I've set up SAML SSO-based authentication to GlobalProtect with Azure Active Directory. I'm wondering if I can take this a step further by using internal GlobalProtect gateways and using GlobalProtect for User-ID?
If I did this, how would I go about setting up user-based policies on the Palo? Effectively allowing me to allow/deny traffic based on Azure Active Directory user or group?
Apologies if I've missed something obvious within the documentation.
My environment is already on Azure AD and I have no on-prem AD. There is no intent to add on-premises devices if it can be avoided.
I too was wondering, if I set up the SAML connection and the Palo Alto application in O365 for firewall auth and GlobalProtect VPNs, whether it also encapsulated User-ID if we use GlobalProtect agents internally.
I ended up raising this as a Palo Alto support ticket.
However, I think your question is slightly different to mine. When you set up a GlobalProtect agent, this agent does send User-ID information to the firewall. You can see this by simply looking at the Monitor tab, where you'll see the username against the traffic that user has created.
However, what Palo Alto have confirmed is that the Group Mapping settings can only be LDAP. Therefore, if you have no DCs at all and your directory service is only Azure AD, there is no way to set policies within the firewall to say "user X can only go to resource Y".
We noticed that the authentication profile can also get a value for the user group. But reading the documentation, we found that Palo Alto only uses this to match authenticating users against Allow List entries and not for policies or reports.
The only thing missing is for Palo Alto to allow the use of the user group that can be passed by Azure AD in policies.
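To make the "group value in the SAML assertion" point concrete, here is an added example (not Palo Alto code, and not from any poster in this thread) that parses a constructed Azure AD-style SAML assertion, pulls out the NameID and the group attribute values, and evaluates a simple allow list against them in the way the reply above describes. The group claim name and the GUID-style group values are assumptions about the default Azure AD group claim; the allow-list function is a plain illustration of the matching semantics, not the firewall's actual implementation.

```python
"""Extract user and group attributes from a SAML assertion and evaluate an
allow list against them. Added illustration for the thread above; the
assertion below is constructed, not a real capture, and carries no signature."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: this is the claim name Azure AD uses for group claims by default,
# and the values are group object IDs unless the app is configured to emit names.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (tenant ID, user and group GUIDs are placeholders).
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-aaaa-bbbb-cccc-222222222222</saml:AttributeValue>
        <saml:AttributeValue>33333333-aaaa-bbbb-cccc-444444444444</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text, group_attr=GROUP_ATTR):
    """Return (username, [group values]) from a SAML Response.

    Caveat: a real SP must verify the XML signature against the IdP certificate
    and check audience/conditions BEFORE trusting anything returned here.
    This helper deliberately does neither; it only shows where the data lives."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attr:
            groups.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", NS)
                if v.text
            )
    return name_id.text.strip(), groups


def allow_list_permits(username, groups, allowed_users=(), allowed_groups=()):
    """Simplified allow-list check, illustrating the behaviour the reply
    describes: the asserted user or group is only used to decide whether the
    login is admitted, not to tag traffic for policy. Empty lists admit nobody."""
    if username in allowed_users:
        return True
    return any(g in allowed_groups for g in groups)


if __name__ == "__main__":
    user, groups = parse_assertion(SAMPLE_ASSERTION)
    print(user, groups)
    print(allow_list_permits(user, groups, allowed_groups=(groups[1],)))
```

The point the example makes visible is that the group values arrive only inside the SAML attribute statement of the authentication exchange; nothing in that path populates the firewall's group mapping table, which is what policy matching on "group X" would need.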