07-31-2023 11:54 PM
We have over 200 users on a network, and IP addresses are assigned using DHCP. However, we have a customer request to allow internet access on ports 80 and 443 for specific individuals (maybe 50 or more) via the Palo Alto firewall. Please review and confirm the various configuration options.
08-01-2023 03:38 AM
Hi there,
Is there a 1:1 mapping between users and devices, or can the users log into multiple devices? This would be a good use case for User-ID (User-ID Overview (paloaltonetworks.com)), where you can define Security Policy based on user/group.
Another alternative would be an 802.1X solution on the edge ports of your network, allowing you to place certain devices/users in a specific VLAN, which can then have a specific security policy applied on the firewall.
Since you mention a DHCP-based solution, we can assume there must be a 1:1 mapping between the user and devices. The solution here is to logically divide a subnet. Say you have a DHCP scope for a /24 subnet; carve out a /26 and use that for static reservations, e.g.:
192.168.1.0/24
Reserved: 192.168.1.0/26
DHCP scope allocation: 192.168.1.64-192.168.1.250
This will give you 62 usable host addresses, which you can use for static reservations once you have gathered all of the device MAC addresses. You can then create an address object for 192.168.1.0/26 and use it in whatever punitive policy you require.
cheers,
Seb.
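As an added example (not code from the thread, and not Palo Alto Networks' own tooling), the Python below works through the carve-out Seb describes in general form: split a supernet into a reserved block plus the remainder, count usable hosts, verify the dynamic DHCP pool does not overlap the reserved block, map gathered MAC addresses onto fixed addresses, and model the resulting allow rule (source in the reserved address object, destination port 80 or 443). The MAC addresses are constructed sample values; the prefixes are the ones from the thread.

```python
"""Carve a static-reservation block out of a DHCP subnet and model the
firewall allow rule built on it. Illustrative code added to the thread;
not from the original post or from Palo Alto Networks."""
import ipaddress
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Values from the thread: a /24 DHCP scope with the first /26 reserved.
SUPERNET = "192.168.1.0/24"
RESERVED = "192.168.1.0/26"
DHCP_START, DHCP_END = "192.168.1.64", "192.168.1.250"
ALLOWED_PORTS: FrozenSet[int] = frozenset({80, 443})


def carve_reserved(supernet: str, new_prefix: int) -> Tuple[str, List[str]]:
    """Return the first /new_prefix block of `supernet` (the static-reservation
    range) and the remaining blocks that stay available for the DHCP pool."""
    net = ipaddress.ip_network(supernet)
    blocks = list(net.subnets(new_prefix=new_prefix))
    return str(blocks[0]), [str(b) for b in blocks[1:]]


def usable_hosts(network: str) -> int:
    """Usable host count: total addresses minus network and broadcast."""
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 0)


def dhcp_overlaps_reserved(dhcp_start: str, dhcp_end: str, reserved: str) -> bool:
    """True if the dynamic pool intersects the reserved block. An overlap would
    let an arbitrary DHCP client receive an address the allow rule trusts."""
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    block = ipaddress.ip_network(reserved)
    return start <= block[-1] and end >= block[0]


def assign_reservations(reserved: str, macs: Sequence[str]) -> Dict[str, str]:
    """Map each gathered MAC address to a fixed host address in the reserved
    block; refuses if there are more devices than usable hosts (62 for a /26)."""
    hosts = list(ipaddress.ip_network(reserved).hosts())
    if len(macs) > len(hosts):
        raise ValueError(
            f"{len(macs)} devices but only {len(hosts)} usable hosts in {reserved}")
    return {mac: str(ip) for mac, ip in zip(macs, hosts)}


def policy_decision(src_ip: str, dst_port: int, reserved: str,
                    allowed_ports: FrozenSet[int] = ALLOWED_PORTS) -> str:
    """Model the rule: allow only when the source falls inside the reserved
    address object AND the destination port is one of the allowed ports."""
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network(reserved) \
            and dst_port in allowed_ports:
        return "allow"
    return "deny"


if __name__ == "__main__":
    block, remainder = carve_reserved(SUPERNET, 26)
    print(f"reserved {block} ({usable_hosts(block)} usable hosts); "
          f"left for DHCP: {remainder}")
    print("pool overlaps reserved block:",
          dhcp_overlaps_reserved(DHCP_START, DHCP_END, block))
    # Constructed sample MAC addresses, standing in for the gathered inventory.
    sample_macs = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
    for mac, ip in assign_reservations(block, sample_macs).items():
        print(f"{mac} -> {ip}")
    for src, port in [("192.168.1.2", 443), ("192.168.1.2", 22), ("192.168.1.100", 80)]:
        print(f"{src}:{port} -> {policy_decision(src, port, block)}")
```

The overlap check is the part worth keeping in any change-control script: the allow rule trusts addresses, not people, so the reserved block is only as good as the guarantee that no dynamic lease ever lands inside it. A MAC-based reservation is also a weaker identity binding than User-ID or 802.1X, which is why the thread's later turn towards AD integration and Captive Portal is the higher-assurance route.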
08-01-2023 09:33 AM
Ideas, given the limited information provided:
08-01-2023 07:01 PM
Hello @AaronAxvig, thanks for the reply. How about the AD integration method and local user authentication (using Captive Portal)?
08-02-2023 06:15 AM
Yeah that should work.