I'm in proccess of migration from TMG to Palo Alto. One of the rules on TMG whic is used to publish web site to the Internet have AD autehntication enabled. Because I can't change anything on web server and I have to enable some kind of authentication when users are connecting to this site, I was thinking to use PAN Authentication policy for this.
I'm worried because for that I have to enable User Identification on Untrust interface. What are security concerns if I enable User-ID on untrust interface? Is there any other way to force authentication on PAN FW when users from outside network access web server on inside interface?
There really shouldn't be anything special you need to do to actually allow this to the best of my knowledge. This is really more of an ISS thing than on your firewall. Maybe I'm missing exactly what you are talking about?
Maybe I wasn't clear enough about my problem...
Right now TMG works as reverse proxy and besides publishing site on the Internet (NAT), provides for authentication of user before they can access the web site.
So, when users enter URL of that site in their browser first thing that appears is TMG web form where users have to enter their username and password, and then only if they are successfuly authenticated they are passed through to web site itself.
There is no authentication built in on site itself. And also we are using XAMPP as web server, not IIS, but this is irrelevant
I have to somehow copy this functionality of authenticating users before they can access the web site on our internal network. For this I was planing of using Authentication policy on PAN FW.
For "known-user" atribution and enforcing in policy you've got a lot of options.
Domain Controller querrying for authenticated users. This can be done on your firewall...(But has limitations and impacts) You can use UIAs (User Identifcation Agents) which are installed on PCs or member servers that querry the DCs.
Or through a "Captive Portal" process which is also performed via the firewall. With NTLM enabled the FW or your UIAs will querry a clients browser for creds via NTLM and bump that against AD. If that doesn't work the user will get a browser pop-up or even potentially get a splash-page asking for creds
OR you can also us the Global Protect client merely for user atribution (nothing to do with VPN)
In my enviornment we do UIAs, with CP/NTLM.
There's a high likelihood that capturing user creds with Palo will be more seamless to your users than before.
Using DC querying the Palo firewall will already know about your users. Essentially at the same time the users authenticate to the domain. Therefore in most cases they'll never have to put credentials into a webpage.
With UIA DCs are queried on a configurable basis, but the default is 2 or 3 seconds.
Via CLI you can see how many users the firewall knows about and via what process (SSO=NTLM because of a PAN-OS code upgrade):
me@firewall(active)> show user ip-user-mapping all option count type UIA
Total: 12380 users
me@firewall(active)> show user ip-user-mapping all option count type SSO
Total: 16 users
me@firewall(active)> show user ip-user-mapping all option count type CP
Total: 8 users
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!