This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global protect saml using custome port number

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect saml using custome port number

vasanth0611
L0 Member

‎02-07-2023 09:51 AM

 we have configure the global products saml  authentication with 443 in azure AD but we need to configure with the custom port number 1194 is it possible

5 people had this problem.
0 Likes Likes
12 REPLIES 12

n.major
L1 Bithead

‎02-20-2024 07:20 AM - edited ‎02-20-2024 07:25 AM

we encountered the same diffculty while trying to configure the GP port with a custom port number.

what do we need to configure under every section if we want to use a custom port like '10443'?

do i need to put ":10443" after the "test" and before the"/"?

and if so do i need to do that under every section?

naharm_0-1708442717468.png

 

 

0 Likes Likes

vasanth0611
L0 Member
In response to n.major

‎02-20-2024 09:00 AM

After authentication, packets from Azure's SAML requests are restricted to pass through Palo Alto firewalls only on port 443. If you require a custom port, you'll need to create two NAT policies: one for port 443 and another for the custom port.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-20-2024 09:16 AM

Hi @n.major ,

 

The MS doc for GP/Azure is missing the port numbers.  The PANW doc includes the port numbers (scroll down in red).  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

The doc also answers your question.  Where do I put the port numbers and on which URLs?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

n.major
L1 Bithead
In response to vasanth0611

‎02-20-2024 09:22 AM

if i remember correctly i've configured it that way.
but as per what you say i dont need to change the SAML links on the palo alto firewall side, but i need to add a configuration of a

source NAT and Destination NAT?

 

0 Likes Likes

n.major
L1 Bithead
In response to TomYoung

‎02-20-2024 09:24 AM

thank you for your reply!

but in this link of KB that you sent me it is talked about as a 'regular' port and not a custom port.

i have managed to make it work as expected with port number 443 (with integration to SAML).

but when im changing it to a custom port on the GP-portal conf and on the azure side i get an error message.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-20-2024 09:28 AM

Hi @n.major ,

 

That is what @vasanth0611 said.  I haven't looked into changing the port on the PANW side, but you can use NAT to do it.

 

Create an outbound destination NAT rule to change the port from 443 to 10443, and it should work.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

n.major
L1 Bithead
In response to TomYoung

‎02-20-2024 09:39 AM - edited ‎02-20-2024 09:42 AM

maybe i wasn't so clear.
when putting the url of the portal in the webbrowser i get the correct result and i am getting a redirect to the SAML.

on the SAML i get pass the credential part and get a 2FA which i approve.

than my screen is getting loaded, and i get an error message.

"AADSTS700016: Application with identifier 'https://test.com:443/SAML20/SP' was not found in the directory 'test.test'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant"

if you look carefully on the error you can see that it specify port number 443 and not 10443, so my feeling is that there is something wrong in the communication between the pafw and azure's SAML on the last handshake.

so the network side of the configuration seems to work fine. 

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-22-2024 06:37 AM

Hi @n.major ,

 

Thank you.  It may be best if we build a ladder diagram of the communication between the NGFW and Azure.

 

  1. NGFW initiates connection to Azure on tcp/1194.
    1. Put the port number in the SAML Server Profile after the domain name and before the 1st / for all 3 URLs (not tested)
    2. Or change the destination port with outbound NAT.
    3. Configure Azure to listen on that port.
    4. Azure replies in the same TCP session.
  2. Azure also authenticates to the public interface of the NGFW.
    1. GP listens on tcp/443.
    2. The ports in the URL I listed should be ":443" configured on the Azure side.

Hi @vasanth0611 , Did you get this working?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

n.major
L1 Bithead
In response to TomYoung

‎02-22-2024 10:58 AM

Get to correct flow is this:

The user makes an authentication request to the equipment.
The equipment bounces and redirects the user to saml.
The user goes through an authentication and identification procedure with the SAML and receives a Token after successful authentication and identification.
With the identification token, the user returns to the equipment.
The equipment verifies the token against the cloud and allows access.

 

so by this flow and the scenario I’m in, the failure happens when the FW verifies the token against the cloud.

0 Likes Likes

NachoR
L0 Member
In response to n.major

‎04-19-2024 03:42 AM

I have the same problem, i think that the fw does not know how to return the authentication request to the changed port and only uses 443

0 Likes Likes

n.major
L1 Bithead
In response to NachoR

‎04-21-2024 04:09 AM

i have not find any solution.
im doing it with the basic 443 port number when using SAML, so if you find a solution please @ me.

0 Likes Likes

y.Li251876
L0 Member
In response to vasanth0611

‎07-17-2024 02:41 AM

Hi Vasanth0611,

I recently encountered this problem, but I don't quite understand the two NAT strategies you mentioned. Could you please explain it in more detail?

0 Likes Likes
  • 2273 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks