This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User-ID using internal global protect and Azure Active Directory

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID using internal global protect and Azure Active Directory

TomDow
L0 Member

‎02-02-2019 11:37 AM

Hi all,

 

I've setup SAML SSO based authentication to global protect with Azure Active Directory. I'm wondering if i can take this a step further by using internal global protect gateways and using global protect for USER-ID? 

 

If i did this, how would i go about setting up user based policies on the palo? effectively allowing me to allow/deny traffic based off Azure Active directory user or group?

 

Apologies if i've missed something obvous within the documentation. 

 

cheers

 

Tom

5 people had this problem.
0 Likes Likes
3 REPLIES 3

Medisked
L0 Member

‎03-28-2019 03:52 AM - edited ‎03-28-2019 04:17 AM

My environment is already on Azure-AD and I have no on prem AD.  There is no intent to add on premise devices if it can be avoided.
 I too was wondering if I set up the SAML connection and the Palo Alto application in O365 for firewall auth and global protect VPNs if it also encapsulated User-ID if we use global protect agents internally.

 

 

0 Likes Likes

TomDow
L0 Member
In response to Medisked

‎03-28-2019 09:52 AM

Hi Medisked,

 

I ended up raising this as a Palo Alto support ticket. 

 

However i think your question is slightly different to mine. When you setup a global protect agent- this agent does send USER-ID information to the firewall. You can see this by simply looking at the Monitor tab and you'll see the username against the traffic that user has created. 

 

However what Palo Alto have confirmed is that the Group mapping settings can only be LDAP. Therefore if you have no DCs at all and your directory service is only Azure AD- there is no way to set policies within the firewall to say "user X can only go to resource Y". 

0 Likes Likes

Marcaria-Infrastructure
L0 Member

‎11-21-2019 03:34 AM

We noticed that the authentication profile can also get a value for the user group. But reading the documentation, we found that PaloAlto only uses this to match authenticating users against Allow List entries and not for policies or reports.

 

The only thing missing is that PaloAlto allow the use of the user group that can be pass by AzureAD on Policies.

 

0 Likes Likes
  • 5686 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks