Objectives:
Describe authentication and authorization methods supported by the firewall
Configure user accounts for firewall administrators and end users
Define multi-factor authentication implementation methods
Configure the firewall to connect to an MFA server
Configure anti-phishing and user credential submission protections
Summarize the three methods used to break the credential threat attack life cycle
User Authentication
Users connecting to firewall services / connecting to the firewall
Users are required to be authenticated when:
- HTTP/HTTPS access to the mangement interface
- HTTP/HTTPS access to the XML API
- SSH/Telnet to the Command Line Interface
- Serial connection to the Console interface
Users can be required to authenticate when connecting through the firewall for applications such as:
- Accessing a website
- Accessing web mail
- Accessing share point
- Accessing Office 365
Supported Autentication Methods
The Palo Alto software can support three types of authentication services: local, external, and multi-factor authentication.
Local authentication without a database (XML configuration) can be used for stored accounts to authenticate logins to the firewall.
With no database however the firewall cannot authenticate traffic flowing through the firewall.
Local with a database can be used to authenticate logins to the firewall, and for user traffic flowing through the firewall.
The firewall can use all external services to authenticate logins to the firewall, and user traffic flowing through the firewall, these are:
- Kerberos
- LDAP
- RADIUS
- TACACS+
- SAML
Palo Alto software also supports four multi factor authentication venders.
- Duo V2
- Okta Adaptive
- PingID
- RSA SecurID Access
The authentication services above all require an authentication profile. The authentication profile is used to link a set of users to a specific authentication service.
Only the authentication services that use an authentication profile can authenticate user traffic flowing through the firewall.
Configuring Authentication TO the firewall
Dependant on the configuration of the authentication profile for the user, will determine how users are authenticated to the firewall.
Each user can be configured with their own Authentication Profile that points to an authentication service.
Or alternatively all users can be configured to use the same authentication profile and authentication service.
To configure per-user authentication to the firewall, assign an authentication profile to a user account when they are added to the firewall.
To configure an authentication profile for all users on the firewall, assign an authentication profile to the authentication settings of the firewall under Device -> Setup -> Management -> Authentication Settings.
The all users authentication only supports RADIUS, TACACS+, and SAML
SAML can only authenticate users using web based services.
Configuring Authentication THROUGH The Firewall
The firewall can be configured to authenticate user credentials when users attempt to access network resources through the firewall.
Individual authentication profiles should not be assigned to the individual user or the firewalls authentication settings in this mode
Rather, an authentication profile to an authentication policy via an authentication enforcement object should be created.
An example is that a web form could be presented, that asks the user to fill out a username and password before they can gain access to a resource. The form can authenticate against an LDAP service to determine whether user should get access.
Admin Role Profiles
Admin role profiles control authorisation to manage the firewall.
Dynamic Admin Roles are a built in set of permissions, stating what a user can or cannot do on a firewall using the web interface, CLI, or XML API.
A role based admin roles are a custom set of permissions, that can control users activities on a firewall when the Web, CLI, or XML API permissions are in use.
User Authentication TO and THROUGH the Firewall
A source user I.D. can be set to authenticate users accessing network resources through the firewall on the security policy, if user authentication of traffic flowing through the network has been configured.
Adding a Local, Non-Database Firewall Administrator Account
Step 1 – Create a custom Admin Role if required
Browse to Device -> Admin Roles to create a custom Admin Role Profile.
Although they are predefined role based admin roles on the firewall already, they cannot be modified. Custom addtional roles can be created though to fit around the needs of the administrator
Predefined Roles:
- Audit Administrator – Responsible for the regular review of the firewall audit data
- Cryptographic Administrator – Responsble for the configuration and maintenance of the cryptographic elements related to the establishment of secure connections into the firewall
- Security Administrator – Responsible for the administrator tasks that to not fit into the two other roles of the administrators
Step 2 – Create a local, non-database administrator account
Administrators can be created by browsing to Device -> Administrators
Adding a Local Database User as a Firewall Administrator
Step 1 – Create a user in the local user database
Go to Device, Local User Database, Users, and click Add
Step 2 – Create an authentication profile that links to the local user database
An authentication profile links a username in the authentication service that the firewall must use to authenticate login credentials of a user.
Go to Device, Authentication Profile, and click Add. Select the type ‘Local Database’
Note the selection of type ‘None’ could allowed undesired users to log into the firewall
In advanced settings, the Allow List can permit only certain users to be authenticate by a profile.
The account lockout option can be set from 0 – 10 attempts, to prevent brute force attacks. The default is 0
A lockout time can also be set to specify how long a user is locked out of the firewall for after the failed attempts value has been reached. The range is from 0 – 60. 0 means the account is not unlocked automatically and creates additional work for administrators
Step 3 – Create a custom Admin Role Profile if required
Step 4 – Create an administrator account from a user in the local user database
Go to Device, Administrators, enter the name of the username previously created and select the Authentication Profile as created in Step 2.
