Global protect saml using custome port number

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global protect saml using custome port number

L0 Member

 we have configure the global products saml  authentication with 443 in azure AD but we need to configure with the custom port number 1194 is it possible

12 REPLIES 12

L1 Bithead

we encountered the same diffculty while trying to configure the GP port with a custom port number.

what do we need to configure under every section if we want to use a custom port like '10443'?

do i need to put ":10443" after the "test" and before the"/"?

and if so do i need to do that under every section?

naharm_0-1708442717468.png

 

 

After authentication, packets from Azure's SAML requests are restricted to pass through Palo Alto firewalls only on port 443. If you require a custom port, you'll need to create two NAT policies: one for port 443 and another for the custom port.

Cyber Elite
Cyber Elite

Hi @n.major ,

 

The MS doc for GP/Azure is missing the port numbers.  The PANW doc includes the port numbers (scroll down in red).  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

The doc also answers your question.  Where do I put the port numbers and on which URLs?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

if i remember correctly i've configured it that way.
but as per what you say i dont need to change the SAML links on the palo alto firewall side, but i need to add a configuration of a

source NAT and Destination NAT?

 

thank you for your reply!

but in this link of KB that you sent me it is talked about as a 'regular' port and not a custom port.

i have managed to make it work as expected with port number 443 (with integration to SAML).

but when im changing it to a custom port on the GP-portal conf and on the azure side i get an error message.

Cyber Elite
Cyber Elite

Hi @n.major ,

 

That is what @vasanth0611 said.  I haven't looked into changing the port on the PANW side, but you can use NAT to do it.

 

Create an outbound destination NAT rule to change the port from 443 to 10443, and it should work.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

maybe i wasn't so clear.
when putting the url of the portal in the webbrowser i get the correct result and i am getting a redirect to the SAML.

on the SAML i get pass the credential part and get a 2FA which i approve.

than my screen is getting loaded, and i get an error message.

"AADSTS700016: Application with identifier 'https://test.com:443/SAML20/SP' was not found in the directory 'test.test'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant"

if you look carefully on the error you can see that it specify port number 443 and not 10443, so my feeling is that there is something wrong in the communication between the pafw and azure's SAML on the last handshake.

so the network side of the configuration seems to work fine. 

Cyber Elite
Cyber Elite

Hi @n.major ,

 

Thank you.  It may be best if we build a ladder diagram of the communication between the NGFW and Azure.

 

  1. NGFW initiates connection to Azure on tcp/1194.
    1. Put the port number in the SAML Server Profile after the domain name and before the 1st / for all 3 URLs (not tested)
    2. Or change the destination port with outbound NAT.
    3. Configure Azure to listen on that port.
    4. Azure replies in the same TCP session.
  2. Azure also authenticates to the public interface of the NGFW.
    1. GP listens on tcp/443.
    2. The ports in the URL I listed should be ":443" configured on the Azure side.

Hi @vasanth0611 , Did you get this working?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Get to correct flow is this:

The user makes an authentication request to the equipment.
The equipment bounces and redirects the user to saml.
The user goes through an authentication and identification procedure with the SAML and receives a Token after successful authentication and identification.
With the identification token, the user returns to the equipment.
The equipment verifies the token against the cloud and allows access.

 

so by this flow and the scenario I’m in, the failure happens when the FW verifies the token against the cloud.

I have the same problem, i think that the fw does not know how to return the authentication request to the changed port and only uses 443

i have not find any solution.
im doing it with the basic 443 port number when using SAML, so if you find a solution please @ me.

Hi Vasanth0611,

I recently encountered this problem, but I don't quite understand the two NAT strategies you mentioned. Could you please explain it in more detail?

  • 3506 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!