machine authentication


hello!

we have a need to identify user machines associated with a domain. specifically, we want to create security policies based upon domain membership. is that even possible, and how would we achieve this functionality?

thnx!

L2 Linker


so basically, just use the userid agent as usual...

when creating a security policy, under source user, append the $ sign at the end (i.e., mydomain\computername$)

but what if we do not want to list every single computer, just filter the domain? as far as i know, there is no wildcard for this, you can not enter mydomain\*$

L7 Applicator

Hello Sir,

You can create a user group in your AD server, which will include all domain users, and map it under Device >> User Identification >> Group Mapping. After that, you can refer to that group under the security policy.

Thanks


i feel like the message is not really going through...

i am not asking about identification of users (humans), i'm asking about identifying computers (machines) that are domain members. i would like to have a set of policies applied for all COMPUTERS that are members and a different set for non-domain COMPUTERS (for example guests on the network)

Not applicable

Are you trying to map IPs to both users and computers, so that if it is the computer making the request, it shows up as the computer account instead of the user that was last logged in/cached on that IP? Just trying to help clarify, so I don't actually have an answer for the question, but this is what I understood from your original question.


yes, that is what i'm trying to do! i am not interested in the logged in user, just the computer (and they are NOT terminals).

i know it sounds silly, but customers are silly sometimes....

L3 Networker

One way to identify if a PC is domain or non-domain is to make use of HIP profiles and use the HIP profile in the security policy. To get the HIP report, you will have to configure GlobalProtect for an internal gateway. You will need a GlobalProtect portal license for internal gateways.

https://live.paloaltonetworks.com/docs/DOC-3930 - How to Configure Internal GlobalProtect Only

https://live.paloaltonetworks.com/docs/DOC-6066 - Configuring HIP profiles to use in security policies

Not applicable

HIP has nothing to do with the request. What he is looking to do is to differentiate traffic that is initiated by the SYSTEM account, and other non user accounts, versus what is initiated by the user accounts. This way he can have a policy that says "group of computer" can access APP, but the user initiated traffic doesn't necessarily have to be allowed to do that.

It's one thing to associate a user to an IP, which is what is currently done. What he is looking for is to associate TRAFFIC to a user.
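An added illustration of the thread's main point, not code from the original posts or from Palo Alto Networks: machine accounts surface in User-ID as `domain\hostname$`, so a mapping table can be partitioned into hosts that present a domain computer account, hosts that only show a human user, and hosts with no mapping at all (which is where guest or non-domain machines land). The mapping tuples and IP list are constructed samples and do not reproduce the firewall's real CLI output format; `mydomain` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of IP-to-user mappings (illustrative, not real CLI output).
SAMPLE_MAPPINGS = [
    ("10.0.1.5", "mydomain\\ws-001$"),  # machine account on ws-001
    ("10.0.1.5", "mydomain\\alice"),    # interactive user on the same host
    ("10.0.1.6", "mydomain\\ws-002$"),  # machine account only
    ("10.0.1.7", "mydomain\\bob"),      # user mapping, no machine account seen
]
# Constructed list of source IPs seen in traffic, including an unmapped guest.
OBSERVED_SOURCES = ["10.0.1.5", "10.0.1.6", "10.0.1.7", "10.0.9.42"]

# domain\name$ : exactly one backslash, name ends with the machine-account '$'
MACHINE_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>[^\\$]+)\$$")


def is_domain_machine(user, domain):
    """True if 'user' is a computer account belonging to 'domain'."""
    m = MACHINE_RE.match(user)
    return m is not None and m.group("domain").lower() == domain.lower()


def classify_sources(mappings, sources, domain):
    """Map each source IP to 'domain-machine', 'user-only' or 'unmapped'.

    'unmapped' is the bucket a non-domain or guest host falls into, which is
    what a separate policy for non-domain computers has to target.
    """
    by_ip = defaultdict(list)
    for ip, user in mappings:
        by_ip[ip].append(user)
    result = {}
    for ip in sources:
        users = by_ip.get(ip, [])
        if any(is_domain_machine(u, domain) for u in users):
            result[ip] = "domain-machine"
        elif users:
            result[ip] = "user-only"
        else:
            result[ip] = "unmapped"
    return result


def policy_source_users(mappings, domain):
    """Explicit source-user entries for a policy: no wildcard form exists,
    so each machine account has to be listed (or provided via an AD group)."""
    return sorted({u for _, u in mappings if is_domain_machine(u, domain)})
```

The growing explicit list returned by `policy_source_users` is exactly why the AD computer-group route via group mapping scales better than listing hosts by hand.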
