In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

In a DHCP environment, how can we grant certain users internet access via the Paloalto firewall?

L1 Bithead

We have over 200 users on a network, and IP addresses are assigned using DHCP. However, we have a customer request to allow internet access on ports 80 and 443 for specific individuals(may be 50 or more) via the Paloalto firewall. Please review and confirm the various configuration options.

2 accepted solutions

Accepted Solutions

L4 Transporter

Hi there,

Is there a 1:1 mapping between users and devices, or can the users log into multiple devices? This would be a good usecase for User-ID (User-ID Overview (paloaltonetworks.com)) where you can define Security Policy based on user/ group.

 

Another alternative would be an 802.1x solution on the edge ports of your network allowing you to place certain devices/ users in a specific VLAN, which can then have a specific security policy applied to on the firewall.

 

Since you mention a DHCP based solution, then we can assume there must be a 1:1 mapping between the user and devices. The solution here is to logically divide a subnet. Say you have a DHCP scope for a /24 subnet, then carve out a /26 and use that for static reservations, eg: 

192.168.1.0/24

Reserved: 192.168.1.0/26

DHCP scope allocation: 192.168.1.64-192.168.1.250

 

This will give you 62 useable host addresses, which you can use for static reservations once you have gathered all of the device MAC addresses. You can then create an address object for 192.168.1.0/26 and use it in whatever punitive policy you require.

 

cheers,

Seb.

View solution in original post

L3 Networker

Ideas, given the limited information provided:

  1. If each of the 50 individuals has dedicated PCs, use DHCP reservations to give them certain IPs and then allow that IP range Internet access.
  2. Break it up into two networks.  This would be via SSID, or 802.1x auth, or many other options.
  3. Use Active Directory groups and User-ID, with different security rules depending on AD group membership.

View solution in original post

5 REPLIES 5

L4 Transporter

Hi there,

Is there a 1:1 mapping between users and devices, or can the users log into multiple devices? This would be a good usecase for User-ID (User-ID Overview (paloaltonetworks.com)) where you can define Security Policy based on user/ group.

 

Another alternative would be an 802.1x solution on the edge ports of your network allowing you to place certain devices/ users in a specific VLAN, which can then have a specific security policy applied to on the firewall.

 

Since you mention a DHCP based solution, then we can assume there must be a 1:1 mapping between the user and devices. The solution here is to logically divide a subnet. Say you have a DHCP scope for a /24 subnet, then carve out a /26 and use that for static reservations, eg: 

192.168.1.0/24

Reserved: 192.168.1.0/26

DHCP scope allocation: 192.168.1.64-192.168.1.250

 

This will give you 62 useable host addresses, which you can use for static reservations once you have gathered all of the device MAC addresses. You can then create an address object for 192.168.1.0/26 and use it in whatever punitive policy you require.

 

cheers,

Seb.

L3 Networker

Ideas, given the limited information provided:

  1. If each of the 50 individuals has dedicated PCs, use DHCP reservations to give them certain IPs and then allow that IP range Internet access.
  2. Break it up into two networks.  This would be via SSID, or 802.1x auth, or many other options.
  3. Use Active Directory groups and User-ID, with different security rules depending on AD group membership.

Hello @AaronAxvig, thanks for the reply. How about the AD integration method and local user authentication (using Captive Portal). ?

L3 Networker

Yeah that should work.

Thank you so much.

  • 2 accepted solutions
  • 1277 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!