Since I have no Active Directory (AD) in my lab, I'll leverage the Captive Portal login for web access on the PAN Firewall. This is a common solution for Wi-Fi hotspots in hotels or coffee shops.

To add a Local User account, go to Device > Local User Database > Users > Add (at the bottom).
Type the user Name (John) > leave the default Mode: Password > type the Password > type it again to Confirm Password > click OK.
I added another user, Name: Sophia.

Configure an Authentication Profile under Device > Authentication Profile > Add.
Type a Name (LOCAL-AUTH-PROFILE-1) > leave the default Type: Local Database.
Leave the other settings at their defaults.
Under the Advanced tab > Allow List > select all > click OK.

Enable User-ID on the Security Zone under Network > Zones > click inside.
Under User Identification ACL > tick Enable User Identification > click OK.

To configure Captive Portal, go to Device > User Identification > Captive Portal Settings > click edit (gear icon).
Tick Enable Captive Portal > under Authentication Profile > select LOCAL-AUTH-PROFILE-1 created earlier > leave the other settings at their defaults > click OK.

Go to Objects > Authentication > tick default-web-form > Clone (at the bottom).
Leave the default Name selected > click OK.
Click default-web-form-1 to edit.
Type a Name (LOCAL-AUTH-WEB-FORM-1) > leave the default Authentication Method: web-form.
Select Authentication Profile: LOCAL-AUTH-PROFILE-1 created earlier.
Optionally type a Message > click OK.

To enable the Captive Portal, go to Policies > Authentication > Add.
Under the General tab > type a Name (WEB-AUTH-POLICY-1).
Under the Source tab > Source Zone > Add > select inside.
Under the Destination tab > Destination Zone > Add > select outside.
Under the Service/URL Category tab > Service > Add > service-https. The service-http is already added by default.
Under the Actions tab > select Authentication Enforcement: LOCAL-AUTH-WEB-FORM-1 created earlier > click OK.

Click Commit.

You'll need an SSL Decryption policy to perform deep packet inspection on HTTPS traffic and enforce User-ID with the Captive Portal: without decryption the firewall cannot inject the portal redirect into an HTTPS session, so only plain HTTP would trigger the login page.
<SSL DECRYPTION BLOG LINK>

I tried to visit Facebook (HTTPS) and got a website security certificate error (PAN Firewall self-signed CA cert). Click Continue to this website (not recommended). In production, install the firewall's Forward Trust CA certificate on the clients so users don't have to click through that warning.

I got redirected to the PAN Firewall Captive Portal. I logged in using the configured local user account (John).

To monitor User-ID, go to Monitor > Logs > Traffic.
Notice the Source User column has the User-ID for john. You can apply a search filter by clicking the specific user > click the green arrow icon.
Click the magnifying glass icon to get a Detailed Log View. Notice under Source > User > john.
You can now apply granular Security policy for a specific User-ID.
You can use the CLI command show user ip-user-mapping ip <ip/sm> to view the User-to-IP mapping on the PAN Firewall. Here's a link for the User-ID cheat sheet commands.

I needed to clear the User-ID mapping for John and log in as Sophia via the Captive Portal.
I logged in as Sophia in the Captive Portal.

Go back to Monitor > Logs > Traffic.
Notice the Source User column now has the User-ID for sophia.
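As a check for the monitoring steps above (viewing the User-to-IP mapping and switching the same client from John to Sophia), here is an added Python example that is not code from the original post. It converts PAN-OS op commands into the XML form the firewall's XML API takes and evaluates a mapping against the user you expect. It assumes the op request shape (type=op&cmd=... on /api/), the CLI-to-XML nesting rule that pan-python's cmd_xml() uses, and the entry fields (ip, vsys, type, user, idle_timeout, timeout) returned by show user ip-user-mapping all; the response it parses is constructed, not captured from a firewall. The clear user-cache ip command it suggests is the CLI way to drop a stale mapping before a different user logs in through the portal.

```python
"""Check PAN-OS captive-portal User-ID mappings over the XML API.

Added example, not code from the original post. Assumptions (see lead-in):
the op request shape, the CLI-to-XML nesting rule, and the <entry> fields of
'show user ip-user-mapping all'. SAMPLE_RESPONSE below is constructed.
"""
import shlex
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape


def cmd_to_xml(cmd: str) -> str:
    """Turn a CLI-style op command into the nested XML the API's cmd= expects.

    Rule (assumed to match pan-python's cmd_xml): every bare word opens an
    element nested inside the previous one; a quoted token becomes the text of
    the element opened by the word before it. <all></all> equals <all/>.
    """
    tokens = shlex.split(cmd, posix=False)  # posix=False keeps the quote marks
    open_tags: List[str] = []
    parts: List[str] = []
    for tok in tokens:
        quoted = len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'"
        if quoted:
            if not open_tags:
                raise ValueError(f"value {tok} has no keyword before it")
            parts.append(escape(tok[1:-1]))
        else:
            parts.append(f"<{tok}>")
            open_tags.append(tok)
    while open_tags:
        parts.append(f"</{open_tags.pop()}>")
    return "".join(parts)


def run_op(host: str, api_key: str, cmd: str, verify_tls: bool = True) -> str:
    """Send an op command to https://<host>/api/ and return the raw XML (needs network)."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_to_xml(cmd), "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab box still serving its self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str        # the "From" column: CP = captive portal, AD, XMLAPI, GP ...
    user: str
    idle_timeout: int  # seconds
    timeout: int       # seconds


def parse_ip_user_mapping(xml_text: str) -> List[Mapping]:
    """Parse the response of 'show user ip-user-mapping all' (field names assumed)."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//msg") or "op command failed")
    out: List[Mapping] = []
    for e in root.findall("./result/entry"):
        out.append(Mapping(
            ip=(e.findtext("ip") or "").strip(),
            vsys=(e.findtext("vsys") or "").strip(),
            source=(e.findtext("type") or "").strip(),
            user=(e.findtext("user") or "").strip(),
            idle_timeout=int(e.findtext("idle_timeout") or 0),
            timeout=int(e.findtext("timeout") or 0),
        ))
    return out


def check_user_mapping(mappings: List[Mapping], client_ip: str,
                       expected_user: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, fix) for one client IP.

    ok           - mapped to expected_user and learned by the captive portal (CP)
    stale        - mapped to someone else (John's old mapping when Sophia should be
                   logged in); fix holds the CLI command that clears it
    wrong-source - right user, but not learned through the portal
    missing      - no mapping: the client has not passed the portal yet
    Usernames are compared case-insensitively (the logs show them lowercased).
    """
    for m in mappings:
        if m.ip == client_ip:
            if m.user.lower() != expected_user.lower():
                return "stale", f'clear user-cache ip "{client_ip}/32"'
            if m.source != "CP":
                return "wrong-source", None
            return "ok", None
    return "missing", None


# Constructed sample (not captured from a firewall): John logged in through the
# portal from 10.1.1.20; a second host was mapped by the XML API.
SAMPLE_RESPONSE = """<response status="success"><result>
<entry><ip>10.1.1.20</ip><vsys>vsys1</vsys><type>CP</type><user>john</user>
<idle_timeout>2700</idle_timeout><timeout>3600</timeout></entry>
<entry><ip>10.1.1.30</ip><vsys>vsys1</vsys><type>XMLAPI</type><user>svc-scanner</user>
<idle_timeout>0</idle_timeout><timeout>0</timeout></entry>
</result></response>"""


if __name__ == "__main__":
    print(cmd_to_xml("show user ip-user-mapping all"))
    maps = parse_ip_user_mapping(SAMPLE_RESPONSE)
    print(check_user_mapping(maps, "10.1.1.20", "John"))    # ('ok', None)
    print(check_user_mapping(maps, "10.1.1.20", "Sophia"))  # ('stale', 'clear user-cache ip "10.1.1.20/32"')
```

Against a live firewall, replace SAMPLE_RESPONSE with run_op(host, api_key, "show user ip-user-mapping all") and, when the verdict is "stale", run the suggested clear user-cache command before the next user opens the portal; otherwise the old mapping keeps matching User-ID-based Security policy until it times out.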