This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About CHKlomp
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About CHKlomp
12-19-2022
21Posts
2Likes
2Solutions
Dec 19, 2022Last Visited
User
Activity
User
Profile
Latest posts by CHKlomp
| Subject | Views | Posted |
|---|---|---|
| 924 | 05-24-2022 12:59 PM | |
| 1086 | 05-19-2022 09:30 AM | |
| 1171 | 05-16-2022 03:07 PM | |
| 1225 | 05-16-2022 10:03 AM | |
| 2585 | 10-27-2021 10:51 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 10-20-2021 05:04 PM | |
| 1 Like | 01-11-2018 12:20 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 2 Likes | |||
| 1 Like | |||
| 4 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-03-2016 09:52 AM |
| Date Last Visited | 12-19-2022 05:36 PM |
| Posts | 21 |
| Total Likes Received | 2 |
05-24-2022
12:59 PM
@BPry , Thanks for your time. I'm thinking the best solution is to create a custom check for a registry key. We can have a custom registry key added for those devices that need access, while not being part of the domain. With regular key rotation, security should not be compromised in a significant matter.
... View more
05-19-2022
09:30 AM
@BPry , Yes, so if we want to use the name of the device, how would we go about validating it's membership of an AD group? Or how else would we use the device name for validation? Thank you for your time.
... View more
05-16-2022
03:07 PM
@BPryThanks for you response. However we're looking for a more dynamic solution, where we won't have to update the HIP-object every time we need to make an exception. Therefore we were looking at AD domain groups, where the customer can add computer names to this AD group, when access is needed for a non-domain system. This way they won't need to go through a formal change process, which takes a long time (relative to fixing a system's access).
... View more
05-16-2022
10:03 AM
We're planning to enable HIP checks; with on of the checks is domain membership. However there are cases where a computer will not yet have the domain setup. We're thinking of creating a device group in AD where those computers can be added. How do we allow access to systems that are part of that group? I was first thinking of a User-ID check, but this is for validating computer names and not user-id's membership in a group? I was also looking at a custom HIP check, but not sure how to pull that off? Thanks all for your time.
... View more
10-27-2021
10:51 AM
Thanks for your time Steve, This is a new connection. Network B already has a routing to a network A for another customer. Therefore we need to source NAT A to C, as C is new to B and therefore can be routed back over the VPN tunnel. However as network C does not really exists in the environment traffic originating from B to C is not flowing back to A as it goes into the untrust zone in stead of zone A. Though my source NAT rule was setup bi-directional, I had to setup a reverse destination NAT for traffic from B to C NATed to A, to get this all to work. It kind of defeats the purpose of making a rule bi-directional. Here is the traffic log before and after the destination NAT rule (B to A): Type Threat/Content Type Generate Time Source address Destination address NAT Source IP NAT Destination IP Rule Source Zone Destination Zone Inbound Interface TRAFFIC end 25-10-2021 12:13 B.122.99 C.77.24 B.122.99 A.10.24 VPN from 3rdParty vpn A tunnel.6 TRAFFIC drop 22-10-2021 15:30 B.122.99 C.77.144 VPN from 3rdParty Block vpn untrust tunnel.6 Security Rules Name Source Zone source Address Dest Zone Dest Address Action VPN from 3rdParty vpn B.122.96/28 zoneA A.10.0/24 C.77.0/24 Allow VPN from 3rdParty Block vpn B.122.96/28 any any Block NAT Rules Name Org.Source Zone OrgDest Zone Org.Source Address Org.Dest Address Org.Service Source Translation Dest Translation B to A vpn untrust B.122.96/28 C.77.0/24 any address A.10.0/24 A to B zoneA untrust vpn A.10.0/24 B.122.96/28 any static-ip C.77/24 bi-directional
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks