06-01-2011 07:18 AM
Our school district has started purchasing mobile devices, the iPad2's and some Xooms.
I've noticed in the Monitor logs that they don’t always fall until the default rule? So far two have been using the Admin rule which opens all but Adult content. These devices are not logging into the domain, they do not requester with DNS but they do get their IP's from DHCP. My life would be great if there was an App for that but so far, none.
Can you tell me if there anyone is currently working of creating one or tell me what are the best ways to ensure these devices do not get access to any rule other than the default rule unless its one of Supers who are getting them, I do need to see how best to get them into their own rule also.
Anyone, I need help!
Thanks for any replies.
06-01-2011 08:29 AM
@FN: if a device is not going to logon to the domain (smartphone, tablet, etc) then I would advise using the Captive Portal feature of the PAN device to identify unknown users and create a user-to-ip-mapping for their device(s).
Documentation for Captive Portal setup can be found here:
https://live.paloaltonetworks.com/docs/DOC-1630
-Benjamin
06-01-2011 07:32 AM
FN:
If I didn't know better, I would say that the tablet users are sometimes picking up a DHCP address that was recently in use by a domain user which has not yet timed out the user-to-ip-mapping.
Your situation may require a re-examination of the timer settings for your Pan Agent to reduce the chances that a non-domain member device will gain access to the network and be incorrectly identified.
For example:
If your Pan Agent "Age-out Timeout" is set to 10 hours
User "Principal" logs in @ 9am and actively uses his computer until noon. @ Noon Principal goes offsite to a meeting and takes his laptop with him. @ this point in time the Age-out Timeout for Principal's user-to-ip-mapping has a minimum of 7 hours remaining (possibly longer if the user had performed any activities that renewed the timer value).
@ 1PM a tablet user requests a DHCP address and happens to get the IP that was being used by Principal during the morning. @ this point the Pan Device will still see this IP as mapped to "Principal" and apply policies accordingly.
Some environments do benefit from using Netbios or WMI probing to reduce the chances that the example scenario above will occur, but this will require that all domain member computers allow Netbios or WMI probing because a failed probe event will result in the IP being marked as _unknown_ and security policies will be applied based upon this identification.
-Benjamin
06-01-2011 08:12 AM
What would be the impact on the PA Devices and the AD servers the agent queries should the timer be set to a lower value?
Marc
06-01-2011 08:23 AM
That most helpful and I am looking into it. But some of these devices are going to used by staff who like myself have our own URL Filtering Profiles which allows greater internet access. Is there a way that Palo can see these devices for what they are and assign them to the correct URL Filtering Profile?
We locked down who has access to our access points so anyone with one of these devices will fall within a group with more internet access like our District Superintendent.
06-01-2011 08:26 AM
@MT: The firewall queries the PAN Agent(s) for updates every two seconds and when an unknown IP from a security zone with user identification enabled attempts to pass traffic through the device.
Enabling Netbios/WMI probing will increase the amount of traffic between the Pan Agent server and the subnets that it is configured to track for user-to-ip-mapping. The amount of traffic will be based upon the number of users who logon each day and the Netbios/WMI probe timer value.
-Benjamin
06-01-2011 08:29 AM
@FN: if a device is not going to logon to the domain (smartphone, tablet, etc) then I would advise using the Captive Portal feature of the PAN device to identify unknown users and create a user-to-ip-mapping for their device(s).
Documentation for Captive Portal setup can be found here:
https://live.paloaltonetworks.com/docs/DOC-1630
-Benjamin
06-01-2011 08:35 AM
At this time we know of no way for these devices to log into the domain (No app for that) I will take a look at this.
I take it that the Palo device can not see these devices for what they are in the ACC?
06-01-2011 08:45 AM
@FN:
Captive Portal will prompt the users of these devices to provide logon information in a web browser SSL session. Any smartphone or tablet will be able to perform this task.
If a user is not identified then the ACC reporting will only show the IP address.
-Benjamin
06-01-2011 08:50 AM
Thanks Benjamin,
I take it that only unknow user accounts will get the prompt? What happens when we have vistors who wouldnt have an account in the domain? We do not have or use anytype of guest account. We do sometimes allow a device like a laptop to connect through our network to the internet and use the Default profile.
06-01-2011 08:56 AM
@FN:
unknown IP addresses will get the Captive Portal page.
login authentication is done via local DB, RADIUS, LDAP or Kerberos (Kerb only an option on PANOS 4.0 and higher).
for users who are guests you would need to have a guest account available.
-Benjamin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
