Palo Alto Firewall Windows User-ID Agent Lab using VMware Workstation

Captions
[Music] Hey guys, welcome to MB Tech Talker. My name is Matt. Yes, I know it's been a while since I've created any new content, but I'm back. In this video I'm going to show you how to configure the Palo Alto Networks User-ID feature on the next-generation firewall using VMware Workstation.

So in my earlier Palo Alto firewall lab using VMware Workstation video, I showed you guys how to set up a next-generation firewall with basic connectivity along with internet access. If you haven't watched that video yet, make sure you do, as this is a prerequisite before attempting this lab. This lab uses the same foundations; however, as I create more videos I will be adding more advanced features along the way.

The purpose of Palo Alto Networks User-ID technology is to identify all users on the network by usernames and user groups, and in turn associate IP addresses with usernames. This improves visibility of application usage based on users rather than just their IP addresses. Usernames and groups can be tied to security policies that ensure users can only have access to applications that are needed for them to perform their day-to-day tasks and applications that have been sanctioned by their organization.

So there are different ways to collect and map user information. For example, we could use the PAN-OS integrated User-ID agent that runs on the firewall, or we could use the Windows-based User-ID agent that runs on a domain member, which collects IP-address-to-username information which is sent to the firewall. Both the Windows-based and PAN-OS integrated agents perform the same basic tasks, but they use different communication protocols, suiting them to different environments. For a deeper dive into the User-ID technology, take a look at the PAN-OS administrator's guide; I'll leave the link down in the description.

In this User-ID lab I'm going to be covering the Windows-based agent, which is a server monitoring mapping method. As you can see in the topology diagram, a new DC security zone has been created. This is where the Active Directory server will reside. Once the next-generation firewall is configured with the lab objectives, the Windows client will be able to communicate from the user zone to the DC zone. The User-ID Windows agent will collect IP-address-to-username information and send it on to the firewall.

These are the lab prerequisites. So we need a Windows 2016 server up and running in VMware Workstation with Active Directory installed. The client machine needs to have access to the internet. A test domain account is required for the next-generation firewall to communicate with the LDAP server. A test service account is required for the Windows User-ID agent.

Now let's go through the lab objectives. So an additional virtual network needs to be created in the VMware network editor; this is for the new DC security zone. The client and server will need to be on separate security zones using different subnets. The Windows client needs to be successfully joined to the Windows domain. User-ID will need to be enabled on the source DC and user zones only, not enabled on the untrust zone. Configure an LDAP server profile to define how the firewall communicates with the LDAP server. Download and install the Windows User-ID agent MSI from support.paloaltonetworks.com. Configure Active Directory group mappings to be used by User-ID. Configure and verify the User-ID agent connectivity. Configure a security policy action based on the source user or group. Verify user traffic traversing the firewall by viewing the firewall logs.

OK, so let's begin by opening the VMware editor. So if you click on the Windows button and then just type in "editor", run it as administrator, click Yes, and what we're going to be doing is adding a new network. So this is going to be virtual network 8; click OK. So I'm not going to be using DHCP, so I'm going to uncheck that, but what I'm going to do is assign a new subnet. Looking at the diagram it was 10.4.4.0, a /24 subnet, and then click Apply and then OK.

Now the next thing we need to do is go into VMware Workstation itself and assign the new virtual network to the firewalls. So let's click on the first firewall and we're going to go into Settings, and as you can see we have got the last network, I think that's for the HA, is VMnet7. So we're just going to add a new network in here: we're going to click on Network Adapter, we're going to assign the new VMnet8 to the firewall there and then click OK. And then let's do the same on firewall 2: go to Add, Network Adapter, Finish, Custom (specific virtual network), and then VMnet8, and then click OK.

Now I don't know if you remember, but if you watched my previous video you know that in order for the Palo Alto to boot up we need to make sure that the virtual adapter, or virtual device, is the right type. So we need to go and edit the VMX file. So you need to go to where your virtual machines are installed; mine is on This PC, Documents, Virtual Machines, and then I'm going to go into the first firewall and I'm looking for the VMX file. I've got Notepad++ installed, so I'm going to edit it with that. So what we're looking for is the new Ethernet 8 interface, which should be in here; I'll have to scroll through and take a look. So we're looking for Ethernet... it's going to be, let's see, that's 7 isn't it, on here, 7. So as you can see, there you go, ethernet7 is assigned to VMnet8. Now we need to make sure that the virtual device, like ethernet4, is set to vmxnet3, so that's the virtual device type. So we need to copy that up and then we need to edit this one, and then paste, and then just save that, and then that's done. And then we need to do the second one. So if we go to the passive firewall and then look for the VMX file again, and we're going to edit that. So it's down at the bottom, so as you can see ethernet7 is assigned to VMnet8, so we're going to change that e1000 virtual device to vmxnet3 and then hit Save, and that's done. So we should be able to boot those firewalls up with no problems now. So I'll do that. So let's power on this one, the primary, first, and then we'll power on the passive. So I'll let those boot up and get back to you in a minute.

OK, so both the firewalls have successfully booted up, so we can log in now to complete the configuration and we can move on with the lab objectives. So let's go into Network, we're going to go into Zones, and what we're going to do is add the new DC, or data center, zone. So it's going to be called DC, and we're going to change that to a Layer 3, we're going to enable user identification, and we're going to click OK. I'm going to make a few changes to the names of the other zones: so "outside" I'm going to change to "untrust", and "inside" is going to be "users", and then I'm just going to leave the rest as they are. And you've got to make sure, so we've got, yeah, Enable User Identification on there; and don't forget to do it on the users zone as well.

And then we need to go into Interfaces, and then we can go to ethernet1/7; this is where VMnet8 has been assigned to. I'm going to change the interface type to Layer 3, and we're going to assign it to virtual router 1, so vr1, and the security zone for this interface is going to be DC. Then click on IPv4 to add the IP address, which is 10.4.4.254/24, and then click on Advanced and we're going to assign an existing management profile so that we can ping from the Windows server, just to test connectivity to the interface, and click OK. So that's that then. So if we commit those changes, then once this is done we should see the interface come up and the links will turn to green, and then we can move on to the Windows 2016 server and check connectivity.

So inside VMware Workstation we're just going to check the settings on the server. So we're going to go into Settings; I'm just going to confirm that the network adapter has been assigned to VMnet8, which it has, so just got to make sure that's correct. So the Active Directory server is going to be within the data center zone, or the DC zone, and the Windows 10 client, or whatever client you're using, should be in the user zone. What we're going to do now is just do a quick ping test, just to confirm we've got connectivity to the firewall. So let's just ping 10.4.4.254, and there we go, that's good. So that means our configuration so far is good and we are happy. We can now go back to the firewall and configure a simple security policy to allow east-west traffic between the user zone and the DC zone, and from the DC zone to the user zone. So let's go and do that now.

OK, so we're back at the firewall dashboard. What we're going to do now is create a simple policy. So under the Policies tab, Security, click Add. We're just going to call this "east-west". The source: I'm going to do this bi-directional, so ultimately I'm going to put users and DC, and then destination DC and users. This is going to allow traffic to flow between the zones in either direction, so users to DC and DC to users. Application any, and I'm going to put this as any as well. This is just going to allow us to do the testing with User-ID; in future videos I'm going to explore how to make these security policies a lot more restrictive, so that we don't have permissive rules in the rule base. So for the time being we're just going to leave that like that.

And then I'm going to change the name of this one; I'm just going to call this "Internet traffic". And then the source: we're going to have to add the DC to this as well, and also we're going to need to change the NAT rule as well, because that rule won't know anything about the DC. So we're going to assign the DC to the source in that policy. This rule was done in the original lab, so if you want to know how to set that up, then make sure you watch that video. So just go back to the security policies. So we've got "Internet traffic": this is going to allow traffic out from the DC and user zones to the untrust zone, any application, application-default in this case. "East-west" traffic is still allow, user to data center, data center to user traffic; as I said, very permissive, but we can revisit this in a later lab.

Under the interzone-default you can see that there isn't any logging turned on. So what you need to do is just highlight the rule and then click on Override down the bottom here, go into Actions, and then just tick "Log at Session End", and this will now log any denied traffic, which you'll be able to see in the Monitor tab. And then once you've done that, click Commit, and then we can wait for that to finish, and then we can pop back to VMware Workstation.

We're going to go and check the Windows 10 client settings and just confirm that it's set up properly. If we look at the network adapter, it's still assigned to the original, what was the inside zone, which is now the user zone, so VMnet3. So as long as it's set to VMnet3, and that's assigned to the user zone, that's correct. I can click OK. So what we're going to do now is do a quick test from the Windows 10 client and just make sure that we can ping the new Windows 2016 server on the DC zone, which should have an IP of 10.4.4.100, which it has. So that's good, so that's working. And then if we were to flick over to the Windows Server 2016 and do the same the other way, we can check the firewall rule is allowing traffic in both directions. So we're going to ping 10.3.3.10... I thought it's 10.3.3.10; let me just confirm on Windows 10. So let's do ipconfig, ipconfig /all: 10.3.3.10. So it must have the Windows Firewall on here, but let's just turn that off; it is a lab environment. Windows Firewall, click on that, and you can see, let's turn that off; let's just turn it off, don't need that in the lab environment. So let's try that test again. Go back to Windows Server 2016 and I will just try that ping test again, and there we go.

So let's go back over to the firewall and we can take a look at the logs, and we should see traffic. So we've got users to untrust, so that's going out to the internet; we've got DC to DC, so that looks like a broadcast there; DC to users. And let's just filter this down. So we've got DC to users: if you click on any one of these zones it will build a log filter in here, and then it can filter on the traffic. So you can see we've got DC to users, there's the ping. We take that out and then hit Return, as now we want from users to DC, and there you go, you can see the ping going in the other direction. So that's all working the way I expect it to. The next thing we can do is start configuring the LDAP server profile and start configuring User-ID and testing. So let's get on with that now.

So before we move on to the LDAP and User-ID configuration, we need to make sure that the Windows 10 client has joined the Windows domain. So let's go and check the IP details first. So I'm just going to click on this icon down here and go to Network & Internet settings, and then I'm going to click on Ethernet and then Change adapter options, right-click on Ethernet0 and then Properties, then go into TCP/IPv4 and just confirm that your domain controller, your Windows 2016 server IP, is populated in here, and then click OK. We've already verified connectivity across the firewall, so it shouldn't be a problem. And then I'm going to go on to File Explorer, This PC, Properties, and then we're going to go in and change the domain name from the workgroup there. We're going to click on Domain, and then I'm going to be putting in mbtech.local and then click OK. And that's a good sign: we've got an authentication box, so I'm just going to authenticate and then click OK. So there we go, the client has now successfully joined the domain. Click OK, and we're going to need to restart before the changes take effect, so let's do that now. So we can now move on to the LDAP and User-ID configuration.

So going back to the lab prerequisites, we need to make sure we've got the right account set up for the next-generation firewall to communicate with the LDAP server, and also for the Windows User-ID agent to run as a service. So if I go to Server Manager, Tools, Active Directory Users and Computers, in the Managed Service Accounts folder you can see I've got an account called panfwadmin. I actually just use this one account to do both of these tasks. So I'm just going to show you how I've got this account set up and which groups it's a member of, so you need to take a note of this. So this account is a member of the Administrators, Distributed COM Users, Domain Users, Event Log Readers and Server Operators groups. So that's what I use in this lab environment, but just as a caveat, there are multiple ways of setting this up in terms of making sure that it's secure and making sure it's completely hardened; but because this is a lab environment, this is how I've got it set up. But it's worth reading the documentation, the administrator's guide, to make sure you understand how to set this up in a production environment. So that's good, so I'm just going to click OK on there.

And then I'm just going to show you, in the Windows Administrative Tools, if we go into the Local Security Policy, we look at Local Policies, User Rights Assignment, and then we're going to look for "Log on as a service". You can also see that panfwadmin has been added to this; this is for the User-ID agent to run properly. So make sure you've got this set up correctly as well; that's what you'll need to successfully complete this lab and get the User-ID agent up and running.

OK, so from the Windows server it would be a good opportunity to test your internet connectivity, because you need to head over to support.paloaltonetworks.com and log in with your account; you're going to need an account to be able to download the User-ID agent. So once you're logged in, you need to go over to the left-hand side: there's an Updates section, and then in the drop-down list you're looking for Software Updates, and then at the top there's a drop-down to choose User Identification Agent. I've already done this, so you should be able to easily find the file. If we go into my Downloads folder, this is the version I'm using, so it's the user agent installer 8.1.13-5. So if you download the same one as me, then you shouldn't have any problems. So what you're going to do then, once you've downloaded it, is just run the exe and just click Next, Next, Next and then Close; it's as simple as that.

Then the next thing we're going to do is click on the Windows icon, and then we're going to search for "services", and then we're going to click on Services, and let's open the window up bigger. What we're looking for is the User-ID service; there we go, "User-ID Agent". If we just double-click on that: it's running at the moment, I'm going to stop it, and then I'm going to use a specific account. Now, if you remember what I said, I use that one account for both the agent and the LDAP, so I'm just going to click Check Names and it auto-populates my panfwadmin account, and then I'm going to click OK, and then I'm going to put my password in, and then click Apply and then OK. And I should be able to start that service, and as long as your account has got the right privileges it should start up fine. So that's looking good; I can close that window now.

If I now go and look for the User-ID Agent application and open that up, we can go to Setup and I'm going to Edit. Now I'm just going to put the same username in there, which is panfwadmin, and then I'm just going to put the password in again, and then click OK. And basically that is now waiting for a connection from the firewall, and once the Palo Alto next-generation firewall connects to the agent as we've configured it, we should then see, in the Discovery section, the servers; and the agent itself shows its actual network, the actual server's interfaces and subnets, not the firewall's, it's actually the server's information. We'll come back to that, but for the time being we can just check that that's running. So the agent is running, so that's all set up, ready to go. So now it's on to the firewall configuration, so we can configure the LDAP server profile and the actual User-ID setup. So let's head over there now.

OK, so we're back at the firewall. Let's move on to the LDAP and User-ID configuration. So let's click on the Device tab, and then we can go to Server Profiles, LDAP, and then let's click Add and give the profile a name. So I'm just going to call it "LDAP AD server", and then add the server name in here, WS-LAB-AD, and the IP address, 10.4.4.100. We're going to need the port, the default 389. In the Server Settings we're going to use the drop-down and go to Active Directory, and the Base DN is going to be DC=mbtech,DC=local. Now this also needs to be changed to whatever your domain is. Click into the blue area, because I've had it where you put the name in and you move to the next white space and it deletes it, so just click into the blue area. The Bind DN is essentially the username that we set up earlier, so in my case it was panfwadmin@mbtech.local, and the password that I used earlier, again. And then uncheck Require SSL; I'm not going to be encrypting the User-ID communication between the firewall and the server in my lab, but in a production environment this definitely needs to be done. Just have a look at the PAN-OS administrator's guide and have a read through that, just to make sure that you secure that traffic. Click OK.

And then what we can do next is go into User Identification; we're going to the User-ID Agents tab, click Add, and then we're going to give it the real name of the server again, WS-LAB-AD, and its host and port. The host IP address is 10.4.4.100, and the default port for the User-ID agent is 5007, and we're going to tick "Use as LDAP Proxy", and then click OK. We can move on to the Group Mapping Settings: click Add, and again I'm just going to add the real name of the server, just for ease; I mean, you can choose your own naming convention, it's just a name, WS-LAB-AD. And then we're going to select the server profile that we just created a few seconds ago, and then we can go into the Group Include List; when this is committed we should see the groups pop up in there. It's going to fail at the moment as we haven't committed. And then just click OK.

And one final thing we need to do, which is really important, is go into Setup, Services, and then under Service Features we need to go into the Service Route Configuration. Now, if we just read this, Service Route Configuration "Use Management Interface for all" means any kind of network service or services that the firewall is running will all source from the management interface. But we don't want that for User-ID, so we're going to Customize it, and then we're going to have a look through the list, and we're going to be looking for the User-ID Agent. Click on that, and then the source interface is going to be ethernet1/7, which is what is connected to our server, so in the DC zone, and all communications then will be sourced from the interface IP address 10.4.4.254. And then click OK and then OK, and then we can commit that change.

So now that's been committed, we can now go and check out the status of the LDAP connection, or the User-ID connection. So we go to User Identification, we go to User-ID Agents; you can see now the connection to the Windows server running the User-ID agent is now connected, because of the green light. If you get a red light then there's something wrong: check your Windows Firewall, check that you've got your username and password correct, all those normal troubleshooting steps. But if you have followed along with what I've done in the lab, you should get a green light. So ultimately that's connected.

And if we go back into Group Mapping Settings and click on the name and then go to the Group Include List, we should now get a list of all the Active Directory groups. I'm going to add the Domain Users into the Included Groups box on the right-hand side. This then will be available in security policy, and any users that are in this group will show up as source users in the rule base, so in the security policies, which then means you can be very granular with your security policies. So I'm going to click OK, I'm going to commit that.

So while that's committing, I'm going to pop over to the Windows 10 machine... sorry, no, the Windows 2016 machine. I'm going to log back in; I'm just going to show you that I've got a test account set up. So I've got Tony Stark; he's now part of the lab setup, he's just a domain user. So I'm going to log in with Tony Stark on the Windows 10 machine, and then hopefully we should be able to see Tony Stark show up in the logs, and we should be able to then create a policy to enforce some sort of security, you know, permit or deny Tony Stark on which applications, or what he's allowed to do, basically. So we're just going to log in. So he's successfully logged in, and we should be able to open up a browser and go to Google, BBC News, so we know that's working from that user.

Now if we go back to the firewall, we should be able to go to the Monitor tab, and now, as we've got User-ID working, we can see that Tony Stark has logged in and is currently accessing the internet through the firewall. So if we wanted to create a policy, we could simply click Add and we can say "Block Facebook", and then we could source it from the users zone, and now we have the option to select a user. We can go in here, and we can be very granular and then add tstark as a source user, destination to the untrust, application: we could now block Facebook, the facebook-base application, application-default, and the action, we're going to block him or deny him, and then click OK. Then we'll move that one up to the top, and then we're going to commit. So that's now committed successfully. If we go back to the Windows 10 machine, we go to Facebook, let's go through Google, and if we go to Facebook and try and log in: can't connect. If we go back to the firewall logs, I've filtered just on Tony; you can see there he's tried to log in to Facebook but it's been denied. So that is now a completed User-ID installation; it's working properly, as you can see.

I hope this has been useful and you found it interesting. If you've got any comments, please leave them in the comment section below. If you liked the video, please subscribe. I'll be making more videos about Palo Alto next-generation firewalls going forward. Thanks very much and see you soon, bye.

OK guys, that's it for today's video. Thanks for watching. Over the next coming weeks I will be uploading more videos where I'll be sharing more content about the Palo Alto firewall features and technologies and how to configure them. If you liked this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thank you. [Music]
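As an added example that is not from the video, the following Python models first-match evaluation of the three rules built in this lab (east-west, Internet traffic, Block Facebook) against a constructed IP-to-user mapping; the rule names, zone names, the tstark user and the 10.3.3.10 client address follow the transcript, while the Rule and Flow classes and the unmapped 10.3.3.77 address are constructed here. It shows why the deny rule has to be moved above the permissive Internet rule, and that traffic from an IP with no User-ID mapping never matches a user-specific rule, so it falls through to whatever rule matches "any" user.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    """One security rule, simplified from the PAN-OS rulebase (constructed model)."""
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    apps: Set[str]    # {"any"} or application names such as "facebook-base"
    users: Set[str]   # {"any"} or mapped usernames; "any" also matches unmapped IPs
    action: str       # "allow" or "deny"


@dataclass
class Flow:
    """A session as the firewall sees it before policy lookup."""
    src_ip: str
    from_zone: str
    to_zone: str
    app: str


# Constructed IP-to-user table, as the Windows User-ID agent would report it.
IP_USER_MAP: Dict[str, str] = {"10.3.3.10": "mbtech\\tstark"}


def resolve_user(flow: Flow, ip_user_map: Dict[str, str]) -> str:
    """Return the mapped user for the source IP, or 'unknown' when User-ID has no entry."""
    return ip_user_map.get(flow.src_ip, "unknown")


def evaluate(rules: List[Rule], flow: Flow, ip_user_map: Dict[str, str]) -> Tuple[str, str]:
    """First-match policy lookup; unmatched interzone traffic hits the implicit deny."""
    user = resolve_user(flow, ip_user_map)
    for rule in rules:
        if flow.from_zone not in rule.from_zones or flow.to_zone not in rule.to_zones:
            continue
        if "any" not in rule.apps and flow.app not in rule.apps:
            continue
        # A user-specific rule never matches "unknown": the IP has no mapping.
        if "any" not in rule.users and user not in rule.users:
            continue
        return rule.name, rule.action
    # interzone-default: deny; it only produces a log once logging is overridden.
    return "interzone-default", "deny"


# The three rules from the lab.
BLOCK_FB = Rule("Block Facebook", {"users"}, {"untrust"}, {"facebook-base"},
                {"mbtech\\tstark"}, "deny")
INTERNET = Rule("Internet traffic", {"users", "DC"}, {"untrust"}, {"any"}, {"any"}, "allow")
EAST_WEST = Rule("east-west", {"users", "DC"}, {"users", "DC"}, {"any"}, {"any"}, "allow")


def lab_rulebase(block_on_top: bool = True) -> List[Rule]:
    """The rulebase before and after 'moving that one up to the top'."""
    return [BLOCK_FB, INTERNET, EAST_WEST] if block_on_top else [INTERNET, EAST_WEST, BLOCK_FB]


if __name__ == "__main__":
    tstark_fb = Flow("10.3.3.10", "users", "untrust", "facebook-base")
    unmapped_fb = Flow("10.3.3.77", "users", "untrust", "facebook-base")  # constructed, no mapping
    for on_top in (False, True):
        print("Block rule on top:", on_top)
        print("  tstark  ->", evaluate(lab_rulebase(on_top), tstark_fb, IP_USER_MAP))
        print("  unmapped->", evaluate(lab_rulebase(on_top), unmapped_fb, IP_USER_MAP))
```

The unmapped case is the one to watch in the Monitor tab: a user-based deny gives no protection for a host whose logon the agent never saw.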
Info
Channel: MB Tech Talker
Views: 2,788
Keywords: NGFW, Palo Alto Firewall, Palo Alto NGFW, vm series, vmware workstation, user-id palo alto, user-id agent setup, Windows User-ID agent, palo alto user-id setup, Palo Alto User-ID, palo alto user-id agent, palo alto networks ngfw, PAN NGFW, firewall palo alto, vm-series labs
Id: hBFum5k7LWE
Length: 39min 20sec (2360 seconds)
Published: Mon Jul 06 2020