How to block unknown machines from traversing the network


L2 Linker

Hi all. My question is how can I create a rule that blocks traffic from a computer I brought from home as opposed to from my work domain?

I want to be able to see people that bring their own devices onto the network and then block access to the network as a whole. Is this do-able without Captive Portal?

Any help would be appreciated 🙂

Cyber Elite

Do you have User-ID configured for your work domain?

If yes, then you can deny unknown users access to internal resources and the internet (I would still permit update applications so computers can download updates even if no-one has logged in).

You don't need to use Captive Portal for the work domain, as there are so many different options to get User-ID.

[screenshot: User-ID.png]

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

THANK YOU!!

I do have User-ID up and running and I thought that I had created a rule to deny the Source User 'Unknown' to all zones, but that didn't work. I was able to bring a home machine in and surf the network.

Essentially my rule said:
Source Zone: Trust
Source IP: ANY
Destination Zone: Trust
Destination IP: ANY
User: Unknown
Application: Any
Service: Any

I know I'm missing something. Hoping I can get there tomorrow 🙂

You should allow any user to get DHCP and DNS and to access the domain controllers to authenticate before you block anything else.

Also, what are your test machine and destination machine IPs?

If they are in the same subnet, then this traffic does not pass through the firewall.

Do you have separate zones to test with? For example, from the users zone to the servers zone.

I am allowing all users to get to DHCP, DNS, and access domain controllers to authenticate, but I'm also being told not to do Captive Portal 😕

I have two machines (one domain-joined and one from home) and both can get on the network and go anywhere.

I have three zones to test with and then the Untrust zone.

I thought that by setting the action to Deny for Unknown Users in every zone I would be able to get it taken care of that way. However, that didn't work. Now I'm thinking it is because I had the rule before the DNS, DHCP, WINS, and Domain Controller rules.

In your initial example both Source and Destination zones were the same.

Source Zone: Trust
Destination Zone: Trust

In this case the traffic usually does not pass through the firewall, as traffic inside the same subnet goes from source to destination through the switch, not the firewall.

Change the destination zone to Untrust and try to access the internet.

I did a similar test and it works fine.

[screenshots: ping 1.PNG, ping 2.PNG]

Community Team Member

Hi @Roshawn,

I might be going overboard here, but you could configure HIP-based policy enforcement to do this.

That said, it requires additional licenses and quite a bit of extra configuration:

Use host information in policy enforcement

Cheers,

-Kiwi

LIVEcommunity team member, CISSP

@Roshawn,

It honestly sounds like you're asking a little bit too much from your firewall, as far as blocking interzone communication goes. The way that @Raido_Rattameister mentioned works great as long as the firewall can see the traffic. The example rule that you have laid out really isn't going to work, as the traffic from 'Trust' to 'Trust', or any interzone traffic in general, isn't going to traverse the firewall in most situations.

So as an example lets say I have the following zones on my firewall 'Untrust', 'Trust', 'DMZ', and a 'Datacenter' zone. The rules that I would really want to be put into the firewall would look something like this. 

set rulebase security rules Test from Trust to [ Untrust DMZ Datacenter ] source any source-user unknown destination any application any service any action deny log-end yes

The above rule would deny any traffic that isn't tied to a user id from accessing the untrust, DMZ, or Datacenter zones. You could put your Trust zone in this rule as well, but again in most situations you won't see any Trust to Trust traffic anyways. 

Depending on how the rest of your network looks, you could then go through and make the same rule but set the from or source zone as another zone. I would be a bit more careful when doing this, as things like the DMZ zone may not actually have a user-id associated with the servers, same for the Datacenter zone. Essentially when doing this you need to be sure that the zone you are disallowing without a user-id mapping doesn't actually contain any devices that wouldn't serve a user-id and are still expected to maintain connectivity.
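The two points made in this thread, that the firewall only evaluates traffic that is actually routed through it and that the bootstrap allows (DHCP, DNS, domain controllers) must sit above the deny-unknown rule, can be checked with a small first-match model. The following Python is an added example written for this page, not PAN-OS code or anything the posters supplied; the zone names, subnets, user name, App-ID list and the rendered 'set' syntax are assumptions to be verified against your own PAN-OS version.

```python
"""Toy first-match model of a zone-based security rulebase (added example).

Constructed to illustrate the rule ordering discussed in this thread; it is not
PAN-OS code. Zone names, subnets, users and App-ID names below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_subnet: str
    dst_subnet: str
    user: Optional[str]   # None = no User-ID mapping for the source IP ("unknown")
    app: str


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    source_user: str      # "any", "known-user" or "unknown", as in PAN-OS
    applications: frozenset
    action: str           # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        if f.src_zone not in self.from_zones or f.dst_zone not in self.to_zones:
            return False
        if self.source_user == "known-user" and f.user is None:
            return False
        if self.source_user == "unknown" and f.user is not None:
            return False
        return ANY in self.applications or f.app in self.applications


def reaches_firewall(f: Flow) -> bool:
    """Hosts on one subnet talk through the switch; only routed traffic hits the
    firewall. Simplification: private VLANs or other L2 tricks are ignored."""
    return f.src_subnet != f.dst_subnet


def evaluate(rulebase, f: Flow):
    """First matching rule wins; otherwise the PAN-OS defaults apply
    (intrazone-default allow, interzone-default deny)."""
    if not reaches_firewall(f):
        return ("not-inspected", "switched-locally")
    for r in rulebase:
        if r.matches(f):
            return (r.action, r.name)
    if f.src_zone == f.dst_zone:
        return ("allow", "intrazone-default")
    return ("deny", "interzone-default")


# App-IDs an unmapped host needs before anyone can log on (assumed list).
BOOTSTRAP_APPS = frozenset({"dhcp", "dns", "kerberos", "ldap", "msrpc", "ms-ds-smb"})
USER_ZONE = frozenset({"Trust"})
OTHER_ZONES = frozenset({"Untrust", "DMZ", "Datacenter"})

ALLOW_BOOTSTRAP = Rule("allow-domain-bootstrap", USER_ZONE, frozenset({"Datacenter"}),
                       ANY, BOOTSTRAP_APPS, "allow")
DENY_UNKNOWN = Rule("deny-unknown-users", USER_ZONE, OTHER_ZONES, "unknown",
                    frozenset({ANY}), "deny")
ALLOW_KNOWN = Rule("allow-known-users", USER_ZONE, OTHER_ZONES, "known-user",
                   frozenset({ANY}), "allow")

RULEBASE = [ALLOW_BOOTSTRAP, DENY_UNKNOWN, ALLOW_KNOWN]     # bootstrap first
MISORDERED = [DENY_UNKNOWN, ALLOW_BOOTSTRAP, ALLOW_KNOWN]   # deny shadows bootstrap


def blocked_bootstrap_apps(rulebase, dc_subnet="10.1.50.0/24"):
    """Bootstrap App-IDs an unmapped Trust host (assumed 10.1.10.0/24) cannot reach."""
    def probe(app):
        return Flow("Trust", "Datacenter", "10.1.10.0/24", dc_subnet, None, app)
    return sorted(a for a in BOOTSTRAP_APPS if evaluate(rulebase, probe(a))[0] != "allow")


def _lst(values):
    vals = sorted(values)
    return vals[0] if len(vals) == 1 else "[ " + " ".join(vals) + " ]"


def render_set_commands(rulebase):
    """Render each rule in the 'set rulebase security rules ...' form quoted in the
    thread (assumed syntax; check it against your PAN-OS version before use)."""
    return [
        f"set rulebase security rules {r.name} from {_lst(r.from_zones)} "
        f"to {_lst(r.to_zones)} source any destination any source-user {r.source_user} "
        f"application {_lst(r.applications)} service any action {r.action} log-end yes"
        for r in rulebase
    ]


if __name__ == "__main__":
    for label, rb in (("correct order", RULEBASE), ("misordered", MISORDERED)):
        print(label, "- blocked bootstrap apps:", blocked_bootstrap_apps(rb))
    for line in render_set_commands(RULEBASE):
        print(line)
```

Running it prints which bootstrap App-IDs an unmapped host can no longer reach under each ordering, then the rendered rule lines. The model also exposes the caveat from this reply: a Trust-to-Trust flow between two different subnets does route through the firewall and, with no Trust-to-Trust rule, lands on intrazone-default allow, so add Trust to the deny rule's destination zones if that path exists in your network.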

@Raido_Rattameister, @kiwi and @BPry I appreciate all the help 🙂 I figured it would be an uphill battle with this specific task. I appreciate all the help and insight into my issue. I will update you all with what happens going forward 🙂

We looked at this scenario and found that a product like Cisco ISE or a similar Network Access Control product would do this. Cost prohibitive for us, so we just have to live with it for now. I would much prefer to know who is coming and going on the wired / wireless networks here.

You could force intrazone traffic through the firewall with private VLANs, but they can cause other issues.

For example, I could not get Lync working with private VLANs some years ago, and it looks like Lync was not designed to work that way.

https://social.technet.microsoft.com/Forums/ie/en-US/a41db525-f206-412d-8b24-3a6ff3f7efc8/lync-and-p...