Question about outbound hostname restrictions


L1 Bithead

I'm familiar with user-based restrictions to outbound resources, such as YouTube, but is it possible, with say a regex expression, to block access to a site like YouTube for a list of machines whose names include something like "kiosk", as in cakiosk01, cokiosk02, flakiosk03, etc.?


7 REPLIES

Cyber Elite

Hello,

In the past what I have done is put the kiosks/guest machines onto their own VLAN and then write the policy around the source IPs.


Regards,

Cyber Elite

@murphyca,

Not something that you could do on the box. The VLAN option that @OtakarKlier presented is a good option. Otherwise you could simply collect the DHCP logs and look at which IP the machines are grabbing and add them as an address-object with a given tag; this tag could then be used to build out a dynamic address-group. Doing this programmatically would likely be best.

As an example:

Schedule some sort of scripting language like Python to scour the DHCP logs for the machine name. Once the machine name is found grab the IP from the log and use that value to update the address object with the recorded IP through the API. Then you just need to schedule the script to pull the DHCP logs every once in a while to keep everything updated. 
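As an added illustration of the DHCP-log-to-dynamic-address-group approach described above (example code, not from the thread or from Palo Alto Networks): the DHCP log lines are constructed, in a simplified Windows DHCP audit-log layout, and the `<uid-message>` register XML is assumed to be the PAN-OS User-ID API format for tagging IPs into a dynamic address group.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample DHCP audit-log lines (ID,Date,Time,Event,IP,Hostname,MAC);
# simplified, not real data.
SAMPLE_DHCP_LOG = """\
10,06/01/24,08:00:01,Assign,10.10.1.23,cakiosk01.corp.example,00AABBCCDD01
10,06/01/24,08:00:05,Assign,10.10.2.40,cokiosk02.corp.example,00AABBCCDD02
10,06/01/24,08:01:11,Assign,10.10.3.17,hrdesk07.corp.example,00AABBCCDD03
11,06/01/24,08:02:30,Renew,10.10.4.9,flakiosk03.corp.example,00AABBCCDD04
10,06/01/24,08:03:00,Assign,10.10.1.23,cakiosk01.corp.example,00AABBCCDD01
"""

# Matches any short hostname that contains "kiosk" followed by digits,
# e.g. cakiosk01, cokiosk02, flakiosk03 (the naming scheme from the question).
KIOSK_HOST = re.compile(r"kiosk\d+", re.IGNORECASE)


def kiosk_ips(log_text):
    """Return {hostname: ip} for leases whose short hostname looks like a kiosk.
    Later lines win, so a renewed or changed lease replaces an older mapping."""
    found = {}
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 6:
            continue  # skip malformed lines rather than fail the whole run
        ip, fqdn = fields[4].strip(), fields[5].strip()
        host = fqdn.split(".")[0]
        if KIOSK_HOST.search(host):
            found[host.lower()] = ip
    return found


def build_register_payload(ips, tag="kiosk"):
    """Build the User-ID API XML that registers each IP with a tag.
    Assumption: this is the PAN-OS <uid-message> register format that feeds
    dynamic address group membership; check it against your PAN-OS version."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in sorted(ips):
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    print(build_register_payload(set(kiosk_ips(SAMPLE_DHCP_LOG).values())))
```

The resulting XML would be sent to the firewall's User-ID API endpoint (assumed here to be `/api/?type=user-id` with the payload in the `cmd` parameter), and a dynamic address group matching the tag `kiosk` is then used as the source in the URL-filtering policy.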

L7 Applicator

Do you mean to block from a specific source by client hostname? The client's hostname is never sent as part of their HTTP request, so there would be nothing to trigger on there.


I'd recommend setting up user-id so that you have the username logged into the kiosks and can simply apply a URL filtering policy. 


If you're going TO a site with the name "kiosk" in the host header, you can set up a custom vulnerability or spyware signature using the host header as the context and a regex of "..kiosk0.+" (not tested) that could trigger for you.

@murphyca What you are actually asking for is - as already mentioned - not possible. But depending on the configuration of your network and these computers there are some ways for this:

  • DHCP reservations so that these computers always get the same IPs and you then could create address objects for
  • Separate VLAN for these computers as written by @OtakarKlier (probably a good idea anyway to separate these computers from the rest of your network)
  • Configure a default user that is logged in automatically, so you will be able to write user-based rules (as mentioned by @gwesson)
  • Parse the DHCP logs to create dynamic address groups which you can use as source in your policy (as proposed by @BPry)
  • Use FQDN address objects which the firewall will update according to the TTL of the DNS entry
  • Configure the computers' browsers to use custom user agent strings and create a custom application that matches on this user agent string

The challenge is over 400 remote locations feeding through corporate. The architecture would be difficult to change from that perspective. Possible, but difficult.

In speaking to PAN support, it looks like we'd have to do a reverse DNS lookup for the internal hosts, which may be resource intensive. I will explore the idea of scraping the DHCP configuration though. That should be less resource intensive. The client state will be difficult to change at the moment. May be worth investigating though down the road as an alternative roadmap.

Hello,

One other thing I have done in the past is to use User-ID and have those kiosks and desk users excluded. What I mean is create a web browsing policy and select the source user as /domain-users; this way all domain users get the less restrictive policy. Then a second policy after that one for everything else with a more restrictive policy. So if a user just sees a kiosk and opens the browser, they get the more restrictive policy since that IP is not mapped to a User-ID.


Hope that makes sense.
