Guide and Video Demo: User-ID on Cloud NGFW for Azure


 

Title_User-ID-CNGFW-Azure_palo-alto-networks.jpg

About This Guide

 

Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.

 

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. 

 

In this guide, we will discuss how to enable User-ID on Cloud NGFW for Azure using the PAN-OS integrated User-ID agent, and how to use user identity in policy definition and traffic monitoring.

 

Sample Topology

 

Fig 1_User-ID-CNGFW-Azure_palo-alto-networks.png

 

As per the test topology above, there is a Windows server with Active Directory configured, and two test users have been created in the directory. Within the user subnet there are two user machines (Testuser1 and Testuser2) that will be used to generate user traffic.

Cloud NGFW is integrated with Azure Virtual WAN.

 

User-ID with PAN-OS Integrated Agent

 

Prerequisite

  • Configure a dedicated service account with Remote Management User and CIMV2 (WMI) privileges on the server you want to monitor; do not use a Domain Admin account for this
  • Configure server monitoring using WinRM over HTTPS with Basic Authentication (Basic authentication must never be enabled on a plain HTTP listener, because it sends the credentials in cleartext)
  • Create test users and groups on the Windows server
  • Security policy on Cloud NGFW that allows the firewall to reach the Windows server on the WinRM-HTTPS (TCP 5986) and LDAP ports
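The prerequisites above are normally done by hand in Active Directory Users and Computers, wmimgmt.msc and winrm. The following PowerShell, added here as an example and not part of the original guide, performs the same server-side preparation on the domain controller in one pass and finishes with a check that the firewall's exact authentication (HTTPS, Basic, the service account) works. The domain example.local / EXAMPLE, the host dc01.example.local, the account svc-userid, the firewall source range 10.10.0.0/24 and the assumption that a CA-issued server certificate for the DC is already in the machine store are all placeholders to adapt.

```powershell
# Added example (not part of the original article): prepare a Windows domain
# controller for PAN-OS integrated User-ID server monitoring over WinRM-HTTPS.
# Placeholders: domain example.local (NetBIOS EXAMPLE), DC FQDN dc01.example.local,
# service account svc-userid, firewall source range 10.10.0.0/24, and a CA-issued
# server certificate for dc01.example.local already in Cert:\LocalMachine\My.
# Run in an elevated Windows PowerShell 5.1 session on the DC.

# 1. Dedicated, least-privilege service account (no Domain Admin membership).
$pw = Read-Host -AsSecureString 'Password for svc-userid'
New-ADUser -Name 'svc-userid' -SamAccountName 'svc-userid' `
  -UserPrincipalName 'svc-userid@example.local' -AccountPassword $pw `
  -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Group memberships: Remote Management Users lets the account open a WinRM
#    session; Event Log Readers lets it read the Security log the agent parses.
#    On a DC these are Builtin domain groups, hence Add-ADGroupMember.
Add-ADGroupMember -Identity 'Remote Management Users' -Members 'svc-userid'
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'svc-userid'

# 3. CIMV2 namespace rights: Enable Account (0x1) + Remote Enable (0x20) on
#    root\cimv2, inherited by child namespaces. Equivalent to wmimgmt.msc > Security.
$nsParams = @{ Namespace = 'root\cimv2'; Path = '__SystemSecurity=@' }
$sdResult = Invoke-WmiMethod @nsParams -Name GetSecurityDescriptor
if ($sdResult.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sdResult.ReturnValue)" }
$sd      = $sdResult.Descriptor
$account = Get-WmiObject -Class Win32_Account -Filter "Domain='EXAMPLE' AND Name='svc-userid'"
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $account.Sid
$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = 0x1 -bor 0x20   # WBEM_ENABLE | WBEM_REMOTE_ACCESS only, no write/full control
$ace.AceFlags   = 0x2             # CONTAINER_INHERIT_ACE
$ace.AceType    = 0x0             # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$setResult = Invoke-WmiMethod @nsParams -Name SetSecurityDescriptor `
  -ArgumentList $sd.PSObject.ImmediateBaseObject
if ($setResult.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($setResult.ReturnValue)" }

# 4. WinRM service, HTTPS listener bound to the server certificate, Basic auth.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match 'dc01\.example\.local' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No server certificate for dc01.example.local in LocalMachine\My' }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
  -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
# Basic auth is acceptable only because TLS wraps it: keep cleartext disabled and
# remove any HTTP (5985) listener so the credentials can never be sent unencrypted.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Get-ChildItem WSMan:\localhost\Listener |
  Where-Object { $_.Keys -contains 'Transport=HTTP' } |
  Remove-Item -Recurse

# 5. Only the firewall's source range may reach TCP 5986.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (User-ID agent)' -Direction Inbound `
  -Protocol TCP -LocalPort 5986 -RemoteAddress '10.10.0.0/24' -Action Allow | Out-Null

# 6. Verify the exact bind the firewall will perform (HTTPS + Basic + service
#    account). The listener certificate must chain to the root CA certificate that
#    is imported on Panorama in the next step, so do not skip CA checks here.
$cred = New-Object System.Management.Automation.PSCredential('EXAMPLE\svc-userid', $pw)
Test-WSMan -ComputerName 'dc01.example.local' -UseSSL -Authentication Basic -Credential $cred
```

If Test-WSMan fails with a certificate error, fix the certificate (subject/SAN and chain) rather than relaxing validation on the firewall side; the certificate profile configured later on Panorama performs the same chain check.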

 

Import Root Certificate (from Windows Server) on to Panorama

Import the root certificate onto Panorama as shown below. This is the CA certificate that issued the server certificate used by the WinRM-HTTPS listener on the Windows server acting as Active Directory; the firewall uses it to verify that the certificate presented by the server chains to a CA you trust.

 

Fig 2_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Add Certificate Profile

After importing the root certificate in the step above, add a certificate profile that references the imported certificate, as shown below.

 

Fig 3_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Add Certificate Profile to User-ID Connection Security

Now add this certificate profile to the User-ID connection security settings as shown below.

Click the gear icon to set the User-ID certificate profile.

 

Fig 4_User-ID-CNGFW-Azure_palo-alto-networks.png

Configure Server Monitor account

Log in to Panorama and configure the server monitor account as shown in the screenshot below.

Go to DEVICE > User Identification > User Mapping and click the gear icon to configure the Server Monitor Account.

 

Here you provide the user name and password of the service account that you created on the Windows server as part of the prerequisites. Enter the name in domain\username form; this is the account the firewall will authenticate with over WinRM-HTTPS, so it should be the restricted service account and not a domain administrator.

 

Fig 5_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Configure Server Monitoring with WinRM-HTTPS Transport Protocol

Configure server monitoring by going to DEVICE > User Identification > User Mapping > Server Monitoring.

Here you specify the Type as Microsoft Active Directory, the Transport Protocol as WinRM-HTTPS, and the Network Address as the address of the Windows server on which Active Directory is configured. Use the name under which the server's certificate was issued, so that certificate validation through the certificate profile configured above succeeds.

Commit and push the configuration.

 

Fig 6_User-ID-CNGFW-Azure_palo-alto-networks.png
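Server monitoring only produces IP-to-user mappings if the Security log on the monitored server actually contains logon and Kerberos ticket events with a client IP address. The script below, added here as an example rather than taken from the guide, reads those events (4624 logon, 4768/4769 Kerberos TGT and service ticket, 4770 renewal) on the domain controller and lists the user/IP pairs the integrated agent would derive, filtering out machine accounts and events with no usable source address. The function name and the default ignore list are this example's own choices; compare its output with the IP-to-user mappings reported on the firewall side when a mapping for a test user is missing.

```powershell
# Added example (not from the original article). Run on the monitored DC, or
# through the WinRM-HTTPS listener with Invoke-Command, to see which Security log
# events are available for the PAN-OS integrated agent to turn into mappings.
function Get-UserIdCandidateEvents {
    param(
        [int]$MaxEvents = 500,
        # Built-in principals that never represent a workstation user (example choice).
        [string[]]$IgnoreUsers = @('ANONYMOUS LOGON', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
    )
    # 4624 = successful logon, 4768 = Kerberos TGT, 4769 = service ticket, 4770 = renewal
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769, 4770 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4769 reports the user as user@REALM; strip the realm so it matches 4624/4768.
        $user = ($data['TargetUserName'] -split '@')[0]
        # Kerberos events prefix IPv4 client addresses with ::ffff:
        $ip   = $data['IpAddress'] -replace '^::ffff:', ''

        # Skip machine accounts (trailing $), built-ins and events without a real client IP.
        if (-not $user -or $user.EndsWith('$') -or $IgnoreUsers -contains $user) { continue }
        if (-not $ip -or $ip -in @('-', '127.0.0.1', '::1')) { continue }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Domain = $data['TargetDomainName']
            User   = $user
            IP     = $ip
        }
    }
}

# Newest mapping candidates first; the firewall keeps only the latest IP per user.
Get-UserIdCandidateEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

If a test user's logon shows up here but not on the firewall, the problem is on the collection path (WinRM session, CIMV2 rights, certificate profile or service route); if it does not show up here at all, the client did not authenticate against this domain controller and a different DC must be monitored as well.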

 

Enable User-ID on Cloud NGFW

Now enable User-ID on the Cloud NGFW zones.

Because Cloud NGFW is a managed service and you have no control over its network configuration, the zones cannot be edited directly; instead, override the Private and Public zones in the template, as shown below, and enable User-ID on the overridden zones.

 

Fig 7_User-ID-CNGFW-Azure_palo-alto-networks.png

 

to

 

Fig 8_User-ID-CNGFW-Azure_palo-alto-networks.png

Similarly, override the Public zone and enable User Identification. Note that the general User-ID guidance from Palo Alto Networks is to enable user identification only on trusted (internal) zones; if you enable it on the Public zone as shown here, restrict mapping to your internal address ranges with the Include/Exclude Networks list under User Mapping, so that the firewall does not attempt to map arbitrary external addresses.

 

Configure Service Route to Active Directory LDAP Server

For Cloud NGFW to reach Active Directory, add a service route as shown below.

Go to Device > Setup > Services and click "Service Route Configuration" to add a route to the LDAP server.

 

Fig 9_User-ID-CNGFW-Azure_palo-alto-networks.png

 

On clicking Service Route Configuration, you will be presented with the screen shown below, where you select "Customize" and then the LDAP service, and set its source to the Loopback.3 interface.

Cloud NGFW internally uses Loopback.3 as the source interface for traffic to Active Directory.

 

Fig 10_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Now add a service route based on Destination, where the destination IP address is the Active Directory server's address.

Select Loopback.3 as the source interface. A destination-based route applies to all firewall-originated traffic toward that address, so both the WinRM-HTTPS server monitoring and the LDAP group mapping traffic leave from Loopback.3.

 

Commit and push the configuration.

 

Fig 11_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Fig 12_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Configure LDAP Server Profile

Configure the LDAP server profile as shown below.

Go to DEVICE > Server Profiles > LDAP and click Add to add an LDAP server profile.

 

Fig 13_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Start by providing a Profile Name and adding entries to the Server List, where you specify your Active Directory server's IP address.

To fill in the Server Settings, you need the Base DN and Bind DN from your Active Directory, obtained as shown below.

 

On your Windows server, open the ADSI Edit application as shown below.

 

Fig 14_User-ID-CNGFW-Azure_palo-alto-networks.png

 

You will be presented with the screen below, where you select the account object that the firewall will bind as and copy its distinguishedName attribute as the Bind DN. The domain naming context (for example DC=example,DC=local) is the Base DN. Use a dedicated read-only account here, such as the service account created in the prerequisites, rather than the built-in Administrator: the firewall only needs to read user and group objects.

 

Fig 15_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Use the copied Bind DN and Base DN in the Server Settings as shown below, enter the password of the bind account, and click OK to add the LDAP server profile. If the Windows server offers LDAPS, also select "Require SSL/TLS secured connection" (port 636) and "Verify Server Certificate for SSL sessions", so that the bind password and group data are not sent in cleartext between the firewall and the domain controller.

 

Fig 16_User-ID-CNGFW-Azure_palo-alto-networks.png
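ADSI Edit is one way to get the two DNs; the PowerShell below, added here as an example and not part of the original guide, reads them from the directory directly and then performs the same simple bind over LDAPS that the LDAP server profile will perform, followed by a read of a test group's members as group mapping will. A bind or certificate failure here reproduces exactly what the firewall will hit, and a missing member list means the bind account lacks read rights. The host dc01.example.local, the account svc-userid, the group name "Test Users" and the function name are placeholders of this example.

```powershell
# Added example (not from the original article): obtain Base DN and Bind DN
# without ADSI Edit and verify the bind the LDAP server profile will make, over
# LDAPS (636) with a least-privilege account rather than the Administrator.
Import-Module ActiveDirectory
$baseDn = (Get-ADRootDSE).defaultNamingContext                    # e.g. DC=example,DC=local
$bindDn = (Get-ADUser -Identity 'svc-userid').DistinguishedName   # e.g. CN=svc-userid,CN=Users,DC=example,DC=local
"Base DN: $baseDn"
"Bind DN: $bindDn"

Add-Type -AssemblyName System.DirectoryServices.Protocols
function Test-LdapsBindAndGroups {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [Parameter(Mandatory)] [string]$BindDn,
        [Parameter(Mandatory)] [System.Security.SecureString]$Password,
        [Parameter(Mandatory)] [string]$BaseDn,
        [string]$GroupName = 'Test Users'
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Certificate checking is deliberately left strict: a failure here means the
    # firewall's "Verify Server Certificate for SSL sessions" option would fail too.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as the firewall does
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn.Bind()                                                            # throws LdapException on failure

    # Escape the group name so it cannot alter the filter (RFC 4515 special characters).
    $escaped = $GroupName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $filter  = "(&(objectClass=group)(cn=$escaped))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter,
              [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('member', 'distinguishedName'))
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $members = @()
        if ($entry.Attributes.Contains('member')) {
            $members = @($entry.Attributes['member'].GetValues([string]))
        }
        [pscustomobject]@{ Group = $entry.DistinguishedName; Members = $members }
    }
    $conn.Dispose()
}

$pw = Read-Host -AsSecureString 'Password for svc-userid'
Test-LdapsBindAndGroups -Server 'dc01.example.local' -BindDn $bindDn -Password $pw -BaseDn $baseDn
```

Run it from a domain-joined machine that can reach the domain controller on TCP 636. The group DN that it prints is the value you will later select in Group Mapping, and the member DNs are what the firewall matches against its IP-to-user mappings.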

 

Configure Group Mapping Settings

To configure group mapping, go to the User Identification section as shown below and click Add.

 

Fig 17_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Select the LDAP server profile created in the step above to add the group mapping, as shown below.

 

Fig 18_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Configure User-ID Master Device with Cloud NGFW Device Group

Go to your Cloud NGFW device group as shown below. Select the backend instances of Cloud NGFW (there will be 3 or more) by enabling the checkbox against the name of each instance.

Now select the "User ID Master Device" radio button and choose one of the instances from the drop-down list to act as the User-ID master device; this instance performs the group mapping and shares the result with the others.

 

Fig 19_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Commit and Push the configuration

 

User Traffic Test Through Cloud NGFW

 

Validate Testuser1 Traffic

As per the test topology there are two users (Testuser1 and Testuser2). You can now define security policies based on users.

Let's add a security policy that blocks LinkedIn for Testuser2 and allows it for all other users, as shown below.

 

Fig 20_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Let's now log in as Testuser1 and check whether LinkedIn and other websites are accessible.

As you can see in the screenshot below, Testuser1 was able to access LinkedIn and other websites.

 

Fig 21_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Validate the same on the Panorama Monitor page. You can see that the LinkedIn and Twitter applications accessed by testuser1 hit the AllowALL rule and were allowed; the Source User column shows the domain\user mapping rather than only the source IP.

 

Fig 22_User-ID-CNGFW-Azure_palo-alto-networks.png

 

Validate Testuser2 Traffic

As per the security policy defined, Testuser2 should be blocked from accessing LinkedIn.

Let's now log in to the Testuser2 machine and try to access the websites (LinkedIn and Twitter).

As you can see in the screenshot below, Testuser2 was not able to access LinkedIn but was able to access Twitter.

 

Let's see the reason for that on the Panorama Monitor page: the LinkedIn session from Testuser2 matches the user-based block rule, while the Twitter session still matches the AllowALL rule.

 

Fig 23_User-ID-CNGFW-Azure_palo-alto-networks.png

This confirms that Cloud NGFW for Azure was able to help with user based policy definition and monitoring.

 

VIDEO DEMO

 

Last Updated:
‎06-07-2024 10:59 AM