Hello, I have a combined network in my organization with an MX84 as the firewall.
The problem is when I try to apply a group policy to a client: I go to the Network-wide menu, Clients tab, and select my client. When I get there I don't see the policy section to apply the group policy or block the client.
Can you provide a screenshot?
Hi @Japimil,
Can you see the policy section on the client page if you select 'only security appliance clients' in the following drop-down?
Yes, I can see it, but I can't see all my clients.
I need to apply it to a client that is behind an MS225 switch, which has the layer 3 interface for the network.
Ah!
So the issue is going to be that combined networks track clients by MAC address, and your L3 switch is creating an L3 boundary between the client and the MX.
THIS KB has more info as to why the problem is occurring, as well as instructions on how to fix it. To summarize, having an L3 switch between your clients and the MX means that all traffic sent through that L3 switch will show with the switch's MAC address as the source on the MX's side (normal L3 boundary behavior). Since the network is tracking clients based on their MAC address, this means that the MX thinks all traffic coming through the switch belongs to the switch and not to individual clients.
To fix this issue, all that needs to happen is the following:
1) Split the MX into its own network [Relevant KB] (switches, APs, etc. can remain combined)
2) Set the MX's network to track clients by IP [Relevant KB]
3) The MX should now be able to identify clients based on their unique IPs rather than MAC address, and you should be able to assign per-client policy
NOTE: For this to be effective, you will want clients to keep their IP addresses. Static IPs or fixed DHCP IP assignments are definitely recommended.
Hope this helps! 😃
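As an added illustration of the mechanism described in the reply above (this is not code from the thread or from Meraki; the switch MAC, client MACs, IPs, hostnames and the simplified tracking model are all constructed assumptions), the script below models what the MX sees once packets have crossed the MS225's layer 3 interface, buckets them into "clients" under MAC tracking and under IP tracking, and then shows the failure mode behind the NOTE: when a DHCP lease is reassigned, an IP-tracked client, and any policy pinned to it, silently starts covering a different machine.

```python
"""Model of client identification at an MX behind an L3 switch.

Added example, not Meraki code. The "dashboard" logic is a deliberately
simplified model of the behaviour described in the reply; every address
and hostname below is constructed for the illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed MAC of the MS225's layer 3 (SVI) interface facing the MX.
SWITCH_MAC = "00:18:0a:aa:bb:cc"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    hostname: str   # the name the client would show in the dashboard


def cross_l3_boundary(pkt: Packet) -> Packet:
    """A routed hop rebuilds the Ethernet header: the source MAC the MX sees
    is the switch's own, while the IP header is forwarded unchanged."""
    return Packet(src_mac=SWITCH_MAC, src_ip=pkt.src_ip, hostname=pkt.hostname)


def identify_clients(packets, tracking: str) -> dict[str, set[str]]:
    """Bucket packets into 'clients' keyed the way the network tracks them.

    tracking="mac" models the combined-network default; tracking="ip"
    models the per-network setting the fix switches the MX network to.
    """
    key = {"mac": lambda p: p.src_mac, "ip": lambda p: p.src_ip}[tracking]
    clients: dict[str, set[str]] = defaultdict(set)
    for p in packets:
        clients[key(p)].add(p.hostname)
    return dict(clients)


# Three PCs in a VLAN routed by the MS225 (constructed sample traffic).
LAN_PACKETS = [
    Packet("3c:22:fb:00:00:01", "10.1.0.10", "PC-A"),
    Packet("3c:22:fb:00:00:02", "10.1.0.11", "PC-B"),
    Packet("3c:22:fb:00:00:03", "10.1.0.12", "PC-C"),
]


def mx_view(packets):
    """The same packets as they arrive on the MX's LAN side."""
    return [cross_l3_boundary(p) for p in packets]


def mac_tracked_view():
    """Combined network: one 'client' (the switch) owning every hostname."""
    return identify_clients(mx_view(LAN_PACKETS), "mac")


def ip_tracked_view():
    """MX split into its own network with IP tracking: one client per IP."""
    return identify_clients(mx_view(LAN_PACKETS), "ip")


def ip_tracked_after_lease_churn():
    """PC-A's lease expires and a new laptop PC-D receives 10.1.0.10.
    Under IP tracking the 'client' 10.1.0.10, and any policy pinned to it,
    now covers PC-D as well, which is why fixed addresses are recommended."""
    churn = [Packet("3c:22:fb:00:00:04", "10.1.0.10", "PC-D")]
    return identify_clients(mx_view(LAN_PACKETS + churn), "ip")


if __name__ == "__main__":
    print("MAC tracking:", mac_tracked_view())
    print("IP tracking:", ip_tracked_view())
    print("IP tracking after DHCP churn:", ip_tracked_after_lease_churn())
```

Running it shows the three views side by side: under MAC tracking the only client the MX knows is the switch MAC, under IP tracking the three PCs are distinct, and after the constructed lease reassignment the entry for 10.1.0.10 carries two hostnames.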
I had that configuration at first, but we are trying to configure AD integration for group policy assignment on the MX84 and it is not working.
I opened a case with support and they told me to combine the network, because if you do MAC tracking you get the name of the PC.
The principal problem is that the firewall must be the perimeter firewall of my organization and all branch offices go to the internet behind this firewall (the branches are connected by an MPLS network), so making all computers static IP (we have lots of employees with mobility) is not a valid option this time, sorry.
Is there some roadmap for this?
With no policy:
Same corporate network with policy: