Configure Active Directory authentication (User-ID) in the Palo Alto

Captions
In this video we're going to talk about how to configure Active Directory authentication, or User-ID, on the Palo Alto firewall. This can be used for a lot of situations. For instance, when you see event logs on the Palo Alto, by having User-ID enabled you're able to track which user accessed certain websites or applications, as opposed to just simply an IP address.

Now, there are a lot of steps that are necessary here for this to work properly. The first step that I'm going to do is configure what's called the service route. The service route is there in order to allow us to specify which interface of the Palo Alto we want it to use to be able to perform the Active Directory authentication on. By default it will try to use the management interface, but this is not always the best option. The next item that we're going to do is configure the zone to enable User-ID, or UID, here; that's just to specify which zones we want to enable User-ID on, as opposed to the other zones. Then we will configure an LDAP server profile, which will point to our Active Directory domain controller, and then we will configure User-ID group mappings to specify which groups we want to include in our mapping, or our Active Directory authentication. And then lastly we will configure the firewall agent. So there are a lot of steps here in order to get this going, so let's jump on in.

Like I said, the very first step we're going to do here is configure the service route. If we look at our network diagram, in my network both the management network and this network right here are the same; however, that's not the case in most cases. What I want is for all of my Active Directory authentication to go out that interface, so I picked this guy right here, which just happens to be ethernet1/2, to be my destination for that. So we jump into our Palo Alto here, and let me zoom in just a little bit. I want to configure the service route configuration, and so that is under Device, Setup, Services, and then Service Route Configuration. By default it says use the management interface for all of them. I want to customize this and change that for a couple of different protocols. So I'm going to specify LDAP; I want to change the source interface from the default down to ethernet1/2, and I can see the IP address associated with it, so OK. And then I also want to change the UID Agent right down here, again to ethernet1/2, and OK. So now everything will be going out that interface. Let me actually commit that, just to confirm that all the traffic going through that interface is working.

All right, so the next step I want to do is configure User-ID on the zone. This is on the network zone, so that's going to be under Network, and then on the left-hand side we choose Zones and we choose the zone that we want to enable User-ID on, or that we want to perform User-ID authentication on. That's going to be my inside zone. Enabling it is really easy: just come up here and check the checkbox right here. Normally you will be configuring this on your inside zones, but there may be a situation where you want to configure it on your outside zone; your situation may differ.

All right, now we need to configure the LDAP server profile. The LDAP server is under Device; on the left-hand side, if we scroll on down here, we see a section called Server Profiles, and one of them is called LDAP. This is where we actually start configuring our domain controllers. So I'll go ahead and add. Profile name: I'm just going to call this lab.local, since that's the name of my domain. And then the server list: I will add and say this will be DC1 of my domain, and the IP address (IP or FQDN) 192.168.1.20. Server settings: the type is Active Directory. The base DN is going to be DC=lab,DC=local; you may need to research exactly how to write those. It's DC equals, DC equals, yeah. And then the bind DN is the user who is logging in here; this is going to be in the UPN format, so it's going to be lab-user-id, the user ID I created for this, at lab.local, and our password.

Last thing I want to do is right up here: I see that this is trying to run on port 389, which is standard LDAP, but then down here it has a checkbox that says Require SSL, which is not port 389; that's actually, I want to say, 636. I may be correct, I may be incorrect, 3380, something like that. So I'm going to uncheck this and say OK. And just to confirm, I'm going to go back in, and at this point, where it says the base DN, I should be able to click this drop-down and it should pre-populate for me. You can see here how it's already put in DC=lab,DC=local, except this time the DCs are capitalized; that's just the proper way that Active Directory does it. So I'm going to choose that, just because it looks prettier, and then say OK and commit in order to save that.

Next thing I want to do, now that I have my Active Directory profile, is configure my group mapping, or specify which groups I want to map in my Palo Alto. Still on the Device tab, on the left-hand side we scroll up to see User Identification, and then in all these tabs we move all the way over to the right and there's a Group Mapping section. Again I will click Add; I'll just go ahead and call this lab.local, sure. Server profile: go ahead and specify the profile we just created. And then the group include list: if we did this correctly, when I click the little arrow here on the left-hand side it should branch open and start showing me all the OUs and all the users. I'm going to go ahead and just specify Domain Users and then click the plus in order to move it over to the included groups. Now the group mapping here is basically saying everybody who's in this group will be included in the mapping process. I'm just going to blatantly say Domain Users so you get everybody that I am concerned with for the time being. There are reasons why you would want to change that, which we'll talk about later in another video.

So now that I've got the group mapping, we need to configure the firewall agent. The way the Palo Alto works is it actually logs in to the domain controller, or to the LDAP servers, and starts looking through its event logs and other history in order to see who is where on which IP. So we need to configure that, and that's under the User Mapping sub-tab here, still under User Identification. User Mapping, and here we see the User-ID Agent Setup. So click the gear icon, and here we start off by specifying the user name. This can be the same user as what we did with the LDAP server profile, except this time it's in domain\user format, so for instance lab.local\lab-user-id, and then again the password. All right, next thing we want is Server Monitor, and we want to enable the security log. So this will actually log into the Windows server and it will look through the security log to see when people have logged in on which devices. Client probing: this will try to probe the clients to see who's logged in; we'll leave that disabled. And then cache timeout: if you're running DHCP, you want to enable User-ID timeout, so that when an IP address changes on a device this will time out on its own and then be reset later. If you're not running DHCP you could uncheck that. And OK.

All right, so now that we've set this up to be able to log into the domain controllers, we still need to tell it which domain controllers to log into. So if we scroll down just a little bit we see a Server Monitoring section. We'll click Add, and here we specify our server that we want to log into: specify DC1, 192.168.1.20, OK, and commit. If you have multiple DCs in your environment, for that server monitoring you would want to include all of them, so that it will monitor all of them and make sure that it captures all the logins for all the users. When this finishes, what we're looking for here is that the status over here on the right for server monitoring should change to "connected". Connected. So I'm going to go ahead and log off, and I'm logging off specifically because the login is what helps trigger the mapping between the user and the password, or the user and the IP address. So I've logged off, I've logged back in, just opened up a web browser, and I will log back into the Palo Alto, and while we're at it let's go ahead and just go to google.com, just to generate some traffic.

All right, so now that we've gone ahead and set up Active Directory authentication, or User-ID, and I've logged off and logged back in, I generated some traffic over here by clicking on Google. Now we should be able, on the firewall, to click on the Monitor tab, and our traffic should be mapped to a user ID. I do have a filter in here saying, hey, look specifically at this machine, and we can see right here lab\lab-user is the one who's initiating this traffic. I just logged in as lab-user, and so we can see, yes, I was actually the person initiating this traffic. So there you go. Now I can look through my event logs and see exactly what's been happening. If I see an issue happening in my environment, instead of trying to track down which IP address it might be, I can now use the username in order to track down which user was affected and then more effectively resolve their issues.
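As an added example (not from the video, and not Palo Alto Networks' own code), the Python below models what the server-monitoring step in the transcript does: it reads successful logon events (Windows Security log Event ID 4624) from a domain controller and keeps a table of which user is on which IP, with a cache timeout like the one the video enables for DHCP networks. It also shows the gotcha that the video hints at when it says there are reasons not to map everybody: a service account doing a network logon from a user's workstation would otherwise overwrite that user's mapping, so an ignore list is applied. The log format, event records, user names, addresses, the 45-minute timeout and the ignore list are all constructed assumptions; the real PAN-OS agent does not expose this logic and its internal fields are not reproduced here.

```python
"""Model of User-ID server monitoring: Security-log logons -> user/IP table.

Added example, not code from the video or from Palo Alto Networks. The input
is a constructed comma-separated export of Security log fields:
    TimeCreated,EventID,TargetUserName,TargetDomainName,LogonType,IpAddress
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass
class LogonEvent:
    time: datetime
    event_id: int
    user: str        # TargetUserName
    domain: str      # TargetDomainName (NetBIOS or DNS form)
    logon_type: int
    ip: str          # IpAddress ("-" when Windows recorded none)


@dataclass
class Mapping:
    user: str        # normalised to domain\user, as the Monitor tab shows it
    ip: str
    seen: datetime   # time of the logon that produced this mapping


# Logon types that place a human at a given IP: interactive (2), network (3),
# remote interactive (10), cached interactive (11). Assumption for this model.
USEFUL_LOGON_TYPES = {2, 3, 10, 11}
# Addresses that carry no information about where the user is.
USELESS_IPS = {"-", "", "::1", "127.0.0.1"}


def normalise_user(domain: str, user: str) -> str:
    """'LAB' or 'lab.local' + 'lab-user' -> 'lab\\lab-user'."""
    return f"{domain.split('.')[0].lower()}\\{user.lower()}"


class UserIdTable:
    """Latest logon on an IP wins; entries expire after `timeout`."""

    def __init__(self, timeout: timedelta, ignore_users: Iterable[str] = ()):
        self.timeout = timeout
        self.ignore_users = {u.lower() for u in ignore_users}
        self._by_ip: Dict[str, Mapping] = {}

    def ingest(self, ev: LogonEvent) -> Optional[Mapping]:
        """Return the mapping learned from this event, or None if it is ignored."""
        if ev.event_id != 4624:                       # only successful logons
            return None
        if ev.logon_type not in USEFUL_LOGON_TYPES:
            return None
        if ev.ip in USELESS_IPS:
            return None
        if ev.user.endswith("$"):                     # computer accounts
            return None
        if ev.user.upper() in {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE"}:
            return None
        if ev.user.lower() in self.ignore_users:      # e.g. service accounts
            return None
        mapping = Mapping(normalise_user(ev.domain, ev.user), ev.ip, ev.time)
        self._by_ip[ev.ip] = mapping                  # newest logon on an IP wins
        return mapping

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """User currently mapped to `ip`, dropping the entry if it has timed out."""
        mapping = self._by_ip.get(ip)
        if mapping is None:
            return None
        if now - mapping.seen > self.timeout:
            del self._by_ip[ip]
            return None
        return mapping.user


def parse_security_log(text: str) -> List[LogonEvent]:
    """Parse the constructed CSV export described in the module docstring."""
    events = []
    for line in text.strip().splitlines():
        t, eid, user, domain, ltype, ip = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(t), int(eid), user,
                                 domain, int(ltype), ip))
    return events


def build_table(text: str, timeout: timedelta,
                ignore_users: Iterable[str] = ()) -> UserIdTable:
    table = UserIdTable(timeout, ignore_users)
    for ev in parse_security_log(text):
        table.ingest(ev)
    return table


def whose_ip(text: str, ip: str, at_iso: str, ignore_users: Iterable[str] = (),
             timeout_minutes: int = 45) -> Optional[str]:
    """Convenience wrapper: who was on `ip` at time `at_iso` (ISO 8601)?"""
    table = build_table(text, timedelta(minutes=timeout_minutes), ignore_users)
    return table.lookup(ip, datetime.fromisoformat(at_iso))


# Constructed sample export; not real log data.
SAMPLE_SECURITY_LOG = """\
2020-06-11T09:00:00,4624,DC1$,LAB,3,-
2020-06-11T09:01:00,4624,lab-user,LAB,2,192.168.1.50
2020-06-11T09:02:00,4624,svc-backup,LAB,3,192.168.1.50
2020-06-11T09:05:00,4625,attacker,LAB,3,192.168.1.99
2020-06-11T09:10:00,4624,ANONYMOUS LOGON,NT AUTHORITY,3,192.168.1.60
2020-06-11T09:12:00,4624,alice,lab.local,10,192.168.1.60
"""

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.60", "192.168.1.99"):
        print(ip, "->", whose_ip(SAMPLE_SECURITY_LOG, ip, "2020-06-11T09:15:00",
                                 ignore_users={"svc-backup"}))
```

Run as a script it prints the user behind each sample IP at 09:15. Remove `svc-backup` from the ignore list and 192.168.1.50 is reported as the service account instead of lab-user, which is exactly the mis-attribution a broad group mapping plus server monitoring can produce; query the same IP an hour later and the mapping has expired, which is the cache-timeout behaviour the video turns on for DHCP clients.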
Info
Channel: Ed Goad
Views: 6,669
Rating: 4.8461537 out of 5
Id: l1NBjzYAmZk
Length: 12min 38sec (758 seconds)
Published: Thu Jun 11 2020