Integrating Palo Alto Networks Firewall

This guide provides an overview of the integration of Genian ZTNA with the Palo Alto Networks (PAN) firewall. It covers the following topics:

1. About this Guide

This guide describes how Genian ZTNA engineers and enterprise operators can send user authentication information to a PAN firewall.

With a PAN firewall on its own, when a user moves to another department or location the user's IP address changes, and the firewall policy has to be modified so that the user keeps the assigned permissions. IP-based firewall policies do not know who is using an IP address, but together with Genian ZTNA they can obtain the user information for each IP address.

Based on this information, even when the user's department or location changes and the IP address changes with it, the permissions assigned to each user apply without modifying the firewall rules. This makes the administrator's operation of the internal infrastructure more efficient and more secure.

For more information about PAN firewalls, see https://docs.paloaltonetworks.com/pan-os

2. Deployment of Genian ZTNA using PAN Firewall

Genian ZTNA provides the authentication integration. The PAN firewall uses the IP address and user authentication information provided by Genian ZTNA to perform User-ID mapping, which enables access control by user role on the PAN firewall.

[Figure: authentication-process.jpg]

The authentication process is described below:

  1. The user authenticates in Genian ZTNA.
  2. Genian ZTNA sends the authenticated user name and IP address to the PAN firewall.
  3. The PAN firewall compares the user name and IP address it receives from Genian ZTNA with its own User-ID table.
  4. The PAN firewall looks up the tag assigned to the User-ID.
  5. Role-specific access control policies are enforced based on the tag assigned to each user.

3. Configuring PAN Firewall for integration via XML API

3.1 Create an Admin role on the PAN firewall.

  • Go to Device > Admin Roles > Add
  • Create a role with the Name Genian_ZTNA_SSO
  • On the XML API tab, enable all permissions and confirm with OK

[Figure: Genian_NAC_SSO.jpg]

3.2 Create an account for Genian ZTNA and assign the SSO role to it.

  • Enter a Name: Genian_ZTNA
  • Select the Administrator Type: Role Based
  • Select the Profile: Genian_ZTNA_SSO

[Figure: Genian_administraitor.jpg]

3.3 Generate the XML API key. Open this URL in a browser: https://[IP of PAN firewall]/api/?type=keygen&user=[username]&password=[password] Note that the user name and password are part of the URL, so they appear in the browser history and in any proxy logs. The generated key is returned as shown below:

Script
<response status = 'success'>
  <result>
    <key>LUFRPT1KbW80SU1hRXJuNk5XNHBudUhCNGMydE0rSUk9RFIzdEJ5RGcwWkRCVlhYMXl0Q1FPdz09</key>
  </result>
</response>

3.4 Configure Genian ZTNA to call the XML API through a webhook. Genian ZTNA uses filters on the audit log to integrate with the XML API.

  • Go to Log in the top panel
  • Go to Log > Search > Advanced Search > Log ID > check Authentication > click the Search button in the left Log panel
  • The authentication log entries are listed; click the "Save As" button

Enter the following values:

  • Name: SSO_PaloAlto
  • Webhook URL: the PAN firewall XML API endpoint
    https://[IP of PAN firewall]/api/?type=user-id&action=set&key=LUFRPT1KbW80SU1hRXJuNk5XNHBudUhCNGMydE0rSUk9RFIzdEJ5RGcwWkRCVlhYMXl0Q1FPdz09
  • Character Set: EUC-KR
  • Method: POST
  • POST Data:

Script
<uid-message>
 <version>1.0</version>
 <type>update</type>
 <payload>
     <login>
         <entry name="{ID}" ip="{_IP}" timeout="20" />
     </login>
 </payload>
</uid-message>

Select a Content-Type: multipart/form-data

[Figure: SSO_PaloAlto.JPG]
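A worked example of the call the webhook in step 3.4 makes, added here and not part of Genian ZTNA or PAN-OS: it builds the uid-message payload with XML escaping and IP validation, sends the API key in the POST body instead of the URL, and checks the firewall's reply. The host name and key are placeholders; the cmd form field follows the PAN-OS XML API.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed placeholders: use the firewall address and the key returned by the
# keygen call in step 3.3 (the key printed in this guide is only a sample).
PAN_HOST = "pan-firewall.example.internal"
API_KEY = "REPLACE-WITH-KEY-FROM-KEYGEN"

def build_uid_message(user: str, ip: str, timeout: int = 20) -> str:
    """Build the <uid-message> login payload of step 3.4 for one user/IP pair.
    The IP is validated and ElementTree escapes the username, so an ID containing
    '<', '&' or quotes cannot break or alter the XML sent to the firewall."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")

def build_request(host: str, key: str, uid_message: str):
    """Return (url, form_fields) for the User-ID call. The key is sent in the POST
    body (the XML API accepts it there as well as in the query string), so it is not
    written to proxy or web-server access logs the way the URL in step 3.4 is."""
    fields = {"type": "user-id", "action": "set", "key": key, "cmd": uid_message}
    return f"https://{host}/api/", fields

def response_ok(body: str) -> bool:
    """True only when the firewall answered <response status='success'>."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "response" and root.get("status", "").strip() == "success"

if __name__ == "__main__":
    url, fields = build_request(PAN_HOST, API_KEY, build_uid_message("genian", "172.29.101.1"))
    req = urllib.request.Request(url, data=urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("mapping set" if response_ok(resp.read().decode()) else "update rejected")
```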

3.5 Configure User Identification on the security zones. PAN firewall policy rules use security zones to classify traffic: traffic flows freely within a zone but not between different zones until you define security policy rules that allow it. To enforce user identity, you must enable User Identification on both the inbound and the outbound zones that end-user traffic passes through.

To enable User Identification:

  • Go to Network > Zones
  • Select Enable User Identification and click OK

3.6 Verify that the firewall is receiving the login events, from the CLI (SSH) and from the web console.

CLI Command
admin@PA-VM> show user ip-user-mapping all
IP               Vsys    From     User     IdleTimeout(s)   MaxTimeout(s)
---------------  ------  -------  -------  ---------------  --------------
172.29.101.1     vsys1   XMLAPI   genian   1111             1111
Total: 1 users

Web Console

  • Go to Monitor
  • Go to Logs > User-ID in the left Monitor panel
  • The list of authentications received from Genian ZTNA is displayed

[Figure: Mapping-UI.JPG]

4. Configuring PAN Firewall for Integration via SYSLOG

4.1 Create a filter. A log filter on the Palo Alto firewall (a Syslog Parse Profile) distinguishes the authentication-related messages from the syslog messages received from Genian ZTNA.

  • Go to Device in the top panel
  • Go to User Identification > User Mapping and click the gear button on the Palo Alto Networks User-ID Agent Setup tab
  • Go to Syslog Filters > Add
  • Enter the following values:
    - Syslog Parse Profile: Genian_ZTNA
    - Event String: AUTHUSER
    - Username Prefix: ID=
    - Username Delimiter: ,
    - Address Prefix: IP=
    - Address Delimiter: ,

The Event String is matched against the content of each incoming syslog message, so it must be the same string that the syslog message configured in Genian ZTNA (step 4.5) begins with; otherwise the firewall creates no mapping from those messages.

[Figure: Genian_syslog-parse-profile.jpg]

4.2 Specify the syslog sender that the PAN firewall monitors.

  • Go to Device > User Identification > User Mapping and add an entry to the Server Monitoring list
  • Enter the following values:
    - Name: a name that identifies the sender
    - Make sure the sender profile is Enabled (the default)
    - Type: Syslog Sender
    - Network Address: the IP address of Genian ZTNA
    - Connection Type: SSL (default) or UDP

Note

UDP carries the data unencrypted; using SSL is recommended.

The listening ports are 514 for UDP and 6514 for SSL.

[Figure: Genian_syslog_sender.jpg]

4.3 Enable the syslog listener service so that the firewall interface accepts syslog messages from Genian ZTNA.

  • Go to Network > Network Profiles > Interface Mgmt and add a new profile
  • Enter the following values:
    - Name: Allow Genian ZTNA
    - Check User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP, matching the connection type chosen in step 4.2
  • Click OK to save the interface management profile

4.4 Assign the interface management profile to the interface.

  • Go to Network > Interfaces and edit the interface
  • Go to Advanced > Other Info > Interface Management Profile, select Allow Genian ZTNA and click OK
  • Commit

4.5 Configure Genian ZTNA to send syslog. Genian ZTNA uses filters on the audit log to integrate via syslog.

  • Go to Log in the top panel
  • Go to Log > Search > Advanced Search > Log ID > check Authentication > click the Search button in the left Log panel
  • The authentication log entries are listed; click the "Save As" button
  • Enter the following values:
    - Name
    - Server IP address: the Palo Alto firewall IP address
    - Protocol: UDP or TCP (TLS)
    - Server port: 514 for UDP, 6514 for TCP (TLS)
    - Syslog Message: USERAUTH, ID={ID}, IP={_IP}
  • Click Save

[Figure: Genian_NAC_syslog.JPG]
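A worked example of how the Syslog Parse Profile of step 4.1 extracts a mapping from the message template of step 4.5, added here as a simplified model and not PAN-OS or Genian code: the same prefix/delimiter logic is run with the Event String as the guide enters it (AUTHUSER) and with one that matches the message (USERAUTH), showing that only the matching profile yields a user-to-IP mapping. The profile names and the parsing model are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class SyslogParseProfile:
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str

# The profile as the guide enters it, and a variant matching the step 4.5 template.
PROFILE_AS_IN_STEP_4_1 = SyslogParseProfile("AUTHUSER", "ID=", ",", "IP=", ",")
PROFILE_MATCHING_STEP_4_5 = SyslogParseProfile("USERAUTH", "ID=", ",", "IP=", ",")

def format_genian_message(user: str, ip: str) -> str:
    """The step 4.5 template (USERAUTH, ID={ID}, IP={_IP}) with the fields filled in."""
    return f"USERAUTH, ID={user}, IP={ip}"

def extract_field(message: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text after the first prefix up to the next delimiter, or to end of message
    (the IP is the last field of the template, so no delimiter follows it)."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(delimiter, start)
    value = (message[start:] if end < 0 else message[start:end]).strip()
    return value or None

def parse_login_event(message: str, profile: SyslogParseProfile) -> Optional[Tuple[str, str]]:
    """Simplified model of the firewall filter (an assumption, not PAN-OS code): the
    Event String must occur in the message, and both a username and a valid IP are needed."""
    if profile.event_string not in message:
        return None
    user = extract_field(message, profile.username_prefix, profile.username_delimiter)
    ip = extract_field(message, profile.address_prefix, profile.address_delimiter)
    if user is None or ip is None:
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return user, ip

if __name__ == "__main__":
    msg = format_genian_message("genian", "172.29.101.1")
    print(parse_login_event(msg, PROFILE_AS_IN_STEP_4_1))     # None: Event String mismatch
    print(parse_login_event(msg, PROFILE_MATCHING_STEP_4_5))  # ('genian', '172.29.101.1')
```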

4.6 Verify the user mappings when users log in and out.

CLI Command
admin@PA-VM> show user ip-user-mapping all type SYSLOG
IP               Vsys    From     User     IdleTimeout(s)   MaxTimeout(s)
---------------  ------  -------  -------  ---------------  --------------
172.29.101.1     vsys1   SYSLOGI  genian   2220             2220
Total: 1 users