Palo Alto Networks Global Protect Using Google Workspace as a SAML IdP

Captions
Hi, my name is Rob Rigger, and today I'm going to show you how to connect your user VPN to Palo Alto Networks GlobalProtect using Google Workspace as a SAML authentication IdP. So if you clicked on this video, you've either run across SAML in an article you've read, you've heard your coworkers talking about it, or you're just curious how you can switch over from your current user authentication method to SAML. You'll see this more and more as we move from on-prem things like Active Directory on our local site to cloud-based identity, so whether that's Azure AD or Google, any of those providers, it'll work for you; the same principles apply with SAML across the board.

If we look at what Palo Alto Networks has put in their admin guide, we can see that SAML breaks down into essentially a six-step process, right? The user connects to GlobalProtect, which is going to act as a service provider. GlobalProtect is going to redirect the user back to Google, which is going to function as our identity provider. Google is then going to authenticate the user and give them a SAML assertion, a piece of information; it's an XML file. That user is going to turn back around and give it to the firewall. The firewall is going to know, hey, they've authenticated, they gave me this assertion, so I know that I can let them in and give them access.

When we take a look at what I'm going to do here today: I'm going to give you a high-level overview of what SAML is, show you what the dependencies were to get this walkthrough up and running, then I'm going to list out the steps that I needed to configure in Google Workspace, followed by walking you through those same steps on the admin console. Next we'll pivot over to PAN-OS, where I'm going to show you on the firewall what the steps are, and then I'm also going to walk you through the GUI. Once we have everything configured on both Google and Strata, I'm then going to go to a test machine and log in so that you can see what the login process looks like. Once you've logged in, I'm going to go back to the firewalls and show you in the logs where you can see those connections, so that you can become familiar with how to troubleshoot it if you need to.

So if we look at what SAML is: it's Security Assertion Markup Language, and now that we know the acronym, all we really need to understand is it's an open standard to allow pieces of information, identity, authorization and authentication, to get shared between different parties. It's broken down into three pieces. We have our end user; that's the person trying to access the service, so whether that's GlobalProtect or a SaaS application, they're the ones trying to initiate the connection. Then you have your identity provider. This is the device or service that stores those user credentials; it's going to be what they actually authenticate to so that we can make sure they are who they say they are. Then we have our service provider. The service provider is the object that's providing the service, so whether that's a SaaS application or a firewall doing clientless VPN or full-blown client VPN, they're going to act as the service provider.

So the dependencies to get this up and running: you need to have a Strata firewall running PAN-OS that's not on any EOL software version. I'm going to be using 10.0.1 in my lab; you can use, like I said, any of them, but the GUI might look a little different if you're not on 10. We're also going to need the GlobalProtect software; if you don't have the software, what are the users going to try to connect with? I'm using 5.2.3 in my lab, but it should look very familiar to you if you're a previous GlobalProtect user. We're also going to need a GlobalProtect configuration. This would be done beforehand; you either have it in your lab, or you're just trying to swap over from, say, RADIUS or LDAP over to SAML, and all we're going to have to do is make those changes. Then you're going to need some Google accounts. I was able to get by with the G Suite Basic and Google Cloud Identity Free subscription; it didn't take much to get off the ground. I highly recommend looking into it; it's a great investment. Then what we'll need is an end user to test the device. I'm going to be using a Windows machine, but you can use Windows and Mac, and then if you're looking at leveraging something else such as clientless VPN, Linux, Android, Chromebook, iOS, you will need that GlobalProtect license in there to access it on these other devices.

So from Google, right, we're really just creating a SAML application. It's as simple as going to Create, adding a custom SAML app, and then we're going to fill in the ACS URL. That sounds a lot more intimidating than what it is. I broke down the structure, but it's really just the FQDN of what the user is trying to access, the port, followed by the string of characters, right: /SAML20/SP/ACS. It's the exact same format; you're just swapping out what your FQDN and your port that they're trying to access is, and then I have an example listed below of what I'm using in my lab. Next we have the Entity ID. It's almost the exact same format, where we have the FQDN, the port, and then it's /SAML20/SP. There are going to be a couple of optional parameters you can look at doing. In a lab setup you can get away with not changing any of these, but what I'm going to do is change the Name ID format from, I think it's default, to email, just because that's what I'm going to use to enter again.

So we look at the lab itself, or, I'm sorry, the Google console. So I'm logged in at the root of the Google admin console. We can either navigate down here to Apps, or we can go hit the top left menu, go down to Apps and SAML apps; it's going to take us to the screen. So what I'm going to do is click on Add app, Add custom SAML app. You can give it whatever name you want; I'm going to give it GlobalProtect Lab Connect. For logon, this is the metadata that I mentioned that we want to download. If you don't download it, you can fill out all the information manually, but it just makes it really easy to import it into the Palo Alto device. So we're going to click Continue. These are the ACS URLs and Entity IDs, so I'm going to copy and paste mine in. These are based on my portal and gateway configurations; I'm just using the same FQDN for both, makes it real easy, I just have to do one. And then I'm going to come down here, I'm going to change this to email, and then from there I'm going to hit Continue. I'm not going to do any mappings right now, but after I click Finish, the important thing to understand is by default this isn't turned on for anyone. So we can either turn it on universally across the Google console, or we can do it for just a subset or a group of users. I've created a test user group that I'm going to turn it on for. So we're going to click into User access, click on the Group button, and now I'm going to put in my test group, click on it, click the On button, and click Save. And that's it; that's all we have to do on the Google side.

