09-21-2013 06:56 PM
Hi all,
I am configuring a PA-500 for a POC exercise with a customer who is currently using a Sonicwall.
While there are obviously other/better ways to accomplish this and I realize how silly this is, given the limited scope I'm presently working in, I need to find a way to replicate a feature they presently "require".
In Sonicwall world, a user outside the corporate network can browse to the WAN IP of the firewall and log in with their credentials to become a "Trusted User" on the firewall. A firewall rule applying only to "Trusted Users" then allows them to RDP to a different IP in their /28 which gets NAT-ed through to a Remote Desktop server on the inside. Kind of a "Captive Portal in reverse", I guess.
Is there any way to replicate this functionality as closely as possible in PAN world??
Many thanks!
--jeff
09-22-2013 12:22 AM
Hello Jeff,
You can set up and customize a captive portal to direct user authentication by way of an authentication profile, an authentication sequence, or a client certificate profile. Captive portal can be used in conjunction with the User-ID Agent to extend user identification functions beyond the Active Directory domain. Users are directed to the portal and authenticated, thereby creating a user-to-IP address mapping.
Also, if the user cannot be identified based on login information, an established session, or a client probe, the firewall can redirect any outbound HTTP request to a web form. The web form can transparently authenticate the user through an NTLM challenge, which is automatically evaluated and answered by the web browser, or through an explicit login page.
Thanks
09-22-2013 02:58 AM
If these users need to connect from the outside/internet, enabling CP on the WAN interface would be taxing on the firewall's resources. The only alternative I can think of is using GlobalProtect configured with an external gateway.
Users can connect to GP portal/gateway and authenticate using their AD/Radius/Kerberos/Local DB credentials and would be assigned an IP from the configured IP pool.
Security policies can be configured between the tunnel zone and Inside zone to access the RDP server.
Plus... GP (1 portal + 1 gateway) does not need licenses starting with OS 4.1.x.
HTH..!
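To make the mechanism behind both answers concrete, here is an added example (not PAN-OS code, and not from any poster in this thread) that models what a portal or GlobalProtect login actually buys you: a successful authentication creates a user-to-IP mapping with a timeout, and a security rule between the tunnel zone and the inside zone matches on that mapping (a source-user condition) in addition to zones, destination and application. The zone names, the RDP server address, the pool address and the group name are constructed for the scenario in the thread; the rule and table classes are a simplified model, not the firewall's real policy engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One security rule: zones, destination, application, optional source-user match."""
    name: str
    from_zone: str
    to_zone: str
    dst: str                            # destination network in CIDR form
    app: str                            # application name, or "any"
    action: str                         # "allow" or "deny"
    source_user: Optional[str] = None   # None = any user; "known-user"; "group:<name>"; or a username


class UserIDTable:
    """User-to-IP mappings created by a portal/VPN login, each with an expiry time."""

    def __init__(self, timeout_seconds: int = 3600):
        self.timeout = timeout_seconds
        self._map = {}                  # ip (str) -> (user, frozenset(groups), expires_at)

    def login(self, ip: str, user: str, groups, now: float) -> None:
        # A successful authentication maps the client IP to the user until the timeout.
        self._map[str(ip_address(ip))] = (user, frozenset(groups), now + self.timeout)

    def lookup(self, ip: str, now: float):
        key = str(ip_address(ip))
        entry = self._map.get(key)
        if entry is None:
            return None
        user, groups, expires_at = entry
        if now >= expires_at:           # expired mapping is purged; the client is unknown again
            del self._map[key]
            return None
        return user, groups


class Firewall:
    def __init__(self, rules, userid: UserIDTable):
        self.rules = list(rules)
        self.userid = userid

    def _user_matches(self, rule: Rule, src_ip: str, now: float) -> bool:
        if rule.source_user is None:
            return True
        mapping = self.userid.lookup(src_ip, now)
        if mapping is None:
            return False                # a user-based rule never matches an unmapped IP
        user, groups = mapping
        if rule.source_user == "known-user":
            return True
        if rule.source_user.startswith("group:"):
            return rule.source_user[len("group:"):] in groups
        return rule.source_user == user

    def evaluate(self, src_zone, src_ip, dst_zone, dst_ip, app, now):
        """First-match evaluation; returns (rule name, action). Implicit deny at the end."""
        dst_addr = ip_address(dst_ip)
        for rule in self.rules:
            if rule.from_zone != src_zone or rule.to_zone != dst_zone:
                continue
            if dst_addr not in ip_network(rule.dst):
                continue
            if rule.app != "any" and rule.app != app:
                continue
            if not self._user_matches(rule, src_ip, now):
                continue
            return rule.name, rule.action
        return "implicit-deny", "deny"


# Constructed scenario: RDP server on the inside, VPN clients land in a tunnel zone
# (zone names, addresses and the group name are assumptions for this example).
RDP_SERVER = "10.10.0.5"
RULES = [
    Rule("Allow-RDP-Trusted", "GP-Tunnel", "Inside", "10.10.0.5/32", "ms-rdp", "allow",
         source_user="group:rdp-users"),
]


def build_firewall() -> Firewall:
    return Firewall(RULES, UserIDTable(timeout_seconds=3600))


def rdp_decision(fw: Firewall, client_ip: str, now: float) -> str:
    # A VPN client (pool address) opens RDP to the inside server.
    return fw.evaluate("GP-Tunnel", client_ip, "Inside", RDP_SERVER, "ms-rdp", now)[1]


if __name__ == "__main__":
    fw = build_firewall()
    print(rdp_decision(fw, "172.16.50.10", now=0))      # deny: no mapping yet
    fw.userid.login("172.16.50.10", "jeff", ["rdp-users"], now=0)
    print(rdp_decision(fw, "172.16.50.10", now=10))     # allow: mapped and in the group
    print(rdp_decision(fw, "172.16.50.10", now=3600))   # deny: mapping expired
```

Two points the model makes visible: a user-based rule fails closed whenever the mapping is missing or has timed out, so the rule never silently widens to "any source" on the tunnel; and the rule is scoped to one destination and one application, so an authenticated VPN user still only reaches the RDP server, not the whole inside zone. The same shape applies to a captive-portal mapping, with the portal login playing the role of `login()`.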
09-22-2013 05:01 AM
Typing the WAN IP into a browser...
Are the users outside on the internet, or inside as guests? The solution will depend on their position.
Captive Portal looks like a suitable solution for that.
09-23-2013 02:47 AM
Outside on the internet.
Thanks,
--jeff