Integrating Palo Alto Networks Firewall
=======================================

This guide provides an overview of integrating Genian NAC with a Palo Alto
Networks (PAN) firewall. It covers the following topics:

   -  `1. About This Guide`_
   -  `2. Deployment of Genian NAC using PAN Firewall`_
   -  `3. Configuring PAN Firewall for integration via XML API`_
   -  `4. Configuring PAN Firewall for Integration via SYSLOG`_


**1. About this Guide**
-----------------------

This guide describes how Genian NAC engineers and enterprise operators can send
user authentication information to a PAN firewall.

With IP-based firewall policies, when a user moves to another department or
location the user's IP address changes, and the assigned permissions have to be
modified accordingly. Such policies do not know who is using an IP address, but
the PAN firewall can obtain that user information for an IP address from Genian
NAC.

With this information, the permissions assigned to a user keep applying even
when the user's department or location changes and the IP address changes with
it, without modifying any rule on the firewall. This simplifies the
administrator's internal infrastructure operation and improves security.

For more information about PAN firewalls, see
https://docs.paloaltonetworks.com/pan-os

**2. Deployment of Genian NAC using PAN Firewall**
--------------------------------------------------

Genian NAC provides authentication integration: the PAN firewall receives the IP
address and user authentication information from Genian NAC and performs
User-ID mapping, which enables access control by user role on the PAN firewall.

.. image:: /images/authentication-process.jpg
   :width: 600px


The authentication process is described below:

#. The user authenticates to Genian NAC.
#. Genian NAC sends the authenticated user and IP information to the PAN
   firewall.
#. The PAN firewall compares the user and IP information received from Genian
   NAC with its own User-ID table.
#. The PAN firewall confirms the tag assigned to the User-ID.
#. A role-specific access control policy is enforced based on the tag assigned
   to each user.

**3. Configuring PAN Firewall for integration via XML API**
-----------------------------------------------------------

3.1 Create an Admin role on the PAN firewall.

- Go to **Device** > **Admin Roles** > **Add**
- Create a role with the **Name** Genian_NAC_SSO
- Under the **XML API** tab, enable everything and confirm with **OK**

.. image:: /images/Genian_NAC_SSO.jpg
   :width: 600px


3.2 Create an account for Genian NAC and assign the SSO role to it.

- Enter a **Name**: Genian_NAC
- Select the **Administrator Type**: Role Based
- Select the **Profile**: Genian_NAC_SSO

.. image:: /images/Genian_administraitor.jpg
   :width: 600px

3.3 Generate the XML API key.

Open this URL: **https://[IP of PAN firewall]/api/?type=keygen&user=[username]&password=[password]**

The generated key is returned in the response:

.. code:: xml

   <response status = 'success'>
    <result>
        <key>LUFRPT1KbW80SU1hRXJuNk5XNHBudUhCNGMydE0rSUk9RFIzdEJ5RGcwWkRCVlhYMXl0Q1FPdz09
        </key>
    </result>
   </response>


3.4 Configure Genian NAC to send authentication events to the XML API.

Genian NAC uses a filter on the audit log to integrate with the XML API.

- Go to **Log** in the top panel
- Go to **Log** > **Search** > **Advanced Search** > **Log ID** > check
  **Authentication** > click the **Search** button in the left **Log** panel
- The authentication log entries are listed; click the **Save As** button

Then fill in the filter settings:

- Enter a **Name**: SSO_PaloAlto
- Set the **Webhook URL** to the PAN firewall XML API endpoint, using the key
  generated in 3.3:

.. code:: bash

   # Call the PAN firewall XML API
   https://[IP of PAN firewall]/api/?type=user-id&action=set&key=LUFRPT1KbW80SU1hRXJuNk5XNHBudUhCNGMydE0rSUk9RFIzdEJ5RGcwWkRCVlhYMXl0Q1FPdz09

- Select a **Character Set**: EUC-KR
- Select a **Method**: POST
- Enter the **POST Data**:

.. code:: xml

   <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
        <login>
            <entry name="{ID}" ip="{_IP}" timeout="20" />
        </login>
    </payload>
   </uid-message>

- Select a **Content-Type**: multipart/form-data

.. image:: /images/SSO_PaloAlto.JPG
   :width: 600px
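As an added example (not Genian NAC or Palo Alto Networks code), the Python helpers below reproduce the exchange configured in 3.3 and 3.4: extracting the key from the keygen response, building the ``uid-message`` body for a login or logout, and posting it to the ``user-id`` endpoint. Two assumptions not taken from this page: the XML is sent in the ``cmd`` form field together with the key (in the POST body rather than the URL, so the key does not land in proxy or web-server logs), and ``ca_file`` is a PEM bundle that verifies the firewall's certificate.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_keygen_key(response_xml: str) -> str:
    """Extract the API key from a keygen response (step 3.3); raise if it failed."""
    root = ET.fromstring(response_xml)
    key = root.findtext("./result/key")
    if root.get("status") != "success" or not key:
        raise RuntimeError(f"keygen failed: {response_xml!r}")
    return key.strip()


def build_uid_message(user: str, ip: str, timeout: int = 20, logout: bool = False) -> str:
    """Build the <uid-message> body from step 3.4 for a login or a logout event."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    section = ET.SubElement(payload, "logout" if logout else "login")
    entry = ET.SubElement(section, "entry", name=user, ip=ip)
    if not logout:
        entry.set("timeout", str(timeout))  # minutes the mapping stays valid
    return ET.tostring(msg, encoding="unicode")


def api_succeeded(response_xml: str) -> bool:
    """True when the firewall answered <response status="success">."""
    return ET.fromstring(response_xml).get("status") == "success"


def send_user_mapping(fw_host: str, api_key: str, uid_xml: str, ca_file: str) -> bool:
    """POST a uid-message to the user-id endpoint used as the webhook URL in 3.4.

    Assumptions (not from the page): the XML travels in the `cmd` form field
    and the key in the POST body; ca_file verifies the firewall's certificate.
    """
    url = f"https://{fw_host}/api/?type=user-id&action=set"
    body = urllib.parse.urlencode({"key": api_key, "cmd": uid_xml}).encode()
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return api_succeeded(resp.read().decode())
```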

3.5 Configure User Identification on security zones.

PAN firewall policy rules use security zones to identify traffic: traffic flows
freely within a zone, but not between different zones until you define security
policy rules that allow it. To enforce user identity, you must enable User
Identification on both the inbound and outbound zones that end-user traffic
passes through.

To enable User Identification:

- Go to **Network** > **Zone**
- Select **Enable User Identification** and click **OK**

3.6 Verify from the CLI (SSH) and the Web Console that the firewall is
receiving login events.

.. code:: bash

   # CLI command
   admin@PA-VM> show user ip-user-mapping all
   IP                Vsys      From      User      IdleTimeout(s)   MaxTimeout(s)
   ---------------   -----     -------   -------   --------------   -------------
   172.29.101.1      vsys1     XMLAPI    genian    1111             1111
   Total: 1 users

**Web Console**

- Go to **Monitor**
- Go to **Logs** > **User-ID** in the left Monitor panel
- The list of authentications received via Genian NAC is shown

.. image:: /images/Mapping-UI.JPG
   :width: 600px

**4. Configuring PAN Firewall for Integration via SYSLOG**
----------------------------------------------------------

4.1 Create a syslog filter.

On the Palo Alto firewall, create a log filter (syslog parse profile) so that it
can distinguish authentication-related messages among the syslog messages
received from Genian NAC.

- Go to **Device** on the top panel
- Go to **User Identification** > **User Mapping** > click the **gear** button
  on the **User-ID Agent Setup** tab
- Go to **Syslog Filters** > **Add**

Enter the following values:

- **Syslog Parse Profile**: Genian_NAC
- **Event String**: AUTHUSER
- **Username Prefix**: ``ID=``
- **Username Delimiter**: ``,``
- **Address Prefix**: ``IP=``
- **Address Delimiter**: ``,``

The event string must appear verbatim in every syslog message that should
produce a user mapping; messages that do not contain it are ignored.

.. image:: /images/Genian_syslog-parse-profile.jpg
   :width: 400px


4.2 Specify the syslog sender that the PAN firewall monitors.

- Go to **Device** > **User Identification** > **User Mapping** and **Add** an
  entry to the Server Monitoring list

Enter the following values:

- Enter a **Name** to identify the sender
- Make sure the sender profile is **Enabled** (enabled by default)
- Set the **Type** to Syslog Sender
- Enter the **Network Address**: the IP address of Genian NAC
- Select **SSL** (default) or **UDP** as the **Connection Type**

.. note:: UDP sends the data unencrypted; using SSL is recommended.

The listening ports are 514 for UDP and 6514 for SSL.

.. image:: /images/Genian_syslog_sender.jpg
   :width: 400px


4.3 Enable the syslog listener service so that the firewall can receive syslog
from Genian NAC.

- Go to **Network** > **Network Profiles** > **Interface Mgmt** > **Add** a new
  profile

Enter the following values:

- Enter a **Name** to identify the network profile: Allow Genian NAC
- Check **User-ID Syslog Listener-SSL** or **User-ID Syslog Listener-UDP**,
  matching the connection type chosen in 4.2
- Click **OK** to save the interface management profile


4.4 Assign the interface management profile to the interface.

- Go to **Network** > **Interfaces** and edit the interface
- Go to **Advanced** > **Other Info** > select the **Interface Management
  Profile** > select **Allow Genian NAC** > click **OK**
- **Commit**

4.5 Configure Genian NAC to send syslog.

Genian NAC uses a filter on the audit log to integrate via syslog.

- Go to **Log** in the top panel
- Go to **Log** > **Search** > **Advanced Search** > **Log ID** > check
  **Authentication** > click the **Search** button in the left **Log** panel
- The authentication log entries are listed; click the **Save As** button

Enter the following values:

- Enter a **Name**
- Enter the **Server IP address** (the Palo Alto IP address)
- Select the **Protocol**: UDP or TCP (TLS)
- Set the **Server port**: 514 for UDP, 6514 for TCP (TLS)
- Enter the **SYSLOG Message**: ``USERAUTH, ID={ID}, IP={_IP}``
- Click **Save**

.. image:: /images/Genian_NAC_syslog.JPG
   :width: 600px
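As an added example (not Genian NAC or Palo Alto Networks code) covering steps 4.1 and 4.5, the Python below emulates how the syslog parse profile fields are applied to a received message: the event string must be a substring of the message, the user and address are cut between their prefix and the next delimiter, and a field with no trailing delimiter runs to the end of the message. With the profile entered exactly as in 4.1 (``AUTHUSER``) the message format from 4.5 (``USERAUTH, ...``) produces no mapping, so the two values have to be aligned; the messages are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SyslogParseProfile:
    """The fields of the syslog filter configured in step 4.1."""
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str


def _field(message: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text between prefix and delimiter; runs to the end if no delimiter follows."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(delimiter, start)
    value = message[start:] if end < 0 else message[start:end]
    return value.strip() or None


def parse_mapping(message: str, profile: SyslogParseProfile) -> Optional[Tuple[str, str]]:
    """Return (user, ip) when the message matches the profile, otherwise None."""
    if profile.event_string not in message:
        return None  # no event string: the firewall does not treat it as a login event
    user = _field(message, profile.username_prefix, profile.username_delimiter)
    ip = _field(message, profile.address_prefix, profile.address_delimiter)
    if user is None or ip is None:
        return None
    try:
        ipaddress.ip_address(ip)  # reject messages whose address field is not an IP
    except ValueError:
        return None
    return user, ip


# Profile values exactly as entered in step 4.1.
PROFILE_4_1 = SyslogParseProfile("AUTHUSER", "ID=", ",", "IP=", ",")

# Constructed sample messages: the first uses the message format from step 4.5,
# the second starts with the event string configured in step 4.1.
MESSAGE_4_5 = "USERAUTH, ID=genian, IP=172.29.101.1"
MESSAGE_MATCHING = "AUTHUSER, ID=genian, IP=172.29.101.1"
```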

4.6 Verify the user mappings when users log in and out.

.. code:: bash

   # CLI command
   admin@PA-VM> show user ip-user-mapping all type SYSLOG
   IP                Vsys      From      User      IdleTimeout(s)   MaxTimeout(s)
   ---------------   -----     -------   -------   --------------   -------------
   172.29.101.1      vsys1     SYSLOGI   genian    2220             2220
   Total: 1 users