Wednesday, 24 May 2017

How to Set Up Secure Communication between Palo Alto Networks Firewall and User-ID Agent

Starting from PAN-OS 8.0, we have an option to have a secure communication, with the help of certificates, between the firewall and the User-ID Agent.

NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID agent to be on 8.0 (or later).

In this process, the UIA (User-ID Agent) will present a certificate to the firewall to validate. The firewall will check this certificate as per the certification profile configured. If it passes all the checks in the certificate profile, the firewall will accept the connection from the UIA. This can ensure safety against "rogue" UIAs.


Here's a step-by-setup walkthrough to configure this:

1. Launch the UIA, you should see a new option called 'Server Certificate':
UIA blankbetter.JPG

2. We need to create a new CSR for the UIA and get it signed by either an external CA, in-house CA or a self-signed certificate present in the firewall. (Note: We will need the CA certificate to be present on the firewall so we can use it in the Certificate profile and validate the UIA's certificate).

3. Once we have a certificate, we can import it in the UIA along with its private key. Make sure to commit the configuration.
UIA cert import.JPG
  
4. Create a new certificate profile and use the CA used to sign the UIA's CSR.

5. You should see a new tab under Device >User Identification, called 'Connection Security':
connection Security tab 1better.JPG

6. Choose the certificate profile created in step 4.

7. If the commit goes well, you should see the UIA connected successfully with the firewall.
connect-agent-success.JPG
connect-agent-success2.JPG


Failure Scenario


If an incorrect or no certificate is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:
connect-agent-failure.JPG
For the same failure, on the agent, you would see the following logs (under Monitoring->Logs):
UIA failurebetter.JPG

Hope this helped. Stay safe!

No comments:

PAN-OS Supported ciphers

Following is a list of supported ciphers for PAN-OS 7.1 and later: SSLv3 Ciphers Supported (No change from PAN-OS 7.0) Non-FIPS mod...