Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.
The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories.
In this guide, we will discuss how to enable user-id on Cloud NGFW for Azure and use user-id in policy definition and traffic monitoring.
As per above test topology we have a Windows server with Active Directory configured. There are two Test Users added to the active directory. Within the user subnet there are two user machines(Testuser1 and Testuser2) that will be used to generate user traffic.
Cloud NGFW is integrated with Azure Virtual WAN.
Import the root certificate onto Panorama as shown below. This is the CA certificate that's available on Windows server acting as Active directory.
After importing the root certificate in the above step, now add a certificate profile using the certificate imported as shown below
Now add this certificate profile to User-ID connection security as shown below.
You need to click on the Gear icon to add a user-id Certificate Profile.
Login to Panorama and configure server monitor account as shown in below screenshot.
Go to DEVICE > User Identification > User Mapping and click on Gear icon to configure Server Monitor Account.
Over here you need to provide the user name and password details of the service account that you have created on Windows server as part of prerequisites.
Configure server monitoring by going to DEVICE > User Identification > User Mapping > Server Monitoring
Over here you need to specify the Type as Microsoft Active Directory, Transport Protocol as WinRM-HTTPS and the Network Address as your Windows server address where you have an active directory configured.
Commit and push the configuration
Now you can go ahead and enable User-ID on Cloud NGFW network interfaces.
Since cloud ngfw is a service and we don't have any control over network configuration on Cloud NGFW, you can override Private and Public zones as shown below and enable User-ID
To
Similarly override Public zone as well and enable User Identification.
In order to reach from Cloud NGFW to Active Directory we are now going to add a service route as shown below.
Go to Device > Setup > Services and click on “Service Route Configuration” to add route to LDAP server.
On clicking Service Route Configuration, you will be presented with the below mentioned screen where you need to select “Custom” and select LDAP service to add a route through Loopback.3 interface.
Cloud NGFW internally uses Loopback.3 as a source interface to talk to Active Directory.
Now add a service route based on Destination. Where the destination IP address Active Directory address.
Select the source interface as Loopback.3 interface
Commit and Push the configuration.
Configure LDAP server profile as shown below.
Go to DEVICE > Server Profiles > LDAP and click on Add to add LDAP server profile
You can start with providing Profile Name and add Server list where you will specify your active directory server IP address.
Now to fill in Server settings, you need to get Base DN and Bind DN from your active directory as shown below.
On your windows server, open ADSI edit app as shown below
You will be presented with below screen where you can select the username of the windows server to copy Bind DN details
Use the copied Bind DN and and Base DN as part of server settings as shown below. Key in the password of your windows server and click on OK to add LDAP server profile
In order to configure Group mapping you need to go to User Identification section as shown below and click on Add
Select the server profile created in above step to add Group mapping as shown below
Go to your Cloud NGFW device group as shown below. You will need to select the backend instances of cloud NGFW(it will be 3 or more) by enabling the checkbox against the name of the instances
Now enable “User ID Master Device” radio button and select one of the instance from the drop down to act as User ID master device
Commit and Push the configuration
As per Test topology we have Two users(Testuser1 and Testuser2). You will now be able to define security policies based on users.
Let's try to add a security policy to block Linkedin for Testuser2 and allow for other users. As shown below
Lets now login to Testuser1 and see if he is able to access LinkedIn and other websites
As you can see in the below screenshot, Testuser1 was able to access LinkedIn and other websites
Validate the same on the Panorama Monitoring page. You can see that the LinkedIn and twitter applications that were accessed by testuser1 was hitting AllowALL rule and allowed
As per Security policy defined, Testuser2 was blocked from accessing LinkedIn.
Let's now try login to Testuser2 machine and access the websites (LinkedIn and Twitter)
As you can see in the screenshot below, Testuser2 was not able to access Linkedin but was able to access twitter.
Lets see the reason for that on the Panorama monitoring page.
This confirms that Cloud NGFW for Azure was able to help with user based policy definition and monitoring.
