Restricting users to Internet only

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Restricting users to Internet only

L3 Networker

How can I restrict a certain group (ip range\VLAN) to internet only access.?  I don't want them to get to internal network shares with unfamiliar devices. We use Aruba Clear pass to authenticate and assign IPs and the PA 500 sits on the parameter. I know the answer is not the PA but probably a mixture of my other network devices.

Clearpass Device manager and Juniper 4200 switches with cisco switches in IDF

2 REPLIES 2

L7 Applicator

Hello,

While those groups (IP range\VLAN) are accessing internal resources, is the same traffic passing through the PAN firewall....?

If so, then you can create a policy to block internal resources base on user-group or source IP subnet.

security-policy.JPG.jpg

Thanks

L7 Applicator

If the layer 3 traffic is occurring on the Juniper or Cisco switches, you would need to implement the restrictions at that point of the traffic path.  As Hulk notes, if the traffic reaches the Palo Alto before the destination then a rule here can restrict the access.  But it sounds like you have internal layer 3 connections that are permitted without reaching the Palo Alto.

both Cisco and Juniper switches perform this function via packet based (not session based) filters.  You create the allow filter and apply this to the layer 3 interface on the switch.

On the Juniper switches you would use the feature firewall filters applied to the RVI (Routed Vlan interface) on the switch.

Juniper Documentation

Firewall Filters Configuration Guide - Technical Documentation - Support - Juniper Networks

Free Day One book on the feature:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/conf...

On the Cisco switches the feature is ACL (access control lists)

Cisco Documentation

Configuring IP Access Lists - Cisco Systems

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2124 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!