So moving on, we're going to look at what next we have to do on the Strata configuration. We have to create a SAML identity provider server profile; we're going to do that by importing that IdP metadata that we saw. After that we're going to create the authentication profile that references that server profile, so that we know how we're going to authenticate back and what users we want it to apply to. And then after that we're going to apply it to the GlobalProtect portal and gateway configuration, essentially where do we want this authentication type or sequence to be used.

So looking at that, I am over here in my Panorama. If you're looking at it and it looks a little bit different than what you're at, the main difference between Panorama and the firewall is going to be the device groups and templates at the top. So I'm going to go ahead and click on Device, go down here to SAML Identity Provider, and I'm going to click Import. This is that file that we mentioned we're going to download. So once we've brought that in, we just select it. I'm not going to validate the identity provider certificate because I'm just using Google's default one; there are mechanisms in PAN-OS 9.1.3 and later that do that authentication to make sure it is who it says it is without having to do that. If you want to upload your own custom cert, I highly recommend having this validate function on, and we can take a look at that. So we're going to hit OK. Once we've done that, we are going to go up here to the authentication profile. I'm just going to add one called Google SAML. We come down here to the type and we're going to click SAML, and then select the, oops, select the IdP server profile we just did the import of; mine was called Google. And then from this screen that's all we really need to do, except we're going to go over to Advanced and say what users we want to apply it to. Since I'm controlling it in the Google console based on that test user group, I'm just going to go ahead and select all users here, and then I'm going to go ahead and hit OK. From here we just need to pivot over to the Network tab and look at our portal and gateway. You'll see I have my configuration in here already, so I'm just going to click on the portal, go down to Authentication, and then you can see where I'm currently configured for local. I'm going to go ahead and click on this and then select the Google SAML authentication profile that we just built. I'm going to hit OK, OK, and then I'm going to go and do the same thing for the gateway, since I want that to be the same mechanism, right? So when I click on it, I'm going to click on my Authentication tab, and you'll see where I'm at local right now. I'm going to click on it and just select this. So I'm doing it universally, but you could do it by different users, different groups; this is just showing you how you would configure it. So once we have that set up, I'm going to go ahead and click on Commit and I'm going to push it out to my lab devices. All right, once this is done committing, we'll take a look at how to launch it from an application. All right, I'm going to check the tasks and I see that my commit has finished.

So at this point we're going to jump over to the test machine. So I have my test machine here; I'm going to go ahead and have my user log in. So I'm using the Connect Before Logon feature of GlobalProtect. Down here in the network sign-in location I'll go ahead and click on that, and we can see here's my portal and gateway configuration that I'm going to connect to. Once I connect, we can see that I've been redirected; this is that SAML redirect here. So I'm going to put my user's email address in here, password. I'm going to put in the incorrect password the first time, so in the log entry we'll see that there was a wrong password. And now I've put the correct password in; we see that the page goes away. This is where I get that SAML assertion that I'm sending back to the firewall, and once the firewall gets that, you can see that I'm connected. And that's all there is to it from a SAML connection.

So if we now go back and take a look at our logs: your logs are going to be located in two different places. We have the system log, that's going to show the SAML authentication sequence, and then we have the actual GlobalProtect login to the portal and gateway, and I'm going to bring both of those up for you. So if we go back, I've logged into the firewall. You'll notice it looks almost exactly like Panorama except that template and device group area is missing. I'm going to go over to the Monitor tab, and what I have here is the GlobalProtect log pulled up, and I just have a couple of filters on it to make it easier for us to look at. I have the auth method equal SAML and the stage equal connected, and you can see under the auth method area we see that it's SAML, connected for both the portal and the gateway, and that the user is connected successfully. So now, to look at the steps that took place in SAML, we go down to the system log. We are going to change this to 30; let's go ahead and get rid of that timestamp. So really what we want to see is this four-step process, right? So we see the redirect, it received it from the client back afterwards, it is valid against the IdP certificate, this is the important piece that I was mentioning, and then we see that the SAML SSO authenticated for the user. So what we didn't see in this log is that incorrect password attempt, because that's all taking place on the identity provider. It's important to understand, right, the Palo Alto firewall is only getting back that assertion once the user correctly authenticates, so all the rest of that, the failed attempts, everything would be back in your identity provider log. And that's it. I hope you learned something today. If you have questions, please post them down below. If there's anything else you'd like to see, just feel free to reach out to me. I appreciate your time, and thank you.
Info
Channel: LearningForFun
Views: 1,708
Id: BANa4rFh1Ck
Length: 14min 33sec (873 seconds)
Published: Fri Oct 30 2020