topic Re: Password protected internal site in General Topics

Password protected internal site

Rievax — Fri, 25 Sep 2020 16:58:53 GMT

Hi everyone,

I'm trying to migrate a rule of an ancient firewall (Microsoft ISA server) that was "publishing" an internal resource using regular HTTP - just a web page - but protected by an RSA SecurID login page. The ISA / RSA implementation was just enforcing a login page before showing up the published Web site:

External User (Internet) ---> ISA Server with RSA SecureID auth ---> HTTP/80 web site (LAN)

On my PA, I have no specific license for GP so I cannot use the GP clientless functionality.

Creating an enabling User-ID / Captive Portal / legacy RSA SecureID for the Internet Zone is a no no...

Are there anything I could do on the PA side to enforce authentication for Internet users?

Thanks!

Re: Password protected internal site

BPry — Sat, 26 Sep 2020 05:02:48 GMT

@Rievax,

So you've thrown out authentication policies which would generally be the solution for something like this, which really leaves you with licensing GP so you can do a clientless setup to service this resource or having them actually use GlobalProtect to form a VPN connection. You don't really have another option here from the firewall itself.

Re: Password protected internal site

aleksandar.astardzhiev — Sun, 27 Sep 2020 07:49:47 GMT

@Rievax ,

Well the captive portal will "enforce authentication for internet users" as per your requirements. Why is this not option for you?

Re: Password protected internal site

Rievax — Mon, 28 Sep 2020 11:49:19 GMT

@BPry , @aleksandar.astardzhiev

Dear all. Thanks for your answers!

To be honest, I was reading the Best Practices article for securing User-ID and in many other places in PA doc, they warn not to enable User-ID in Internet / Untrusted zones. Having a closer look, the possible issue seems to be related more in regards to WMI probing (which is not enabled in my case)... Brute force attack should not be a problem since this is an OTP SecurID access that I would use in my Authentication Policy rule (BTY, I tested in from a DMZ zone, and I know that works fine).

Still, by reading your answers, this does not seems to be a problem to your eyes enabling User-ID in the Internet / Untrusted zone. Or I am mistaken, and there is another way to have an attached Authentication Policy Rule without enabling User-ID for the Zone?

My second issue is regarding the Captive Portal Redirect Host and SSL Service Profile... I originally built it for "Internal" use, and because there's only one Captive Portal setup I will have to re-create a proper Redirect Host / SSL Service Profile / Split DNS setup to have it accessible internally and externally.

Thanks again for your suggestions.

Regards.

Re: Password protected internal site

OtakarKlier — Wed, 30 Sep 2020 21:59:45 GMT

Hello,

Using User-ID wont work, the reason is if the firewall knows the user-ip already, it will not bring up the authentication page. So I agree with BPry and you have to license GP is you want to use the PAN or find another solution.

Regards,