Adding an External User as a Firewall Administrator
Step 1 – Create a server profile for the external authentication service
To create a service profile, for example LDAP, go to Device -> Server Profiles -> LDAP -> Add
Step 2 – Create an authentication profile that links to the Server Profile
An authentication profile links the username to the authentication service that the firewall uses to authentication the users login credentials.
The firewall uses an authentication profile to verify user credentials when a user attempts to login to the firewall
The profile is also used when the firewall is attempting to verify user credentials when a user is trying to access a network resource through the firewall.
To add a profile, go to Device -> Authentication Profile -> Add
Step 3 – Create a custom Admin Role Profile if required
Go to Device -> Admin Roles -> Add
An externally authenticated user logging in must be given permissions via an assigned admin role
Externally authenticated users can be given a predefined Dynamic Admin Role Profile, or a custom Role Based Admin Role Profile
Step 4 – Create an Administrator account that links to the Authentication Profile and the Admin Role profile
Go to Device -> Administrators -> Add
The username must match that of what is on the external service.
Adding an administrator that is authenticated by a certificate
Step 1. Create the users certificate
Palo Alto Firewalls support interactive and non-interactive authentication
The certificate based authentication, non-interactive, is only available via web browser
If the certificate of the issuing CA is not added to the clients browser, a warning message is generated by the clients browser when attempting to connect
Note, configuration of certificate based authentication for any administrator automatically disables the username and password logins for all administrators on that firewall
Step 2. Create the firewalls certificate profile
Device -> Certificate Mangement -> Certificate Profile -> Add
Add a CA certificate here for the firewall to verify a users certificate.
CRL and OSCP can be used here to check for certificate revocation status
Step 3. Create a custom Admin role if needed
See previous notes
Step 4. Configure the firewall to peform certificate-based authentication
and
Step 5. Create a certificate authenticated administrator account
Under Device -> Setup Management -> Authentication , select the Certificate Profile created earlier
Enabling SSH Key-Based Command Line Firewall Access
Key based command line access provides cryptographic strength over passwords, with passwords not needing to be sent over the network and reducing the risk of brute force attacks. It also options the possibility for two factor authentcation.
Key based SSH logins permits automated scripts access to the CLI too.
This can be configured in Device -> Administrators, ticking the box for ‘Use Public Key Authentication (SSH)’
A public key an imported in the field below the checkbox
Preventing use of stolen credentials by using multi factor authentication
The Palo Alto can be used to detect credential leakage when the firewall is configured to use User-ID. If User-ID detects valid corporate credentials being entered, the Palo Alto can consult the URL filtering to see if the category of the website that is being entered with credentials is valid for having corporate credentials being entered into. If it is meant to be prevented from entering credentials, the firewall will block the attempt to enter corporate credentials.
Block is not the only option that can be configured here, the firewall can be permitted to allow credential submission or set to warns the user against submitting the credentials.
The pages can be customised further, in a way that a pop-up could appear to discourage users from reusing their corporate passwords on other legitimate websites
Steps for Configuring Phishing Protection
Step 1 – Configure User-ID on internal-zones
One Example: See Device -> Server -> Profiles -> LDAP
Device -> User Identification -> Group Mapping Setting
Used to determine user are members of which groups
Second Example: See Device -> User Identification -> User Mapping
User-ID agents monitor devices for login and logout events
Firewall-integrated and Windows-based User IDs agents are available
Firewall-integrated configuration is done in this example, in the username field a user that has permission to view event logs on the event viewer should be entered in the configuration
User-ID also needs to know what type of server it is monitoring, this can be set in Devices -> User Identification -> User Mapping -> Server Monitoring -> Add
Step 2 – Configure a URL filtering Profile to block access to known phishing sites
Objects -> Security Profiles -> URL Filtering
Custom anti-phishing response pages can be set by going to Device -> Response Pages and viewing the Anti Phishing Block Page or Anti Phishing Continue Page
Step 3 – Configure a URL filtering profile to control user credential submission
Objects -> Security Profiles -> URL Filtering -> ADD
Weakest matches to strongest matches:
Use Group Mapping:
Detects corporate usernames by comparing to usernames in LDAP User Group
Uses IP User Mapping
Detects corporate usernames by comparing to User-ID IP-to-Username mapping table
Use Domain Credential Filter
Detects corporate usernames and passwords using bloom filters to match credentials
Default Log Severity on a match is set to medium
Step 4 – Add a URL filtering Profile to Security Policy rules
Leave a Reply