01-14-2014 01:54 PM
Hey there --
So this is an odd thing that's probably a simple fix... hoping, anyway. We have 99% of our PCs on the same subnet and domain; however, several of these machines are owned by an outside company and are "borrowing" our internet link. They are in their own workgroup (not on our domain), but share our address space (192.168.1.x/24).
I have an OpenInternet policy that allows users in a specific domain security group full access to the internet; and I have another policy (LimitedInternet) that has strict URL filtering for users not in that group. My question -- is there a way to allow those workgroup computers (either by workgroup or machine name) access to the OpenInternet policy?
Thanks!
-- michael~
01-14-2014 02:17 PM
Hello Sir,
As you have 99% of the traffic from domain users, any non-domain traffic the PA will not be able to correlate user <-> IP, so it will be treated as "unknown" in the user field.
You can use the "unknown" user as an object for a Deny/strict policy rule.
Thanks
01-15-2014 10:41 AM
Thank you for the reply, and that seems to work. Should I be concerned about the commit warning that "Non-domainUsers shadows LimitedInternet"?
The policies are ordered as:
OpenInternet sourceuser: domain\openinternetgroup LooseFiltering
Non-domainUsers sourceuser: unknown LooseFiltering
LimitedInternet sourceuser: any StrictFiltering
And is there any way to include both the domain group and unknown user in the same policy?
Thanks!
01-16-2014 01:43 AM
The commit warning is not important (if it is fixed by support, that will be better).
To include the domain group, there is no way except cloning the rule and selecting each (as you did).
01-18-2014 04:20 AM
"Non-domainUsers shadows LimitedInternet"
Shadow means that your new rule for Non-domainUsers has match criteria such that the rule LimitedInternet will never be used. You have essentially replaced LimitedInternet with Non-domainUsers.
If this situation is acceptable then you should delete LimitedInternet.
If this is not acceptable, then we need to look more closely at the match conditions for the two rules to determine how to separate the desired traffic and block what you wish to block.
01-18-2014 05:18 AM
When you look at those 3 rules, if a user is in a domain group named abc, then its session will match LimitedInternet. So the shadow error is a bug; it does not have the same/more criteria. If you change the order of the 2nd and 3rd rules, then yes, there will be a shadow situation there.
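An added example, not part of the thread, that models the three rules in the order quoted above and evaluates them top-down the way the firewall does, matching only on the source-user field (real rule matching also considers zones, addresses and applications). The user names, the abc group membership and the sample sessions are constructed.

```python
# Added example (not from the original thread): a minimal model of the three
# rules discussed above, evaluated top-down, plus a shadow check that tests
# whether a later rule can ever match traffic an earlier rule does not catch.

# Each rule: (name, source-user match, filtering profile). Rule names, the
# group name and the profile labels are the ones quoted in the thread.
RULES = [
    ("OpenInternet",    "domain\\openinternetgroup", "LooseFiltering"),
    ("Non-domainUsers", "unknown",                   "LooseFiltering"),
    ("LimitedInternet", "any",                       "StrictFiltering"),
]

# Constructed sample sessions: User-ID maps domain users to their groups;
# workgroup hosts cannot be mapped and show up as "unknown" with no groups.
SESSIONS = {
    "domain\\alice": ["domain\\openinternetgroup"],  # in the open group
    "domain\\bob":   ["domain\\abc"],                # domain user, other group
    "unknown":       [],                             # workgroup PC, no mapping
}

def rule_matches(source_user, user, groups):
    """Return True if a rule's source-user field matches this session."""
    if source_user == "any":
        return True
    if source_user == "unknown":
        return user == "unknown"
    # Otherwise the field names a group; match on membership.
    return source_user in groups

def first_match(rules, user, groups):
    """Top-down evaluation: the first matching rule wins."""
    for name, source_user, profile in rules:
        if rule_matches(source_user, user, groups):
            return name, profile
    return None, None

def shadowed_rules(rules, sessions):
    """A rule is shadowed if no sample session ever reaches it."""
    hit = {first_match(rules, u, g)[0] for u, g in sessions.items()}
    return [name for name, _, _ in rules if name not in hit]

if __name__ == "__main__":
    for user, groups in SESSIONS.items():
        print(user, "->", first_match(RULES, user, groups))
    print("shadowed as ordered:", shadowed_rules(RULES, SESSIONS))
    swapped = [RULES[0], RULES[2], RULES[1]]   # put "any" ahead of "unknown"
    print("shadowed after swapping rules 2 and 3:", shadowed_rules(swapped, SESSIONS))
```

As ordered in the thread, a domain user outside the open group still reaches LimitedInternet, so nothing is shadowed; swapping the second and third rules puts the "any" rule first and Non-domainUsers can never match.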
01-18-2014 11:08 PM
I for some reason didn't realize unknown was an available option. Thanks for the info!