Palo Alto - Zero Trust in Practice

INTERSECT '23: Network Security Summit: Hands On Lab to get hands-on experience with Palo Alto’s Zero Trust for identity solution

Objectives

  • Activity 1: Explore Cloud Identity Engine (CIE) Directory Sync feature

  • Activity 2: Configure Palo Alto firewall to sync cloud directory information from CIE

  • Activity 3: Create a user-id based Security policy

  • Activity 4: Review CIE’s Cloud Authentication Service

  • Activity 5: Setup Palo Alto Firewall for Cloud Authentication Service

  • Activity 6: Create Authentication Policy rules and Test Authentication

  • Activity 7: Restrict user access via Security policy

  • Activity 8: Enable forward proxy Decryption

  • Activity 9: Add Threat Prevention, URL filtering and Wildfire

  • Activity 10: Learn about AIOps

Lab Topology Diagram

  • The dotted lines represent OOB (out of band) management traffic.

  • Windows and Linux client machines are configured to use VM series firewall (ETH1/2) as the default gateway. All outgoing traffic from these machines, except RDP and SSH, will flow through the VM-series firewall.

  • Windows and Linux client machines can only be managed via the windows jump server.

  • The Palo Alto Networks VM series firewall has a public IP address configured on its management interface. It can be accessed using its public IP address directly from your laptop's browser or Windows jump server.

  • VM-series firewall will connect to the Cloud Identity engine using the Internet via its Mgmt interface.

  • The Windows and Linux client can only reach the Internet using NAT policy pre-configured on the firewall using ethernet 1/1.

  • The Cloud Identity Engine instance is shared between all users of this lab, please do not make any changes to its configuration.

Jumpserver | Branch1 RDP | VM-series Firewall
VM-series Firewall
Cloud Identity Engine (CIE) Login
Okta Sign-In
Cloud Identity Engine (CIE)

Explore Cloud Identity Engine (CIE) Directory Sync feature

  • Learn about CIE Directory Sync feature

  • Get familiar with CIE user interface

  • Explore existing cloud directories that are integrated with CIE

Reviewing pre-configured Okta and Azure Directories.

Directories
Click on Users for Okta
Okta directory to see details of all user accounts learned from Okta directory
Click on Groups for SCIM
Groups
Group / employee
Attributes / Okta

Recap - This activity explored the Okta and Microsoft Azure AD directories in the Cloud Identity Engine (CIE) and how these directories are integrated with CIE along with the different user and group information that is accessible from CIE.

Configure Palo Alto firewall to sync cloud directory information from CIE

  • Associate Cloud Identity Engine with the Palo Alto VM series firewall

  • Enable User Identification capability on the Network Zones

Task 1 - Connect Cloud Identity Engine to the firewall

Navigate to Device -> User Identification -> Cloud Identity Engine -> Add

Select ZeroTrust - Cloud Identity Engine 4, for Domain select panw-zt.oktapreview.com
Map the directory attributes to Primary Username, Email and Alternate Usernames
Map Group attributes
Cloud Identity Engine

Task 2 - Enable user-identification on Network Zones

Enable User-identification in Trust Zone by navigating to Network -> Zones -> Trust

Check “Enable User Identification” and click OK
Commit the configuration on the firewall
Ensure the commit is successful before proceeding
Successful

Create a user-id based Security policy

  • Create a new security policy and utilize the user group learned from Okta directory via CIE

  • Verify that the user-id information with the correct username attribute is downloaded on the firewall

Task 1 - Create a new security policy

On the firewall, navigate to Policies -> Security -> Click Add to create a new policy rule

Create a security policy rule to allow all traffic from any source zone, source user-group panw-zt.oktapreview.com\zt-group to any destination

Input general information for the rule
Check Any for source zone and Add source user panw-zt.oktapreview.com\zt-group
Check Any for destination zone
In the Actions sections ensure that the Action is set to "Allow" and press OK to save the policy
Commit the configuration on the firewall

Task 2 - Verify the user and group information from CLI

From the Windows jump server, use Putty to open a new SSH connection to the firewall. Use the public IP address of the firewall to create an ssh session.

Verify that the Okta group panw-zt.oktapreview.com\zt-group is programmed on the firewall & display all the users that are of Okta group zt-group:

Verify all the users that Cloud Identity engine learned from Okta group zt-group are shown.

In the cloud identity Engine go to Directories -> Under Okta directory click group number to see Okta groups:

Click on the details button to see the group information including the members of the group and match it with the users learnt on the firewall:

Display the directory attributes that are used for primary username, email and Alt UserNames.

Recap - This activity demonstrated how to create a security policy that applies to user-group zt-group from the Okta Directory service to then confirm from the firewall's CLI that the firewall correctly pulled all the group and user information from Cloud Identity engine.

Review CIE’s Cloud Authentication Service

  • Learn about Cloud Identity Engine’s Cloud Authentication Service

  • Review the pre-configured Identity provider configuration in Cloud Identity engine

The Cloud Authentication Service uses a cloud-based service to provide user authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to authenticate, the authentication request is redirected to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the user and applies the security policy.

