Restricting users to Internet only


L3 Networker

How can I restrict a certain group (IP range\VLAN) to internet-only access? I don't want them to get to internal network shares with unfamiliar devices. We use Aruba ClearPass to authenticate and assign IPs, and the PA-500 sits on the perimeter. I know the answer is not the PA but probably a mixture of my other network devices.

ClearPass Device Manager and Juniper 4200 switches, with Cisco switches in the IDF.

2 REPLIES

L7 Applicator

Hello,

While those groups (IP range\VLAN) are accessing internal resources, is the same traffic passing through the PAN firewall?

If so, then you can create a policy to block internal resources based on user group or source IP subnet.

[Attached screenshot: security-policy.JPG]

Thanks

L7 Applicator

If the layer 3 traffic is occurring on the Juniper or Cisco switches, you would need to implement the restrictions at that point in the traffic path. As Hulk notes, if the traffic reaches the Palo Alto before the destination, then a rule there can restrict the access. But it sounds like you have internal layer 3 connections that are permitted without reaching the Palo Alto.

Both Cisco and Juniper switches perform this function via packet-based (not session-based) filters. You create the allow filter and apply it to the layer 3 interface on the switch.

On the Juniper switches you would use the firewall filters feature, applied to the RVI (Routed VLAN Interface) on the switch.

Juniper Documentation

Firewall Filters Configuration Guide - Technical Documentation - Support - Juniper Networks

Free Day One book on the feature:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/conf...

On the Cisco switches the equivalent feature is ACLs (access control lists).

Cisco Documentation

Configuring IP Access Lists - Cisco Systems

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
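The approach described in this reply, written out as an added example (not configuration from the thread or from Juniper's documentation): a stateless Junos firewall filter applied inbound on a guest RVI on an EX-series switch, so the guest VLAN can reach the internet and the DHCP/DNS server but no other internal prefix. The VLAN number (50), guest subnet (10.50.0.0/24), the RFC 1918 ranges standing in for "internal", and the DHCP/DNS server address (10.0.0.53) are all assumed values.

```junos
## Added example, not from the original thread. Assumes guest VLAN 50 on vlan.50
## (pre-ELS Junos naming), internal networks inside RFC 1918 space, and a single
## DHCP/DNS server at 10.0.0.53. Adjust the prefixes to the real addressing plan.
set policy-options prefix-list INTERNAL-NETS 10.0.0.0/8
set policy-options prefix-list INTERNAL-NETS 172.16.0.0/12
set policy-options prefix-list INTERNAL-NETS 192.168.0.0/16

## Term 1: guests still need DNS (udp/53) and unicast DHCP renewals (udp/67)
## to the infrastructure server, which sits inside an "internal" prefix.
## Broadcast DHCP discovers go to 255.255.255.255, which no later term blocks.
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INFRA from destination-address 10.0.0.53/32
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INFRA from protocol udp
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INFRA from destination-port 53
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INFRA from destination-port 67
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INFRA then accept

## Term 2: anything else aimed at an internal prefix is counted and dropped.
## The counter gives a quick way to confirm the filter is matching guest traffic.
set firewall family inet filter GUEST-INTERNET-ONLY term BLOCK-INTERNAL from destination-prefix-list INTERNAL-NETS
set firewall family inet filter GUEST-INTERNET-ONLY term BLOCK-INTERNAL then count guest-to-internal
set firewall family inet filter GUEST-INTERNET-ONLY term BLOCK-INTERNAL then discard

## Term 3: everything that remains is public internet traffic; let it through
## to the default route (the PA-500 on the perimeter still sees and polices it).
set firewall family inet filter GUEST-INTERNET-ONLY term ALLOW-INTERNET then accept

## Apply the filter inbound on the guest RVI. Because the filter is stateless,
## return traffic for permitted sessions arrives on other RVIs and is unaffected.
set interfaces vlan unit 50 family inet filter input GUEST-INTERNET-ONLY
```

After committing, `show firewall filter GUEST-INTERNET-ONLY` shows the `guest-to-internal` counter, which should increment when a guest device tries to reach an internal share. The same logic maps onto a Cisco extended ACL applied with `ip access-group ... in` on the corresponding SVI.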