Symantec Privileged Access Management

  • 1.  Access control by PAM

    Posted Jul 10, 2019 11:50 PM
    Could you give me some advice, please?

    My customer wants to manage access to [Device3]. (The access flow is below.)

      [PAM] -> [Device1] -> [Device2] -> [Device3]

    I think it is possible by making a Device Group that includes [Device1] and [Device2].
     ※ The Socket Filter, which has a Blacklist for [Device3], is applied to the Device Group.
    However, it is hard to install SFA on [Device2]. ([Device2]'s OS is neither UNIX nor Windows.)

    Is there another solution using PAM? Should I suggest controlling this by network?

    Thank you in advance.


  • 2.  RE: Access control by PAM
    Best Answer

    Broadcom Employee
    Posted Jul 16, 2019 10:20 AM
    If I understand right, you are looking for some logic on Device 2 that allows access to Device 3, but only if the connection to Device 2 came from Device 1, and that only if the connection to Device 1 came from PAM. I don't know why there would be a need for such logic, but in general I don't see how this could be done w/o having a piece of software installed on Device 2 that could enforce such a policy. Since it is neither UNIX nor Windows, PAM wouldn't have such software. Also, the PAM SFA is meant to control sessions that are initiated from PAM. If the connection is from another device, it should not interfere with it.


  • 3.  RE: Access control by PAM

    Posted Jul 18, 2019 11:49 PM
    Hello Ralf.

    Thank you for your help.
    I completely understood and I agree with your opinion.
    I will tell that to my customer.

    Thanks and Best regards,

    Fumiko Nishimura