https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41704#M30682 <HTML><HEAD></HEAD><BODY><P>Typing wan ip to a browser.....</P><P>users are outside on the internet ? or inside just guest....solution will depend on their position...</P><P>Captive Portal looks like a suitable solution for that.</P></BODY></HTML> Sun, 22 Sep 2013 12:01:33 GMT Retired Member 2013-09-22T12:01:33Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41701#M30679 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I am configuring a PA-500 for a POC exercise with a customer who is currently using a Sonicwall.</P><P></P><P>While there are obviously other/better ways to accomplish this and I realize how silly this is, given the limited scope I'm presently working in, I need to find a way to replicate a feature they presently "require".</P><P></P><P>In Sonicwall world, a user outside the corporate network can browse to the WAN IP of the firewall and log in with their credentials to become a "Trusted User" on the firewall.&nbsp; A firewall rule applying only to "Trusted Users" then allows them to RDP to a different IP in their /28 which gets NAT-ed through to a Remote Desktop server on the inside.&nbsp; Kind of a "Captive Portal in reverse", I guess.</P><P></P><P>Is there any way to replicate this functionality as closely as possible in PAN world??</P><P></P><P>Many thanks!</P><P>--jeff</P></BODY></HTML> Sun, 22 Sep 2013 01:56:04 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41701#M30679 SmartEdgeJC 2013-09-22T01:56:04Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41702#M30680 <HTML><HEAD></HEAD><BODY><P>Hello Jeff,</P><P>You can set up and customize a captive portal to direct user authentication by way of an authentication <SPAN style="font-size: 10pt;">profile</SPAN><SPAN style="font-size: 10pt;">, an authentication sequence, or a client certificate profile. Captive portal can be used in conjunction </SPAN><SPAN style="font-size: 10pt;">with</SPAN><SPAN style="font-size: 10pt;"> the User-ID Agent to extend user identification functions beyond the Active Directory domain. </SPAN><SPAN style="font-size: 10pt;">Users are directed to the portal and authenticated, thereby creating a user-to-IP address mapping.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Also&nbsp; </SPAN><SPAN style="font-size: 10pt;">If the user cannot be identified based on login information, an established session or client probe, </SPAN><SPAN style="font-size: 10pt;">the</SPAN><SPAN style="font-size: 10pt;"> firewall can redirect any outbound HTTP requests and redirect the user to a web form. The web </SPAN><SPAN style="font-size: 10pt;">form</SPAN><SPAN style="font-size: 10pt;"> can transparently authenticate the user through </SPAN><SPAN style="font-size: 10pt;"><SPAN class="GINGER_SOFATWARE_correct">a</SPAN></SPAN><SPAN style="font-size: 10pt;"> NTLM challenge, which is </SPAN><SPAN style="font-size: 10pt;">automatically </SPAN><SPAN style="font-size: 10pt;">evaluated</SPAN><SPAN style="font-size: 10pt;"> and answered by the web-browser or through an explicit login page.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Thanks<BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Sun, 22 Sep 2013 07:22:35 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41702#M30680 HULK 2013-09-22T07:22:35Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41703#M30681 <HTML><HEAD></HEAD><BODY><P>If these users need connect from the outside/internet, enabling CP on WAN interface would be taxing for the firewall resources. <SPAN style="font-size: 10pt; line-height: 1.5em;">Only alternative that I can think of is using Global Protect configured with External Gateway.</SPAN></P><P>Users can connect to GP portal/gateway and authenticate using their AD/Radius/Kerberos/Local DB&nbsp; credentials and would be assigned an IP from the configured IP pool.</P><P>Security policies can be configured between the tunnel zone and Inside zone to access the RDP server.</P><P>Plus....GP (1Portal + 1Gateway ) does not need licenses starting OS_4.1.x</P><P></P><P>HTH..!</P></BODY></HTML> Sun, 22 Sep 2013 09:58:20 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41703#M30681 UhMayYeah 2013-09-22T09:58:20Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41704#M30682 <HTML><HEAD></HEAD><BODY><P>Typing wan ip to a browser.....</P><P>users are outside on the internet ? or inside just guest....solution will depend on their position...</P><P>Captive Portal looks like a suitable solution for that.</P></BODY></HTML> Sun, 22 Sep 2013 12:01:33 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41704#M30682 Retired Member 2013-09-22T12:01:33Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41705#M30683 <HTML><HEAD></HEAD><BODY><P>Outside on the internet.</P><P></P><P>Thanks,</P><P>--jeff</P></BODY></HTML> Mon, 23 Sep 2013 09:47:00 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41705#M30683 SmartEdgeJC 2013-09-23T09:47:00Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41706#M30684 <HTML><HEAD></HEAD><BODY><P>I imagine that if they buy this thing after the POC that they'll be deploying GP, but sadly for now I have to figure out how to do this without otherwise it isn't going to fly......................</P></BODY></HTML> Mon, 23 Sep 2013 09:48:37 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41706#M30684 SmartEdgeJC 2013-09-23T09:48:37Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41707#M30685 <HTML><HEAD></HEAD><BODY><P>The use case here is for some employees with Macs to be able to log into the terminal server from home.&nbsp; I'm told that connecting a Mac to a Sonicwall can be a pain in the backside.&nbsp; Obviously GP works on OS X, and I bet the built in VPN client would work fine as well... but the preference at this point is to rock the boat as little as possible to get the blue device in the door.</P><P></P><P>I considered throwing it in in vwire mode but one of their pain points is how pokey the Sonicwall is with all the security features turned on.</P></BODY></HTML> Mon, 23 Sep 2013 10:01:23 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41707#M30685 SmartEdgeJC 2013-09-23T10:01:23Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41708#M30686 <HTML><HEAD></HEAD><BODY><P>VWIRE mode with following settings should be a good way to start.</P><P></P><P>1&gt; All the tags allowed 0-4094</P><P>2&gt;Non-Syn-tcp-reject&nbsp; turned off</P><P>3&gt;assymetric bypass tuned on</P><P></P><P>These settings would ensure that PA&nbsp; functions as a transparent device, staying inline.</P><P>Security features can be selectively turned on an ad hoc basis.</P><P></P><P>-HTH...!</P></BODY></HTML> Mon, 23 Sep 2013 10:27:40 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-external-users-to-firewall-like-sonicwall/m-p/41708#M30686 UhMayYeah 2013-09-23T10:27:40Z