Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.
01-23-2018 03:29 AM
We are attempting to use a computer based ldap group in the source-user field of a traffic policy on our palo alto 5020.
At the moment that policy is being ignored, and subsequent policies based just on the same source ip group are being acted on.
(if the source-user is set to any (removing group domain\wkstn_group) then the policy works)
We have been successfully using source-user fields based on used-id and user group membership.
Could you confirm whether or not it is possible to use computer group membership in the source user field
01-23-2018 04:24 AM
@dhirvin, hi.
i can't confirm your suspicians but perhaps somebody else can.
At a guess I would say "No" as the user ip mapping process relates to the user, not the device.
for globalprotect usage this can be resolved by HIP but thats probably no help to you.
01-23-2018 06:30 AM
Palo doesn't have a way currently to use computer based security groups for a "source host" policy enforcement.
01-24-2018 06:46 AM
That said if you're good with scripting and scanning AD you can do what we've done.
Viola You've got a security policy which is based on security group membership!! (We do this for a few sensitive use cases at my company)
01-24-2018 07:33 AM
wow... clever stuff @Brandon_Wertz.
are you able to update this dynamically.. or do you just assume the devices will always get the same ip address.....
Mick.
01-24-2018 07:55 AM
We do assume the computers have different IPs. Our script runs on a specified interval and updates the "known IP" for the machine.
So when DNS gets updated our script runs, updates the IP address in the text file. The EDL update on the firewall happens on a specified interval and it too gets an updated record of the "computer object."
01-24-2018 07:57 AM
perhaps I wasn't explicit enough - we need the policy applied to Workstation PC's that are part of a particular domain group.
01-24-2018 08:47 AM
yep, gotcha...
the PA has no real concept of a user, its just a tag related to an IP address.
it gets this tag from the AD security policy on DC's or similar..
so...
ip 10.10.10.10 is normally tagged to user fred via AD security log.
with @Brandon_Wertz suggestion the tag is no longer obtained from the security log relating to the user.
it will get the tag from the new file created with hostnames...
so...
ip 10.10.10.0 is now tagged to freds_pc
so the PA policy will now see freds_pc, not fred. as long as freds_pc is allowed in the policy, either directly or by group membership then it will be allowed, or of course denied.
perhaps @Brandon_Wertz can explain better as i have never used this as an option but can see how it works. (i hope)
Mick.
01-24-2018 10:21 AM
@dhirvin wrote:perhaps I wasn't explicit enough - we need the policy applied to Workstation PC's that are part of a particular domain group.
Maybe I confused you. What I described is exactly that.
Machine (call it PC A) which are a part of a computer group / container (call it "security team")
01-24-2018 10:32 AM
@Mick_Ball wrote:yep, gotcha...
the PA has no real concept of a user, its just a tag related to an IP address.
it gets this tag from the AD security policy on DC's or similar..
so...
ip 10.10.10.10 is normally tagged to user fred via AD security log.
with @Brandon_Wertz suggestion the tag is no longer obtained from the security log relating to the user.
it will get the tag from the new file created with hostnames...
so...
ip 10.10.10.0 is now tagged to freds_pc
so the PA policy will now see freds_pc, not fred. as long as freds_pc is allowed in the policy, either directly or by group membership then it will be allowed, or of course denied.
perhaps @Brandon_Wertz can explain better as i have never used this as an option but can see how it works. (i hope)
Mick.
Hopefully my further explination clears things up. We do use user-ID enforcement for policy, however that's used in different areas.
The process I'm describing for getting machine IPs in my scenario isn't tied to a particular user.
We querry the machine object in the script so regardless who may or may not be logged into the machine gets policy based upon the current IP of the machine name. (Just as you have pointed out)
01-24-2018 10:45 AM
Here are two screenshots.
One of the EDLs
Review of current security logs which take the intended security policy (Of note you can see one of the entries has an obfuscated user so you can see both "known" and "unkown" user match our intended security policy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
