UserID

L2 Linker

Hello

 

Does the User Identification feature work only with Active Directory user accounts or also with computer accounts? I would like to create a security rule that allows access to our internal resources only for computers with an active computer account in our AD; for computers without a valid computer account or with a disabled account, the traffic must be blocked.

 

BR

 

3 REPLIES 3

L6 Presenter

You cannot use host-level information to enforce security policy (i.e. computer group membership, or lack thereof).

@CARRIERJerome,

You could build something like this with a dynamic group, address objects, and the XML API fairly easily that you could update on a scheduled basis. However, as @Brandon_Wertz says this isn't something natively supported by the firewall. 

 


@BPry wrote:

@CARRIERJerome,

You could build something like this with a dynamic group, address objects, and the XML API fairly easily that you could update on a scheduled basis. However, as @Brandon_Wertz says this isn't something natively supported by the firewall.

 


Yeah, there's definitely "a way" to do it, but it's not a native feature set. I actually had this requirement about 5 years back and got it implemented at my company using an EDL, or back then it was a "dynamic block list."

 

If you query the computer AD security group via a script, dump that script to a file, then perform an NSLOOKUP of those hostnames and dump that IP address into another file. This file, which has the IP addresses, can be used in the EDL on Palo.
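A sketch of the scheduled job described in the reply above, added here as an example and not the poster's own script. The group name, output path and minimum-entry threshold are assumptions, and it needs the RSAT ActiveDirectory and DnsClient modules.

```powershell
# Added example: build an EDL text file (one IPv4 address per line) from the
# enabled members of an AD computer security group.
Import-Module ActiveDirectory

$GroupName  = 'FW-Allowed-Computers'                    # hypothetical AD group
$EdlPath    = 'C:\inetpub\edl\allowed-computers.txt'    # hypothetical path the firewall fetches
$MinEntries = 1                                         # assumption: never publish an empty list

# Keep only computer objects whose account is enabled and has a DNS name.
$computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { Get-ADComputer -Identity $_.distinguishedName -Properties DNSHostName } |
    Where-Object { $_.Enabled -and $_.DNSHostName }

# Resolve each hostname; -DnsOnly avoids LLMNR/NetBIOS answers from the local segment.
$ips = foreach ($c in $computers) {
    try {
        Resolve-DnsName -Name $c.DNSHostName -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    } catch {
        Write-Warning "No A record for $($c.DNSHostName); skipped"
    }
}
$ips = @($ips | Sort-Object -Unique)

# A failed AD or DNS query must not silently replace the list with nothing.
if ($ips.Count -lt $MinEntries) {
    throw "Only $($ips.Count) addresses resolved; keeping the previous EDL file"
}

# Write to a temp file and swap it in, so the firewall never reads a partial list.
$tmp = "$EdlPath.tmp"
Set-Content -Path $tmp -Value $ips -Encoding ascii
Move-Item -Path $tmp -Destination $EdlPath -Force
```

The resulting list is only as accurate as DNS: a stale A record or a reused DHCP lease can leave an address on the list that no longer belongs to the domain-joined machine, so the refresh interval and DNS scavenging settings bound how long a disabled computer keeps access.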
