Authenticating GlobalProtect and Prisma Access remote access users against Office365 Azure AD

Captions
Being able to authenticate your GlobalProtect or Prisma Access remote workers against Office 365 is very convenient, as it provides a seamless single sign-on experience to the user, and of course it's great from a security point of view because you can use the integrated two-factor authentication that comes with Office 365, so you don't have to pay extra for it. But of course, in order to authenticate against Office 365 you cannot use classical protocols like LDAP or RADIUS; instead you need SAML. Luckily both Microsoft and Palo Alto Networks have made the integration very simple, and in this video I will show you the configuration end to end, with all the tips and tricks you need to know to make it work.

If this is your first time here: we are Consigas, and we call ourselves the Palo Alto Networks experts because the next-generation firewall is our passion. It's what we do all day, every day: migrating firewalls, providing managed services and, most important, implementing security best practices. When I started to work with these boxes in 2010, nearly nobody knew about Palo Alto Networks, but as an engineer I felt that this solution would change the world of cyber security, and yes, today we know it did, big time, because it's one of the few security solutions that can truly secure your network. However, there's a caveat: you need to set it up in the right way in order to be effective, because while it's awesome, it's not a magic box. So over the years we became a services partner for Palo Alto Networks as well as one of the few elite authorized training centers, and having worked in the field for so many years and being a trainer, I would like to share my experience with you. So over the next couple of weeks and months we will release new videos on core concepts explaining the fundamental workings of the next-generation firewall, so follow us on LinkedIn, YouTube or Twitter to stay up to date. But now let's get started with the authentication of GlobalProtect and Prisma Access remote users against Office 365 Azure AD.

So here in my lab I already have GlobalProtect configured. Here we can see there is a portal, and currently this portal just authenticates against Active Directory via LDAP. What we would like to do now is basically change this LDAP authentication into SAML authentication against Azure AD. The first thing we need to do is set up Azure AD. So we go to portal.azure.com; you do need fairly full admin access to the Azure portal. Then here you go to Azure Active Directory, and here we want to go to Enterprise applications and add a new enterprise application. The beauty here is that Palo Alto Networks has already published predefined applications, and what these applications effectively do is act as a kind of gateway between Office 365 / Azure AD and the firewall. This is the element that makes it very simple. You can see you can use them for Admin UI, so that's basically in order to use your credentials to authenticate against the web UI of the firewall itself; Captive Portal, I guess that's the old captive portal; and GlobalProtect. GlobalProtect is what we want to use, and we use this both for the GlobalProtect configuration on the firewall and, if you have Prisma Access, the same applies as well: for Prisma Access you also use this GlobalProtect one. So we click on this one and we give it a name; I just call this my GlobalProtect lab, and we add this.

Now the very first thing we want to do is, here under Single sign-on, configure SAML. So we click on SAML, and there are really only a couple of steps we need to do. Here we go to Basic SAML Configuration, and what we need to put in here are the identifiers. Now, the identifiers: what are these? This is effectively the GlobalProtect portal and gateway address that you use. The easiest thing is you simply take this sample line, paste it in here and then replace this part with whatever the domain is for your portal. In my case the portal is https:// followed by the IP address of my lab portal, because it's in my lab; of course in a normal production environment you would have your domain, something like xs.mycompany.com or whatever domain you have, and this domain you need to put in here. So again, in my case I just replace this with the IP address.

Now here are two caveats. This pattern here is a sample, and it's misleading in two ways. Number one, it shows you `*.` here, so it kind of suggests that you can use wildcards; unfortunately you cannot, Azure AD does not support any wildcards. This means that you have to enter every single portal and gateway address that you have in your environment. The second caveat is that behind the hostname it is missing the colon and port 443. If you do not have this you will get an error saying that the identifier is not matching. This we need to do for the identifier, and also for the Reply URL, which is more or less the same thing: here again I just copy this one and put it in there, copy this little string and make it the same. So this is now the identifier of my portal; you can see, very simple. The last one we need to enter is the Sign-on URL, and this one, by the way, is not so critical; it's just used for testing, so if you put in something wrong here it doesn't really matter. Whatever you put in here, it's usually the portal address; basically you can only put in one here, whereas above you can put in multiple. So here you would usually just put in the portal address, but again this is not really critical. Good, so now we click Save and this will save the configuration.

One word now for Prisma Access: if you're using Prisma Access, of course you have a lot of different gateways. For Prisma Access on Panorama, what you want to do is go to Panorama, go to your Cloud Services plugin, under Status and then Network Details, Mobile Users. What you see here is basically your portal address as well as all of the gateways. Now again, this is just a demo lab, it only has two gateways; in a production environment for Prisma Access you can have a lot of gateways, all over the world, and the important thing is that you do need to put each one of them into the configuration there. Now of course copy-pasting here can be a bit tiring, so there are two ways you can do this, especially from an updating point of view. You can of course just take these and manually put them in here; you can see whenever you put in one, another entry is created. Or what you can do as well is use this PowerShell script. What I did now is I just copied the portal address and these two gateways, and what I would now have to do is a search and replace in here. For Prisma Access I highly recommend you use this, for the very simple reason that you will probably update this quite often, when you set up a new location or change a location. It's not something you do every day, but from time to time you do this, and if you have a script like this which covers all of the URLs, then it's just updated here, pasted in and done. But again, you can do it both ways, via the GUI or via this script, but what I want to do is show this to you.

So let me just paste this in here very quickly, and now just the last one, like this. All of the remaining ones we just delete. Pasting these in is pretty simple: you just copy this from your editor, then you go back to Azure AD and log on to the Cloud Shell here. The important thing is that when the Cloud Shell loads there are two different shells, Bash and PowerShell; just make sure you have PowerShell selected, so if it says Bash, change to PowerShell. Then you wait, it authenticates directly with your user, and you just paste in this little script. Of course, validate that it doesn't show you any error. Now you can see I had an error: object ID didn't match. So what did I do wrong? In the script, and this is important, you have your search string for your application. Here you can see "GP SAML app"; what you need to do is go into Properties, and whatever name you have chosen for your app, this is actually what you need to put in here, like this. So let me copy and paste this one again and repeat, and it's done. Very simple. Now if we go back into Single sign-on we see the identifiers are still my IP address, but when I click on Edit you can see it did update; it's just the GUI that needs a bit of time to update the settings.

One word of precaution here: this script, I would say, is not an add, it's really a replace. You can see in here that all of the identifiers, the IP-address identifier I put in previously, were actually removed. That's why, if you want to use this PowerShell script, always have the script ready, always customize the script and just paste in the script when you're updating it. Again, especially with Prisma Access, where you have loads of gateways, this script is very handy.

Now in my case let me delete them again and put my IP address in again so that it works for my lab scenario, and let's save this. Now, from a configuration point of view on Azure AD we're actually already done. This is it; you can see this is really, really simple. The only other thing that you need to consider is here under Users and groups, which defines who actually has access to the application. If you have the most basic Office 365 subscription you have access to Azure AD and you can do everything that I showed you; a limitation that you have is you cannot use groups, so you have to add individual users here. If you do have additional licenses for Azure AD, then you can also add groups here. In my case I just have a test account, so all I do is add my user. This basically says this user can use this app, and effectively only this user can now authenticate using this application.

Now from a configuration point of view, we log into our firewall and configure the SAML part. Let's have a quick look at this: you click here on Device, then under Server Profiles you have SAML Identity Provider, where you would be adding the server profile for SAML. Here you can see it's kind of intended for Azure AD, and it all looks a little bit complicated with loads of stuff where we might not be sure what exactly to put in. Luckily we don't need all of this. The only thing you need to do is go back to Azure AD, and here you can see Federation Metadata XML; this is what you are going to download. That's an XML file which includes all of the configuration details. So now I just go back, I say Import, I choose this XML file, and I put in a profile name; I just call this Azure AD. And for now what we need to do is also this over here, Validate Identity Provider Certificate: this is something I will show you later on, how we are going to re-enable this validation; for now we're going to disable it. This now did two things: first of all it created this profile and put in all of the URLs that we need, so that's cool, and the second thing, here under Certificates, is that it also imported this certificate. So that's the basic configuration.

Now the only thing we want to do is configure an authentication profile, or actually in my case I'm going to be lazy and just use the existing authentication profile, which is called Active Directory, and rename it. So this is what was called Active Directory; I rename this to Azure AD, I change the type to SAML and I choose my SAML profile here. For Username we just put in "user". This username attribute refers basically to the username: when the user authenticates, this is the User Principal Name, the UPN, so that's basically the email address that you use to log on to Office 365, and this is then brought back to the firewall as the username. So that's the field we want to copy and put in here, saying this should be the username. Anything else we don't need to change. Two-factor authentication, that's something you do not need here: if you want to do two-factor authentication with Azure AD, you set up two-factor authentication on Azure AD. This option is basically if you want to do SAML two-factor authentication with another SAML provider; in the case of Azure AD and Office 365 you do not need this. And here under Advanced you see "all users", so that's fine.

Now this authentication profile of course automatically applies to my portal and my gateways; let's just validate this. If I go into the portal, under Authentication, I can see this is now Azure AD, because I just renamed it and this automatically populates everywhere, and then we have it here on our gateway authentication as well, which defines Azure AD. Again, for the portal and the gateway this is very simple: it's just the authentication method, it doesn't really care what it is, you just apply the authentication profile and this is then what the firewall is using. Now if you use Prisma Access it's pretty much the same thing; the only big difference is that you do exactly the same steps in your Mobile Users template. In your Mobile Users template you go into SAML, you import this, everything that I showed you is very much the same, you just do it in your Mobile Users template, which will then push this configuration out to all of the mobile user gateways of Prisma Access. Good, and you can see it's very simple; this is really it. So what I do now is commit this configuration, and now that the configuration is committed, let's connect to our portal. I'm going to connect to the portal at my lab IP address. Just be sure, if you want to connect to the GlobalProtect portal in a browser, that here in the general settings you have the portal login page set to factory default, and not disabled. The best practice that we always recommend is that you set this to disabled, so that you do not use this portal page, because the only function it has is to distribute the installer, and with this you are exposing the web interface of the firewall to the internet, which is not really a good thing. So again, best practice is to always disable this, but for testing it's always a good thing to enable it, to check your configuration before you then check it with any of the clients.

So I have this enabled and I log in here now, and what you see is: whoosh, it logged me straight in; it didn't even ask me for a username and password. Now why is this? Well, of course here in my Chrome I'm already logged in to Azure AD; this means the Chrome browser already has an authentication token for Azure AD. So there you can see the power of this; from a user experience point of view it's very nice. Still, to show you this again, let me do the same from a different browser. In this case now I'm using Internet Explorer. Here in my lab, with this Azure account, I'm not logged in to my lab machine. If you had a user who has, let's say, Windows 10 and is authenticated with his Azure AD account against Windows 10, then again the single sign-on would kick in here as well, and if there's a valid token it would log in right away. In my case now, because I'm not logged in on this lab machine, it will actually ask me for a username and password. So now see what happened: I basically logged in to my portal IP address and it redirected me to Azure AD, to the login prompt of Office 365. This is really, I think, another very nice feature here: the authentication really happens against Office 365, and this is quite powerful, because now the user experience is exactly the same as users are already used to with all of the other Office 365 applications they use. So here now I'm logging in with my username; in my case I do have two-factor authentication set up, one second, so now I'm getting a prompt on my phone to confirm this; this was a push notification. Let's say yes, and boom, it logs me in. So now here you can see I'm again connected to my GlobalProtect portal, but now I'm authenticated against Azure AD. You can see: very straightforward, very powerful.

Good, now let's test this with our GlobalProtect client. Here I have the client already installed and I log in; you can see straight away it detected that I'm internal, and now I'm actually getting the authentication prompt again. Here again something interesting happened: we see the window from GlobalProtect, but what really happens in the background is that this is effectively a browser that goes back to Office 365. Why is this important? We had cases, for instance with very old Windows 7 machines that had some old Internet Explorer on them which didn't support TLS 1.1 or 1.2, where this window just stayed white, because the browser was not working; effectively GlobalProtect is just pulling in Internet Explorer in the background to show this page. So be careful with very old machines, and that's why I always like to test this with the portal in the browser, to see that the client actually supports this. So again I'm authenticating here. Now, again, if this were Windows 10 and I had my Office 365 account already added to the operating system, then the operating system would already have an authentication token and all of this would be seamless; it wouldn't even ask me for any authentication. So now I'm authenticated, and now I'm getting an error message. This is something important; I wanted to show you this on purpose. What it says here, and it's a very common issue that you might run into, is that the application identifier was not found. So what is this? That's the string; let me just copy this. If we go back here into our Azure AD, we had our identifiers here, and this is effectively that one. What this basically says is that none of the identifiers that you put in here matches against the identifier that we have. And you can actually see it overrode these settings again with the old ones, so what I need to do now is obviously put this in here. You can see the script interfered again; it's probably not a good idea to use both the script and the GUI, you should settle for one. So in my case let me put this in again.

Now why did it show me this identifier? The reason is simple: I have an internal gateway, and this is now actually my internal gateway, and I'm trying to authenticate against my internal gateway; this is why it showed me this message. Let me show you so you can picture this. Here on my firewall I have an external and an internal gateway configured on GlobalProtect. The client is currently inside the network, which we can see based on the little house symbol, so it always tries to authenticate against this internal gateway, and of course this one has a different domain. And again, whatever you put in there, in my case I put in the IP address, be sure that you put in whatever you have configured as the DNS name in the certificate. So if you look here on the gateway at the authentication, there's a profile applied; you can see here I'm using the GP internal gateway certificate. What you have to put in is always the common name of this certificate. In my case, because it's a lab, I'm just using IP addresses, that's why my CN is the IP address; in a normal production environment this would be a domain name, so just be aware of this. Good, so after this is now put in, I'm saving my configuration and now we're going to try this again. You can see it connects right away without asking me for username and password.

Now if you want to validate this, you can also go here on the firewall into the system log. By the way, for troubleshooting any problems with GlobalProtect, and the same for Prisma Access, your system log is really your best friend. What we can see here is that I authenticated with the client, I was redirected to Office 365, I got authenticated, and I can see here that the user was successfully authenticated. So all good, perfect.

Now one last consideration that is really important: if you go into the portal, usually what you would do in your settings is define selection criteria like, for instance, a group membership, so basically saying this user is part of that group. What you can actually see when you look into the traffic log is that my IP address is now coming up with my email address, and that's of course what I'm using to authenticate, and what this is really called is the UPN, the User Principal Name. Now usually when you authenticate against the firewall it shows the sAMAccountName, the NetBIOS name from Active Directory. So here is one very important consideration: we also have to make sure that all of our group mapping works, group mapping for the matching in the GlobalProtect portal and gateway settings as well as the group mapping in your security policies. What you have to make sure of is that you've also configured group mapping properly. Usually you don't have to do any changes, because if you look into your group mapping settings, what you see is that here under User Attributes it also does a lookup on the User Principal Name, the UPN, and this email address format that was in the username there, that's the UPN. Now in my lab case here, my lab has an Active Directory, but this Active Directory in the lab is of course not synchronized to my Azure AD; this is why group mapping in my case here in the lab does not work. However, if you have this properly configured like this, then it will do the proper mapping back and your group mapping will also work. One word of precaution is that when you add a new group mapping configuration it populates this based on the fact that you have chosen that your server profile is Active Directory. If you have a very old group mapping configuration, an old LDAP group mapping configuration, then in here you might only see sAMAccountName, simply because this mapping of User Principal Name, email address and UPN is something that was only added in recent releases. If your firewall is a couple of years old you might have a group mapping setting here that does not have this; then you can just put this in here: sAMAccountName for the primary username, mail for email, and userPrincipalName for user principal name, and then your group mapping works too.

Now one last step that we need in our configuration is that we want to properly authenticate Azure AD on the firewall. Previously here in our SAML server profile we had this option, Validate Identity Provider Certificate. This is something that is very important from a security point of view, that we are doing this. However, if I just click this, say OK and commit my configuration, then you can see we're getting an error saying that Validate Identity Provider Certificate is checked but no certificate profile is provided. So what does this mean? It means that here in our authentication profile, where we basically say Azure AD, we need to choose a certificate profile that authenticates this certificate. What is the problem with this? In a certificate profile we always need to define a CA, a certificate authority, to validate the certificate; however, if we look at this certificate that was automatically imported from Azure AD, remember when we imported the XML it automatically imported the certificate, this one is not signed by a CA; it's a self-signed certificate. So while it is easy and simple, it does create a problem from a security point of view. So now I want to show you how to properly configure this. What you need to do is import a proper certificate into Azure AD. You have two ways to do this: one is, if you have an enterprise PKI infrastructure with a proper CA that's properly managed, just go to your CA admin and ask him to generate a web server certificate for the firewall, which you can use and also import into Azure AD. That's one way of doing it; the other way is that you can also do this locally on the firewall. On the firewall we again also need a CA and then, out of this CA, generate a certificate. I already have a CA here, so I could use this test CA that I have already used locally on the firewall to generate my certificates for the firewall management, the internal gateway and the external portal for GlobalProtect. However, just so that you can see this, I will generate a dedicated CA just for this purpose, so you can see how this is done.

So I call this now my Azure AD SAML CA. The common name you can put in whatever you like; I just put in the same name. Very important: you need to mark this as a Certificate Authority, otherwise it would basically be created as a certificate rather than a certificate-signing certificate. Now here one important thing you can see is the expiration in days; by default it's just one year, and one year is probably a little bit short, so you might want to increase this to something like three years. So in my case I'm going to put in 1094, that's about three years. Certificate attributes you can put in of course, but they are optional. Good, now we're going to generate the CA certificate. You can see I generated the CA; this is a CA and it has the private key. Now I'm generating the certificate that I want to use for my SAML authentication, so I'm going to call this Azure AD SAML Auth, and here I put in a proper common name, something .local. Now, very important, I'm signing the certificate with the CA that I just created. Here again, expiration in days, the same thing applies: you want to put in two or three years at least so you don't have to regenerate this every year. And very important as well: you have to import the certificate into Azure AD, and this means they only support RSA and they only support digests up to SHA-256, so do not increase this; stay with the default settings. Good, so now I'm generating this.

Now I want to export it as well, and this is important: when you export a certificate you need to export it including the private key. The format is actually PKCS12; that's the format you want to choose, and you have to put in a password. So we export the certificate, and when you export this as PKCS12 it automatically exports both the public and the private key. This is important, we do need the private key on Azure AD. So we export this and just save it there. Now we want to prepare and update our configuration on the firewall as well. First of all, here on the SAML identity provider we want to change the certificate; this was the default one that was imported with the XML, and we're going to change this to the one we just created, so Azure AD SAML Auth, the SAML certificate. That's the first thing, and the second is, of course, make sure, I did this already previously, but make sure you enable Validate Identity Provider Certificate here. That's important. And the last thing on the firewall is that here in the authentication profile I now create a certificate profile. What does this do? With the certificate profile I'm choosing the CA that validates the certificate, so basically the certificate that has signed my auth certificate is what I need to choose here; in my case that's Azure AD SAML CA. With this the firewall can validate that yes, this CA signed the certificate, which validates the authentication. So again, the profile, I just call this again Azure AD SAML CA. Here of course you want to enable all of the block options. Of course, if you have a proper corporate CA, what you would do is import the root CA from your corporate CA and then also configure a certificate profile where you basically reference your corporate PKI infrastructure, and if the PKI infrastructure has proper CRL and OCSP set up, of course you can also enable CRL and OCSP. Good, so this is a good profile; now I apply it here. That's all we need to do now on our firewall, so I commit my configuration.

Now that it's committed, basically my firewall validates the certificate that Azure AD presents to us. Of course we haven't done anything on Azure AD yet, so now if we try to re-authenticate, let me open up a new private window, then you basically get the "authentication failed" message, because authentication is actually not working. Good, that's a good way to validate that the change was actually working and properly validating; of course this message is a message from the firewall showing an authentication error. Good, so now let's actually import the certificate into Azure AD. What we want to do is, down here on the SAML Signing Certificate, we want to edit this configuration. You can see this is the existing certificate that was provided automatically; now here we want to import our certificate that we created ourselves. You can see it says it wants PFX credentials and PFX format. The format is correct, that's what was exported; it's just the file ending, it's not .pfx, it's .p12. So what you do is you just choose All Files, then we do see the certificate, you put in the password, and again you do not have to change the format of the certificate; it's already in the correct format. Now we import it. We can see we imported this one, still inactive, so now I want to activate this and make it active, yes, and the old one I just delete, and save. So now let's check this again: I'm going to re-authenticate and we can see we're now logged in. So this works. If you want to validate this we can do this as well; we just go here into our system logs, where we can also validate it. What we see is the client was redirected to Office 365, and then here is the important thing: SAML assertion signature is validated against the IdP certificate, and the certificate that we now use is Azure AD SAML Auth, the certificate that we explicitly created. And this is it. You can see the configuration is pretty simple; there are a couple of caveats in there, as usual, but it is pretty simple to configure, and again it's a very powerful way to use Azure AD with your GlobalProtect or Prisma Access.
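As an added example (not code from the video, Consigas or Palo Alto Networks), the Python below builds the Azure AD identifier and reply-URL set for every portal and gateway the way the video describes it and reproduces the caveats the speaker hits: wildcards are rejected, the `:443` the sample omits is added, and an address that was never listed (the internal gateway) fails with the "application identifier not found" outcome until it is added. The `/SAML20/SP` and `/SAML20/SP/ACS` path suffixes, the example.test host names and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed suffixes of the SP Entity ID and assertion consumer URL that a
# GlobalProtect portal/gateway presents to Azure AD (not stated on the page).
SP_SUFFIX = "/SAML20/SP"
ACS_SUFFIX = "/SAML20/SP/ACS"


def _check_host(host: str) -> None:
    """Reject the two things the Azure sample pattern invites you to get wrong."""
    if "*" in host:
        raise ValueError(f"Azure AD does not support wildcard identifiers: {host}")
    if ":" in host or "/" in host:
        raise ValueError(f"give the bare host name only; port and path are added: {host}")


def saml_identifier(host: str) -> str:
    """Entity ID for one portal or gateway, including the ':443' the sample omits."""
    _check_host(host)
    return f"https://{host}:443{SP_SUFFIX}"


def reply_url(host: str) -> str:
    """Reply URL (ACS) for the same host; same host, same port, different path."""
    _check_host(host)
    return f"https://{host}:443{ACS_SUFFIX}"


def build_azure_entries(hosts):
    """Identifier and Reply URL lists for EVERY portal and gateway, internal ones included."""
    return {
        "identifiers": [saml_identifier(h) for h in hosts],
        "reply_urls": [reply_url(h) for h in hosts],
    }


def issuer_sent_by_firewall(host: str, port: int = 443) -> str:
    """Issuer a portal/gateway puts in its AuthnRequest (assumed to be its Entity ID)."""
    return f"https://{host}:{port}{SP_SUFFIX}"


def check_identifier(issuer: str, identifiers):
    """Mimic Azure AD's exact-string lookup and return (ok, message)."""
    if issuer in identifiers:
        return True, "identifier matched"
    hint = " (hint: missing ':443')" if urlsplit(issuer).port is None else ""
    return False, f"application identifier {issuer} was not found{hint}"


def host_matches_certificate(host: str, certificate_cn: str) -> bool:
    """The identifier host must be the CN of the certificate that portal/gateway serves."""
    return host.lower() == certificate_cn.lower()


def lab_scenario():
    """Constructed lab: app configured with portal + external gateway only, as in the video."""
    configured = build_azure_entries(["portal.example.test", "gw-ext.example.test"])
    # Client is inside the network, so it authenticates against the internal gateway.
    internal = issuer_sent_by_firewall("gw-int.example.test")
    ok_before, _ = check_identifier(internal, configured["identifiers"])
    # Fix from the video: add the internal gateway to the identifier list.
    fixed = build_azure_entries(
        ["portal.example.test", "gw-ext.example.test", "gw-int.example.test"]
    )
    ok_after, _ = check_identifier(internal, fixed["identifiers"])
    return ok_before, ok_after


if __name__ == "__main__":
    print(build_azure_entries(["portal.example.test", "gw-int.example.test"]))
    print(lab_scenario())
```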
Info
Channel: Consigas - Palo Alto Networks Training Channel
Views: 8,012
Keywords: Palo Alto Networks, Training, Next-Generation FireWall
Id: uquhyOc6OZg
Length: 40min 7sec (2407 seconds)
Published: Sun Jun 28 2020