Specify policy by machine name/workgroup?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Specify policy by machine name/workgroup?

L2 Linker

Hey there --

So this is an odd thing that's probably it simple fix..  hoping anyway.  We have 99% of our PCs on the same subnet and domain, however several of these machines are owned by an outside company and are "borrowing" our internet link.  They are in their own workgroup (not on our domain), but share our address space (192.168.1.x/24). 

I have an OpenInternet policy that allows users in a specific domain security group full access to the internet;  and I have another policy (LimitedInternet) that has strict URL filtering for users not in that group.   My question -- is there a way to allow those workgroup computers (either by workgroup or machine name) access to the OpenInternet policy?

Thanks!

-- michael~

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Sir,

As you have 99% of the traffic from domain users, So, any non-domain traffic the PA will not be unable to correlate user <-> ip, then it will treated as "unknown" in the user field.

You can use the "unknown" user as an object for a Deny/strict policy rule.

unknown-user.png

Thanks

View solution in original post

6 REPLIES 6

L7 Applicator

Hello Sir,

As you have 99% of the traffic from domain users, So, any non-domain traffic the PA will not be unable to correlate user <-> ip, then it will treated as "unknown" in the user field.

You can use the "unknown" user as an object for a Deny/strict policy rule.

unknown-user.png

Thanks

Thank you for the reply..  and that seems to work..   should I be concerned about the commit warning that the "Non-domainUsers shadows LimitedInternet"?

The policies are ordered as:

OpenInternet             sourceuser:  domain\openinternetgroup          LooseFiltering

Non-domainUsers     sourceuser: unknown                                    LooseFiltering

LimitedInternet          sourceuser: any                                           StrictFiltering

And is there any way to include both the domain group and unknown user in the same policy?

Thanks!

commit warning is not important.(if it is fixed by the support will be better )

to include domain group , there is no way except cloning the rule and select each.(as you did)

"Non-domainUsers shadows LimitedInternet"


Shadow means that your new rule for Non-domainUsers has match criteria that the rule LimitedInternet will never be used.  You have essentially replaced LimitedInternet with Non-domainUsers.


If this situation is acceptable then you should delete LimitedInternet. 


If this is not acceptable, then we need to look more closely at the match conditions for the two rules to determine how to separate the desired traffic and block what you wish to block.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

when you look for that 3 rule, if a user is in a domain group named abc, then it's session will match to Limitedİnternet.So shadow error is a bug.it does not have the same/much ciriteria.if you change the order of 2nd and 3rd rule.Than yes there will be a shadow situation there.

I for some reason didn't realize unknown was an available option. Thanks for the info!

  • 1 accepted solution
  • 3604 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!