09-25-2020 09:58 AM
Hi everyone,
I'm trying to migrate a rule of an ancient firewall (Microsoft ISA server) that was "publishing" an internal resource using regular HTTP - just a web page - but protected by an RSA SecurID login page. The ISA / RSA implementation was just enforcing a login page before showing the published Web site:
External User (Internet) ---> ISA Server with RSA SecurID auth ---> HTTP/80 web site (LAN)
On my PA, I have no specific license for GP so I cannot use the GP clientless functionality.
Creating and enabling User-ID / Captive Portal / legacy RSA SecurID for the Internet Zone is a no no...
Is there anything I could do on the PA side to enforce authentication for Internet users?
Thanks!
R.
09-25-2020 10:02 PM
So you've thrown out authentication policies which would generally be the solution for something like this, which really leaves you with licensing GP so you can do a clientless setup to service this resource or having them actually use GlobalProtect to form a VPN connection. You don't really have another option here from the firewall itself.
09-27-2020 12:49 AM
@Rievax ,
Well, the captive portal will "enforce authentication for internet users" as per your requirements. Why is this not an option for you?
09-28-2020 04:49 AM
@BPry , @aleksandar.astardzhiev
Dear all. Thanks for your answers!
To be honest, I was reading the Best Practices article for securing User-ID and in many other places in the PA docs, they warn not to enable User-ID in Internet / Untrusted zones. Having a closer look, the possible issue seems to be related more to WMI probing (which is not enabled in my case)... Brute force attacks should not be a problem since this is an OTP SecurID access that I would use in my Authentication Policy rule (BTW, I tested it from a DMZ zone, and I know that works fine).
Still, by reading your answers, enabling User-ID in the Internet / Untrusted zone does not seem to be a problem in your eyes. Or am I mistaken, and there is another way to have an attached Authentication Policy Rule without enabling User-ID for the Zone?
My second issue is regarding the Captive Portal Redirect Host and SSL Service Profile... I originally built it for "Internal" use, and because there's only one Captive Portal setup I will have to re-create a proper Redirect Host / SSL Service Profile / Split DNS setup to have it accessible internally and externally.
Thanks again for your suggestions.
Regards.
R.
09-30-2020 02:59 PM
Hello,
Using User-ID won't work; the reason is that if the firewall knows the user-ip already, it will not bring up the authentication page. So I agree with BPry, and you have to license GP if you want to use the PAN, or find another solution.
Regards,