?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users

2. Can the firewall map those usernames to groups?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups

If both are met, you can simply build your security policy as you normally would, but under "Source User" you can specify that AD group.

At a high level for your requirement, you would have something like:

Security policy to allow traffic outbound if the source user group is "block level 1"; attach the relevant security profiles to the rule to block the "bad stuff", including a URL filtering profile which blocks the recommended categories: Phishing, Malware, Command and Control, etc.

https://docs.paloaltonetworks.com/best-practices/8-1/internet-gateway-best-practices/best-practice-i...

For the second requirement, you would create a new custom URL category for your whitelist and add all your sites there.

Add a new policy to allow traffic if they are going to this URL category for users in group "block level 2".

Add a new policy below this policy to block everything from the user group "block level 2".

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-c...

Cheers,

Luke.
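The two-tier design described in the reply above, written out as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the thread or from Palo Alto Networks documentation; the zone names `trust`/`untrust`, the `corp` domain prefix, the profile name `block-bad-categories` and the allow-list sites are placeholders, and the group strings must match exactly what the firewall reports in the `show user group` output, which is why those checks come first.

```text
# --- Operational mode: confirm the two User-ID prerequisites from the reply ---
show user ip-user-mapping all              # step 1: are client IPs mapped to usernames?
show user group list                       # step 2: are the AD groups learned? copy the exact name
show user group name "corp\block level 2"  # placeholder group name; lists its members

configure

# Custom URL category holding the allow list for "block level 2" users (placeholder sites)
set profiles custom-url-category level2-allow-list description "Allow list for block level 2 users"
set profiles custom-url-category level2-allow-list list [ example.com www.example.com *.example.org ]

# Level 1: allow outbound and let the security profiles block the bad stuff.
# block-bad-categories is a placeholder URL Filtering profile: set Phishing, Malware,
# Command and Control and the other best-practice categories to block in it first.
set rulebase security rules Level1-Outbound from trust to untrust source any destination any
set rulebase security rules Level1-Outbound source-user [ "corp\block level 1" ]
set rulebase security rules Level1-Outbound application any service application-default category any action allow
set rulebase security rules Level1-Outbound profile-setting profiles url-filtering block-bad-categories

# Level 2a: allow only the allow-list category for these users ...
set rulebase security rules Level2-AllowList from trust to untrust source any destination any
set rulebase security rules Level2-AllowList source-user [ "corp\block level 2" ]
set rulebase security rules Level2-AllowList application any service application-default category level2-allow-list action allow

# Level 2b: ... then deny everything else from the same group. This rule must sit below 2a.
set rulebase security rules Level2-DenyRest from trust to untrust source any destination any
set rulebase security rules Level2-DenyRest source-user [ "corp\block level 2" ]
set rulebase security rules Level2-DenyRest application any service any category any action deny
set rulebase security rules Level2-DenyRest log-end yes

# Rules are evaluated top-down, first match wins, so enforce the order explicitly
move rulebase security rules Level2-DenyRest after Level2-AllowList
commit
```

Traffic from an IP with no user mapping matches neither `source-user` rule and falls through to whatever sits below, so verify the mapping output from step 1 before relying on the group rules.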

 
