PaloAlto Networks Lecture 33: Palo Alto Firewall User-ID Captive Portal

Captions
Our other topic is User-ID, which means user identification. Basically, the next-generation firewall is based on three pillars. The first one is application, which we call App-ID, which we finished yesterday. The second one is Content-ID, which we did before that one. And the third one is User-ID. The next-generation firewall has mainly three features (there are a lot of other things as well), but it can monitor based on these three things: to distinguish, analyze, check and monitor your traffic based on application, based on user, and based on Content-ID. So we have already done two of them; the third one is User-ID, which we call user identification.

Now you can create a policy to allow and deny traffic based on users, based on group, based on user and group, or based on a single user. So this user can go to Facebook but this user cannot go to Facebook. Besides this, now you can see the traffic: which user is going where, which user is accessing which thing, which user is generating traffic, which user is on top, which user has the most sessions, and so on. By user it is so easy to identify the person rather than by IP. Anyone can change their IP, and the IP is normally changed by DHCP, so you cannot identify; maybe that user will deny it: "no, it's not me." But by user, definitely he has to log in through Active Directory, and when he logs into his system it will show that this user is generating this traffic. It means User-ID is a technology which provides more visibility, more policy control, more logging and reporting, forensic use, and many other things. You can connect your Active Directory to the Palo Alto firewall and the users will be taken from there, which we will do in the next class. Today we will do a local user and do one test of how it is working, so at least you get an idea how User-ID is working and you can utilize it in many ways. By the way, with User-ID you can see the reports and the ACC tab, which we will do at the end, and App Scope, reporting and logging by User-ID, by username, and it is so easy to recognize everything.

So for this purpose we are using User-ID. Also you can create your own policy by department: maybe the HR department, maybe the finance department, maybe the marketing department, maybe the IT department, maybe the engineering department, maybe top management, maybe by anything; to allow everything to top management by user and deny everything to a normal user. So it's very good, yeah, to integrate them easily and get more benefit from the firewall. So we call it User-ID, but User-ID can be deployed in many ways. It can be a portal, maybe for some guest user. Now if someone comes to your organization as a guest and you say, "no, no, you cannot go to the internet, because I need to connect you... you have to first go to Active Directory to create a user for you, then that user will come and log in, then I will see your traffic", no, it's not a possible way; this is not a good way. So for this purpose, if you have guest users, or maybe some contractor, or some user who works for a limited time, maybe for one month, two months, one year, maybe two weeks, one month, and they don't want to join your Active Directory, or it's not possible to allow everyone in through your Active Directory, for this purpose you can create a captive portal. It's like a hotspot: when you go to a hotel, when you go to an airport, you will normally see a prompt come up asking you to put in a username and password, a temporary username and password, and you will authenticate and you can use the internet for a limited time. Either they will provide you a username and password in a hotel when you stay there, and this is a temporary username and password. Here in hospitals, normally when you go to a hospital they will generate a username and password and send it to your mobile phone, and you can use it for one hour or two hours. The same thing we can achieve on the Palo Alto firewall by captive portal. By default it is for 60 minutes, and if you are not using it for 15 minutes the session will expire and you have to re-authenticate again. You can increase the time, you can decrease the time; there is a setting as well, but by default this is the normal one.

So captive portal is basically for guest users: if a guest user came, or some contractor, or some other scenario, maybe temporary users, and maybe someone locked their PC and they don't want to access the internet, and many other ways. So you have to create a captive portal in your Palo Alto firewall and create some users, random users. It can be Active Directory, it can be local, it can be any other RADIUS server, TACACS server, it can be anything, and then you can authenticate that user to log in through your captive portal. Captive portal is like this one: they will put in the username and password, and when they log in they can use the internet for one hour by default, but you can increase the time and everything. It will prompt for the username and password; when they put in the correct username and password they can use the internet, they will be redirected to the internet. When they connect to your Wi-Fi, when they connect to your LAN, it will prompt for the username and password like this, and we provide them a username and password. It can be a separate VLAN, so nobody can access your network. So these are for the guest, or for a contractor, or for any other user, or for someone who is temporarily working in your organization. You can provide them internet access in this way, either for a mobile phone, or a laptop, or any other thing which cannot do the other authentication methods. So you can use the captive portal.

How to create them? We need to follow some steps. In today's lecture we will create a user inside, but it can be Active Directory, because we will do Active Directory next time. So let me open my firewall, 192.168, and XP should be my inside system, so let me turn on XP as well, which is working like my inside, any guest user or someone, 192.168... Let me open my firewall, okay, this one, okay, so it's come up. Username is admin, password is admin, and XP is now here, so let me go to XP and log in. Okay, so basically my firewall is in VMware, this one. This firewall has two interfaces, one connected to NAT and the other connected to host-only. Our NAT is using this one; leave the first one, the first one is the management one. NAT is connected to outside, whose range is 192.168.122, and host-only is representing my LAN. So the NAT one is using 122 and the other is 140. Where can I find this? I show you that you can find these ranges from here; go here and you can find them. Okay, so let me go to my network interfaces. The first interface is connected to outside, so I assigned it the 122 range, yeah, 122, this is my NAT one, so here I assigned 122.100 from this range, and this 140 is connected to inside, so I assigned 140.100. Okay, so I have three interfaces: the first interface is the management one, then the second one is the NAT one, which I am using as WAN, and this is the LAN. My XP is connected to the LAN, 140.60, and the gateway I gave it is the firewall IP. Okay, let me go here, yeah, so 140.60, this range, 140.60, but the gateway should be this one and DNS is this one. Okay, even the alternate DNS is not required; anyway, why I put it, it's okay. So I can go to the internet right now directly, by the way, because we have not configured anything. This is the old topology, so it has to go to the internet, I believe, because there is no such thing. Yes, so I can go to the internet and I can see the traffic here; it will show the source IP and destination and everything, yeah, 140 is going to allow, yeah. So nothing fancy is here and everything is working normally.

Okay, now I need to configure the captive portal, so it will not go directly like this one, because I want to use them as a guest user. So first things first, let's go to Device. To create a captive portal I need a user. Come here, Local Users; here is a user and create one user here. Let me give it any name, user1, it's up to you. Password should be 123; you can give any password. It should be enabled. Password hash: instead of this one you can type the password hash as well. Okay, so I created one user with the name user1, password 123. Besides that there is a user group; let me create a group as well. Maybe I have many users, but I'm just testing one user here. I type "user group"; you can give it any name, okay, "user group". So now I have a user group as well, and click on this one. I forgot to add the user, so my user1 which I have here, I add it here, so user1, and now user1 is part of the group with the name "user group". This was the first step.

Now I go again, in this Device tab, there should be Authentication somewhere: Authentication Profile. I need to create an authentication profile to authenticate the user. Nothing is there, so click on Add and create any authentication profile. So I say "auth pro", it's up to you whatever name you want to give. Type should be Local Database because I am using the local database; if I were using Active Directory it would be different, but in this case we are using the local database. No user domain, no nothing, no Kerberos realm, anything, because I am using the local database. Factor authentication: if you want to enable multi-factor authentication, like SMS messages and all those things; I don't require it. Go to Advanced and add that user group, you remember we created it, so it's showing here. You can put "all" as well, you can put the user group, and you can put the user as well, it's up to you, but "all" means everything. So this was the second step, to create the authentication profile to authenticate these users.

The third step is on the same Device tab, User Identification, below this one. User Identification, like User-ID here. On User Mapping you have to click on this gear icon... no, I don't need this one, I need a captive portal. Here is captive portal... I cannot see User Identification... yeah, okay, yes, here, Captive Portal Settings. Click on this one, Captive Portal Settings, and this gear icon. Enable Captive Portal, which is enabled by default. This is the idle timer I told you about: by default, if it is not used for 15 minutes it will be logged out, and the maximum time is 60 minutes. You can increase it, how long he can use the internet. We are not using the secure method; otherwise, if you want to enable SSL/TLS you can create a profile here and attach it. But I have the authentication profile I just created with the name "auth pro"; attach that one. We are not using GlobalProtect right now; we will use it later. There are two modes, Transparent and Redirect. Transparent will directly prompt for the username and password, and Redirect will redirect to another IP; so in my case it will redirect to my inside IP, 192.168.140.100, which is my LAN IP. Anybody connected will be redirected to this IP and it will prompt for the username and password. But you can use Transparent as well; Transparent means it will not redirect but will directly ask. If you want authentication through certificate you can do it; you need to generate a certificate and install it there, same as we used in the other lab. And these are the timers, session and everything, but we don't need them, so leave it as default. This is done.

Now I need to go to Network, and if you remember we did this interface management profile; we have two interface management profiles anyway. Let me go to "ping1", and here you have to allow Response Pages and also User-ID, to show User-ID as well. You remember I told you that we will use all these things slowly; you already know these are administrative, like HTTPS, Telnet; this one has to allow ping, this one is to allow SNMP, we will do this later. Response Pages will show the response page, and User-ID will also show the User-ID, who is logging in on this interface. So press OK. Now I need to attach this "ping1" to my LAN IP interface, so this is my LAN one, yeah, this is my... where is inside, your LAN. So let me go here and, rather than the HTTP one, I need to attach "ping1" only, the "ping1" management profile on the interface. So let me click on it and go to Advanced, and here let me change it to "ping1" and OK. Now I need to go to my Zones, and the zone where the people will connect is inside, because the people will connect inside and go outside. I need to click on this one and enable here Enable User Identification; this means for your User-ID to show you need to click this one as well, and OK.

Now go to Objects, and here there is one object we left; I told you we will do this later on, this one, Authentication. Click on this Authentication. There is a default one for captive portal; you can utilize this one, but you can create your own as well. Let me create my own; otherwise there is a predefined one as well. So let me give it any name, you can give any name, and which form... you know, the form which will be prompted, like this one, where is this one... so it's asking which prompt; I say browser... web form, this one will be good, and attach your own authentication profile which we did. So the form will become like this one, the one which is shown here, and it will ask for the username and password. Which username and password? The one we created in our profile; in our profile we said ask the local user database, and OK.

The last step is to create a policy to ask for the username and password. Go to Policies: we have done Security, we have done NAT, that policy we will do, Decryption we have done, here is Application Override which we have done, here is Authentication. Click Add and give it any name, "guest to internet". Source should be inside, anybody going from inside to outside. But the user: you can put the user; now we have the user group, or you can put the individual user. I put both... I just... otherwise, no need; that's why we created a group. Destination should be outside, service should be HTTP and HTTPS (you can put many as well), and action should be my authentication enforcement, "web auth", which I just created, and timeout is 60; I told you you can change it. Log Authentication Timeouts: you can set it. And for logs, if anything happens, where to send the logs, syslog; we will do that later in the course. And OK, and commit the changes. This is almost done.

Okay, let me go through to check that I did the correct steps. Yeah, so we created a user here, we created a group here where we put the user, and here we created an authentication profile and put our users in it. Then we went to Captive Portal and attached our authentication profile, and enabled it, and Redirect, and put our IP here. We went to the interface management profile here, we enabled Response Pages and User-ID and attached it to our inside interface, and on the zone we enabled Enable User Identification. We created our own authentication object and attached our profile to it, and we created a policy here, an authentication policy inside to outside with these services, with our one, and committed the changes.

Now we need a verification from the inside system; it will ask like this and we can see the logs here. So I think it's safe, yeah, it's safe. Now we will see the logs here, but before enabling the logs let me enable User-ID from here, because before we didn't have the Source User column, because we were not using User-ID before, so this column is empty. Now we are using user identification, so see how. Let me open this browser again; before, when we opened it, nothing was asked. Now when I type google it will be redirected to my interface. All right, why does it go... let me go by this one; sometimes it's in history. So normally, okay, so let me go back to my policy, security rule, deny social networking, I don't need this one, allow all, source okay, destination, application any, uh, it's okay, everything is correct, I believe. It has to ask them, so I need to close the browser; sometimes it's taking from history, so let me open another browser. It has to ask the same way, a user prompt. So let me check here; by the way, it's open here as well. Is it hitting my policy? So let me go here; no, we are not getting any hits, so it means we have done something wrong. Let me quickly verify. "guest to internet"... let me see my policy, maybe I made some mistakes. So it has to be for every user, so I need to remove it, because the user will be asked there, so I don't need to put the user here; that's why that person is going through. So OK, and let me commit the changes. So it will ask for every user, because they will put the username there; rather, I put them there by mistake. Okay, so let it save, and we will close the browser as well. Okay, so just wait a minute, because in this policy, the authentication policy, we have to get hits for every user, not only HR; they will be asked later on, this user, when they're prompted, so that's why. Let's see. Okay, okay, it's done now.

So now let's go back to our browser and open any browser. So let me go to Google; it has to redirect, and here we will see the hits, if they are coming. So it means, yeah, now it's getting hits, so now it will be redirected to our internal IP and it will ask for the username and password. Okay, so we are getting hits, and besides this I need to check this browser as well, uh, detail, reload, and let me go to this browser as well, because this is redirect, so sometimes it's not working properly in a simulation environment; otherwise it has to redirect to our interface. Okay, so [Music] let's open a new browser here, yahoo.com; it has to show like this one if I gave the correct IP. By the way, let me go to Device, Captive Portal, and is it 140.100? Yes, 192.168.140.100, and let me go to my interface and check the IP, .100, which is inside, and allowed; these things are allowed, sorry. So let's come back here; still it's taking time. By the way, it has to be like this one straight away, 140.100. Okay, one thing more I need to change; maybe it's going to this DNS as well; for some reason it's not redirecting. So let me quickly go through: in case, if we disable decryption, because it's decrypting as well and checking, so let me disable it and commit the changes. Even though it's okay, it has to work like this regardless, but I'm just wondering. Maybe we can check the transparent way as well, because we have two ways, one is to redirect and the other way is to use transparent. So this is Redirect, host 192.168.140.100, and the other is Transparent. So let's see after this; if it is not working then we can use Transparent; by the way, it has to work both ways. Yeah, it's okay now. So click Advanced and Proceed, because I don't have a certificate; otherwise it will work straight away. And here I just need to put user1, which I created, and type the password. So after authentication now I can see the browser; otherwise you will not see any browser and you will not go to any website. Now Yahoo and everything will be working straight away.

How do we know? We can test by the Monitor tab: go to Monitor, Traffic, and here it will show the user. Before it was nothing, yeah; now let's refresh. So the Source User should be user1 there now; yeah, now it's showing. Before, because we were not using any User-ID, it was empty; now it's showing user1 going from inside to outside, browsing, and then going to this website, and this is user1. The other way we can check: let me go to SecureCRT and open my... this IP with SSH, and test... okay, to take an SSH to this firewall and check it by command. Okay, let it open; yeah, here it is, and we can connect. Click Connect, type the IP, and the username is admin. I want to take SSH to my Palo Alto firewall; admin is the password, because I need to show you from here as well, and the command is "show user ip-user-mapping". So if I clear it and run it again, it says user1 is logged in, showing from here that user1 is from this IP, 140.60, which is my XP IP, this one, 140.60, and you can verify from here as well, 140.60. So it's showing here that 140.60, user1, is logged in; this is the idle time, this is the maximum timeout, and only one user is logged in. So you can disconnect and you can connect again, and it's also showing here as well. So let's prove the... So instead of using the local database we can connect them to... we created a user here; you can create a user2 as well, the same way, the password is 123, but the better approach is to use Active Directory, which we will do in the next class, and we will integrate Active Directory with our firewall, and then we will see many things, how we can utilize Active Directory for administrative purposes and for end users both.

So in this way I can see the traffic by user as well, and later in the course I can see the traffic by user. Suppose I want to monitor some specific user, so I can type and search here, like a filter; tomorrow he tells me to check by user, because normally in an organization we are using everything by user. So come here, and here is User; I say check for user1, the traffic for the last one hour, so here everything will show related to... okay, let me press enter. So it will show me the source, destination, user activity... it's still not here because it's taking time to come here. By the way: source IP activity, destination IP activity, source region, destination region, GlobalProtect and so on, which rule he used, which location, and many things: threat activity, blocked activity, tunnel activity, whatever this user did in the last one hour. And the same case: last one hour, last calendar day, last 7 days, and custom, last one year, and so on, you can do it. And also for monitoring purposes it is easy: if he is logged in, I can see, yeah, user1 is going to this place, he did these things, and for many other purposes we can use it: what user1 is doing, now by name, his own name. So we can see all the detail related to user1; that's why User-ID. And also I can put the policy now by user, which we will do in the next class, but I just need to show you this is the last part in security policy which we left. You remember application is done; now we know General, we know Source, we know Destination, we know Application, we know Service, we know URL Category and we know Action. The only thing left was User. Now I can put the policy by user; it's showing me the user, so I say that I need to allow it: if the source is inside, the user is user1, the destination is this, allow him. What application? Put the application, put the URL category, like you say that he just needs to go to the adult site only, user1, I'm just giving you an example. So now you can create the policy by name as well. Now if another user is trying to access this website he will not access it, whatever rule you create. Now you can create the rule by user and even by group as well, like an HR group can access these resources, an engineering group can access these, IT can access these. So this is the best way and best approach in the next-generation firewall: by application, by User-ID, and at the end Content-ID, which we've done, this one, Content-ID. So all these things are now almost clear to you, why people need a next-generation firewall.
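The verification step at the end of the lecture is worth automating: after a captive-portal login, the client IP must show up in `show user ip-user-mapping all` with the expected user, and a mapping whose idle or max timer is about to run out explains why a guest is suddenly redirected to the portal again. The parser below is an added example, not code from the video or from Palo Alto Networks. It assumes the usual column layout of that command (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s), then a `Total:` line), and the sample output is constructed to mirror the lab (inside host 192.168.140.60 logged in as user1, portal idle timer 15 minutes = 900 s, max timer 60 minutes = 3600 s); a `From` value of `CP` marks a captive-portal mapping, `AD` one learned from the User-ID agent.

```python
"""Parse `show user ip-user-mapping all` output from a PAN-OS firewall and
check captive-portal (CP) mappings.  Added example; the column layout is an
assumption modelled on typical PAN-OS output, and SAMPLE_OUTPUT is
constructed, not captured from the lecture's firewall."""
from dataclasses import dataclass
import re

# Constructed sample: two captive-portal users on the inside zone plus one
# agent-learned (AD) mapping.  user2 is seconds away from hitting its timer.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.140.60  vsys1  CP      user1                            894            3543
192.168.140.61  vsys1  CP      user2                            45             120
192.168.140.70  vsys1  AD      lab\\jdoe                        2700           2700
Total: 3 users
"""


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    source: str        # "From" column: CP = captive portal, AD = User-ID agent, GP = GlobalProtect
    user: str
    idle_timeout: int  # seconds until the idle timer expires
    max_timeout: int   # seconds until the max (absolute) timer expires


_ROW = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_ip_user_mapping(text: str) -> list[Mapping]:
    """One Mapping per data row; header, separator and 'Total:' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("IP ", "---", "Total:")):
            continue
        m = _ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(Mapping(m["ip"], m["vsys"], m["src"], m["user"],
                            int(m["idle"]), int(m["max"])))
    return rows


def user_for_ip(mappings, ip):
    """User currently mapped to `ip`, or None when the firewall has no mapping
    (traffic from an unmapped IP shows an empty Source User column)."""
    for m in mappings:
        if m.ip == ip:
            return m.user
    return None


def expiring_soon(mappings, threshold_s=60, source="CP"):
    """Portal mappings whose idle or max timer is within threshold_s of expiry;
    these users are about to be redirected to the portal again."""
    return [m.user for m in mappings
            if m.source == source and min(m.idle_timeout, m.max_timeout) <= threshold_s]


def check_expected_login(mappings, ip, user):
    """Post-login check from the lecture: the client IP must be mapped to the
    expected user, and the mapping must have come from the captive portal."""
    return any(m.ip == ip and m.user == user and m.source == "CP" for m in mappings)


if __name__ == "__main__":
    maps = parse_ip_user_mapping(SAMPLE_OUTPUT)
    for m in maps:
        print(f"{m.ip:16} {m.source:4} {m.user:20} idle={m.idle_timeout:5} max={m.max_timeout}")
    print("user1 mapped via portal:", check_expected_login(maps, "192.168.140.60", "user1"))
    print("about to expire:", expiring_soon(maps))
```

In a live deployment the text would come from the CLI over SSH (or the equivalent XML API operational command) rather than from `SAMPLE_OUTPUT`. Note the caveat the lecture itself raises: the mapping ties a user to an IP, so on a guest VLAN with short DHCP leases the portal timers should be no longer than the lease, or a reassigned address can inherit another user's identity until the mapping expires.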
Info
Channel: WE-Learns
Views: 362
Keywords: PaloAlto, Network Firewalls, Networks, Microsoft Office 365, M365, O365
Id: Ai89XNFwzpI
Length: 37min 31sec (2251 seconds)
Published: Mon Jan 25 2021