This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Re-evaluating current structure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Re-evaluating current structure

MemphisBrothers
L3 Networker

‎03-05-2013 07:04 PM

I am currently managing users via AD groups but need a more granular approach.  I recently added a BYOD device manager to my network.  It divides my 2 main groups using a specific IP range.  If I use this method to manage users I will probably have to reset all my policies.  My question is should I start by blocking all processes then open just what we need.  Which rule should go first?

I have Students and faculy-Staff

Faculty-Staff can have network access, printers etc.   social media, streaming media, Netflix etc

Students with Auth machines can have network share access

No Social Media, games, (all the usual blocks)  limited (QOS) streaming media, no Netflix, Hulu TV.

What rules should I start with

0 Likes Likes
3 REPLIES 3

darren_g
L4 Transporter

‎03-06-2013 04:35 PM

Depends on how savage you want to be.

If you want to work up from a "deny everything" scenario, I would start with two rules for each affected zone (facility & students) or IP range.

First rule - allow selected applications. Remember, you need to start with the most OPEN rule first, because rules are processed sequentially, and if you make your first rule "deny everything", then all traffic will hit this rule, match, and nothing else will be processed.

Actually, you can do it with three rules - I'd do something like this

Source: Facility zone/IP range - Allow : required apps

Source : Student zone/IP range - Allow : required apps

Source : Any - Deny : Any

That way, anything which doesn't match the first two rules rull fall through to the "deny" rule and be blocked. The most open rule (the faculty one) should be the first security rule in your list, then the next most restrictive one (the student rule), then the complete deny rule.

If you want to be more open, it's a little more complex.

MemphisBrothers
L3 Networker
In response to darren_g

‎03-07-2013 07:01 AM

It is a step.  We have Spring Break coming up.  Perfect time to re design the policies.  I'll start with the Scorched earth policy and open from there.

0 Likes Likes

darren_g
L4 Transporter
In response to MemphisBrothers

‎03-07-2013 01:44 PM

If that's your policy, then go for it.

I work the other way around - I do three rules, but the final one is an allow any/any - but email me a report about it so I can slowly close loopholes.

I find that leads to less complaints when Fred Nerks favourite, business critical application suddenly stops working. 🙂

  • 2017 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks