Friday, November 1, 2019

Palo Alto Networks Firewall User-Identification (User-ID) and Captive Portal

To add a Local User account, go to Device > Local User Database > Users > Add (at the bottom).

Type the user Name (John) > leave the default Mode: Password > type the Password > type again to Confirm Password > click OK.

I added another user Name: Sophia.



Configure an Authentication Profile under Device > Authentication Profile > Add.


Type a Name (LOCAL-AUTH-PROFILE-1) > leave the default Type: Local Database.


Leave the other settings in default.



Under Advanced tab > Allow List > select all > click OK.




Enable the Local User-ID on a Security Zone under Network > Zones > click inside.


Under User Identification ACL > tick Enable User Identification > click OK.



Since I have no Active Directory (AD) in my lab, I'll leverage the Captive Portal login for web access on the PAN Firewall. This is a common solution for Wi-Fi hotspots in a hotel or coffee shop.

To configure Captive Portal, go to Device > User Identification > Captive Portal Settings > click edit (gear icon).
 

Tick Enable Captive Portal > under Authentication Profile > select LOCAL-AUTH-PROFILE-1 created earlier > leave other settings in default > click OK.



Go to Objects > Authentication > tick default-web-form > Clone (at the bottom).


Leave the default Name selected > click OK.


Click default-web-form-1 to edit.


Type a Name (LOCAL-AUTH-WEB-FORM-1) > leave the default Authentication method: web-form.


Select Authentication Profile: LOCAL-AUTH-PROFILE-1 created earlier.


Optionally type a Message > click OK.



To enable the Captive Portal, go to Policies > Authentication > Add.


Under General tab > type a Name (WEB-AUTH-POLICY-1).


Under Source tab > Source Zone > Add > select inside.


Under Destination tab > Destination Zone > Add > select outside.


Under Service/URL Category tab > Service > Add > service-https. The service-http is already added by default.


Under Actions tab > select Authentication Enforcement: LOCAL-AUTH-WEB-FORM-1 created earlier > click OK.


Click Commit.


You'll need an SSL Decryption policy to perform deep packet inspection for HTTPS traffic and enforce the User-ID with Captive Portal.

<SSL DECRYPTION BLOG LINK>

I tried to visit Facebook (HTTPS) and got a website security certificate error (PAN Firewall self-signed CA cert). Click Continue to this website (not recommended).


I got redirected to the PAN Firewall Captive Portal. I logged in using the configured local user account (John).



To monitor User-ID, go to Monitor > Logs > Traffic.

Notice the Source User column has the User-ID for john. You can apply a search filter by clicking the specific user > click the green arrow icon.
 

Click the magnifying glass icon to get a Detailed Log View. Notice under Source > User > john.

You can now apply granular Security policy for a specific User-ID.


You can use the CLI command show user ip-user-mapping ip <ip/sm> to view the User-to-IP mapping on the PAN Firewall. Here's a link for the User-ID cheat sheet commands.

I needed to clear the User-ID for John and log in as Sophia via the Captive Portal.


I logged in as Sophia in the Captive Portal.


To monitor User-ID, go to Monitor > Logs > Traffic.

Notice the Source User column now has the User-ID for sophia.
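To verify the John-to-Sophia switch above without clicking through the Traffic log, the User-to-IP table from the show user ip-user-mapping command can be parsed and checked against the user you expect on a given client IP. This is an added example, not code from the original post or from Palo Alto Networks; the sample output is constructed, and the column layout (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s), with "CP" marking Captive Portal mappings and IdleTimeout counting down in seconds) is an assumption about the CLI's table format.

```python
"""Parse the PAN-OS 'show user ip-user-mapping all' table and check which
user the firewall currently associates with a client IP.

SAMPLE_OUTPUT is constructed for this example; the column layout is assumed
to match the CLI table (IdleTimeout(s) assumed to be remaining seconds).
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
IP              Vsys   From    User      IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------- -------------- -------------
192.168.10.50   vsys1  CP      john      2980           3480
192.168.10.51   vsys1  CP      sophia    3420           3480
Total: 2 users
"""


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str        # "CP" = Captive Portal; agent/API sources use other tags
    user: str
    idle_timeout: int  # seconds left before the mapping is dropped (assumed)
    max_timeout: int


# One data row: four text columns followed by two integer timeout columns.
# Header, separator and "Total:" lines do not end in two integers, so they are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_ip_user_mapping(text: str) -> dict[str, Mapping]:
    """Return {ip: Mapping} for every data row in the CLI output."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, vsys, source, user, idle, mx = m.groups()
            mappings[ip] = Mapping(ip, vsys, source, user, int(idle), int(mx))
    return mappings


def check_expected_user(mappings: dict[str, Mapping], ip: str, expected_user: str) -> bool:
    """True only if the IP is mapped and mapped to expected_user.
    Comparison is case-insensitive because the log shows the login 'John' as 'john'."""
    entry = mappings.get(ip)
    return entry is not None and entry.user.lower() == expected_user.lower()


def stale_mappings(mappings: dict[str, Mapping], threshold_s: int = 300) -> list[str]:
    """IPs whose Captive Portal mapping is about to time out. On a shared hotspot a
    stale mapping means the next device on that IP inherits the previous user's policy."""
    return [m.ip for m in mappings.values() if m.source == "CP" and m.idle_timeout <= threshold_s]
```

The same check applies to the output of show user ip-user-mapping ip <ip/sm>, which prints the same columns for a single address.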