You can configure most SAML 2.0-based identity providers (IdPs) in the Cloud Identity Engine to authenticate your users. Currently the following IdPs are supported:

  • Azure AD

  • Okta

  • PingOne

  • PingFederate

  • Google

In CIE, click on Authentication Types and review the two pre-configured authentication types created for Okta and Azure AD

Demo: Adding Okta as an IDP in CIE

Configure Okta as an IdP in the Cloud Identity Engine

Authentication profile redirects users behind the firewall to the correct authentication type. On CIE, click on Authentication Profiles to see the two profiles created, one for each Authentication type. These Authentication profiles will be referenced from the firewall in the next section of the lab

Recap - This activity shows CIE’s Cloud Authentication Service feature. You saw a demo of how it is configured and reviewed the existing configuration.

Setup Palo Alto Firewall for Cloud Authentication Service

  • Create Authentication Profile to authenticate users against Okta IDP via Cloud Identity Engine

  • Configure Authentication Portal to use Authentication profile and redirect users for authentication

  • Create a new Authentication Enforcement Object and tie that with the Authentication profile

Task 1 - Create a new Authentication profile

Log-in to firewall and navigate to Device -> Authentication Profile and Click Add to create a new Authentication Profile.

Create an Authentication profile
Click Add under Allow list and select 'all'

Task 2 - Modify the Authentication Portal setting to use Authentication profile

Navigate to Device -> User Identification -> Authentication Portal settings and click on the gear icon ⚙ to modify the settings

Modify the following Authentication Portal settings:

  • Set the authentication profile to Okta-Authprofile that was created in Task 1.

  • Set the mode to redirect.

  • Set Redirect host ip as 10.101.0.100. This will ensure that the incoming requests on Eth1/2 (Trust Interface) will be redirected for Authentication based on the Authentication profile.

Task 3 - Create an Authentication Object

The Authentication Enforcement object uses the Authentication profile to redirect users to log-in using their authentication type. It ties Authentication policy to the Authentication profile.

Navigate to Objects -> Authentication and Click Add

Configure the Authentication Enforcement

Commit configuration changes on the firewall and wait for completion:

Recap -This activity demonstrated how to create the authentication profile, modified authentication portal settings and created an Authentication Enforcement object. This configuration is necessary for completing the cloud authentication service setup.

Create Authentication Policy rules and Test Authentication

  • Review URL Category object that is utilized in the authentication policy rule

  • Create authentication policy rule that allows users to bypass authentication when trying to reach the Identity Provider’s sign-in web applications

  • Create Authentication Policy rule to require users to authenticate before accessing web traffic

  • Test Authentication Policies from Windows client

  • Verify user-to-ip mapping on firewall using SSH

Task 1 - Review the URL Category object created to whitelist Microsoft and Okta SSO URLs

It is important to ensure that prior to valid authentication, the user is allowed to access Identity provider’s URLs that are necessary for authentication. If these URLs are blocked then the user will not be able to complete the sign-in process with the IDP and consequently won’t be able to access the network.

auth_whitelist is pre-configured and contains all the URLs necessary to complete authentication with Microsoft Azure AD and Okta. Review the URLs by navigating to Objects -> Custom Objects -> URL Category -> auth_whitelist. No configuration changes are required in this step.

Task 2 - Create Authentication Policy rule to bypass authentication for Identity provider’s authentication URLs

Navigate to Policies -> Authentication and Click Add

Configure a new Authentication Policy Rule
Select ‘Any’ for Source
Select ‘Any’ for Destination Zones
Add service-https under Service and 'auth_whitelist' under URL Category
Under Actions, set Authentication Enforcement to default-no-captive-portal and click OK to save the Policy rule

This policy rule will ensure that anytime a user attempts to go to any URLs defined in the auth_whitelist object, the user isn’t redirected.

Task 3 - Create authentication policy rule that enforces authentication for Web traffic and redirects user to the IDP for authentication via CIE

Click Add to create a new policy rule

Configure a new Authentication Policy Rule:

Select Any for Source and Destination Zones

Add service-https under Service/URL Category

Under Actions, set Authentication Enforcement to AuthObj that was create earlier to redirect users to Okta for authentication. Click OK to save the Policy rule.

Commit the configuration on the firewall

Task 4 - Test Authentication Policies from Windows client

RDP into the Branch1-Windows machine

From the Windows client, open up Google chrome in Incognito mode and navigate to www.yahoo.com. You should be redirected to the firewalls Eth1/2 interface (10.101.0.100)

Click Advanced and then Proceed to 10.101.0.100 (unsafe)

Log in to Okta and the user should be redirected to Yahoo’s website on successful authentication.

Task 5 - Review Authentication logs

Back on the firewall navigate to Monitor -> Log -> Authentication and take some time to review the logs and understand the sequence of events.

Notice the Authentication policy rule that's in effect and how it first redirects the user to Cloud Identity Engine which further redirects it to Okta for authentication. The firewall only has to interact with CIE for authentication.

Switch back your Cloud Identity Engine session and click on Log Viewer to see the detailed log for successful authentication attempt.

Task 6 - Verify user-to-ip mapping on firewall using SSH

SSH into the firewall on its public IP address from Windows Jump server or directly from your laptop.

Restrict user access via Security policy

Decryption

Add Threat Prevention, URL filtering and Wildfire

Learn About AIOps

Last updated

Was this helpful?