Palo Alto EDU-114: Blocking Threats From Stolen Credentials


Describe authentication and authorization methods supported by the firewall

Configure user accounts for firewall administrators and end users

Define multi-factor authentication implementation methods

Configure the firewall to connect to an MFA server

Configure anti-phishing and user credential submission protections

Summarize the three methods used to break the credential threat attack life cycle

User Authentication

Users connecting to firewall services / connecting to the firewall

Users are required to authenticate for:

  • HTTP/HTTPS access to the management interface
  • HTTP/HTTPS access to the XML API
  • SSH/Telnet access to the Command Line Interface
  • Serial connection to the Console interface

Users can be required to authenticate when connecting through the firewall for applications such as:

  • Accessing a website
  • Accessing web mail
  • Accessing SharePoint
  • Accessing Office 365

Supported Authentication Methods

The Palo Alto software can support three types of authentication services: local, external, and multi-factor authentication.

Local authentication without a database (accounts stored in the XML configuration) can be used to authenticate logins to the firewall.

Without a database, however, the firewall cannot authenticate traffic flowing through the firewall.

Local authentication with a database can be used to authenticate both logins to the firewall and user traffic flowing through the firewall.

The firewall can use all of the external services to authenticate both logins to the firewall and user traffic flowing through the firewall. These are:

  • Kerberos
  • LDAP
  • SAML

Palo Alto software also supports four multi-factor authentication vendors:

  • Duo V2
  • Okta Adaptive
  • PingID
  • RSA SecurID Access

The authentication services above all require an authentication profile. The authentication profile is used to link a set of users to a specific authentication service.

Only the authentication services that use an authentication profile can authenticate user traffic flowing through the firewall.

Configuring Authentication TO the firewall

How a user is authenticated to the firewall is determined by the authentication profile configured for that user.

Each user can be configured with their own Authentication Profile that points to an authentication service.

Or alternatively all users can be configured to use the same authentication profile and authentication service.

To configure per-user authentication to the firewall, assign an authentication profile to a user account when they are added to the firewall.

To configure an authentication profile for all users on the firewall, assign an authentication profile to the authentication settings of the firewall under Device -> Setup -> Management -> Authentication Settings.

The all-users authentication setting only supports RADIUS, TACACS+, and SAML.

SAML can only authenticate users using web based services.

Configuring Authentication THROUGH The Firewall

The firewall can be configured to authenticate user credentials when users attempt to access network resources through the firewall.

In this mode, individual authentication profiles should not be assigned to individual users or to the firewall's authentication settings.

Rather, an authentication profile should be linked to an Authentication policy via an authentication enforcement object.

An example is that a web form could be presented that asks the user to fill out a username and password before they can gain access to a resource. The form can authenticate against an LDAP service to determine whether the user should get access.

Admin Role Profiles

Admin role profiles control authorisation to manage the firewall.

Dynamic Admin Roles are a built in set of permissions, stating what a user can or cannot do on a firewall using the web interface, CLI, or XML API.

Role-based admin roles are a custom set of permissions that control a user's activities on the firewall through the web interface, CLI, or XML API.

User Authentication TO and THROUGH the Firewall

If authentication of traffic flowing through the firewall has been configured, a source user (User-ID) can be set on a Security policy rule to authorise users accessing network resources through the firewall.

Adding a Local, Non-Database Firewall Administrator Account

Step 1 – Create a custom Admin Role if required

Browse to Device -> Admin Roles to create a custom Admin Role Profile.

Although there are predefined role-based admin roles on the firewall already, they cannot be modified. Additional custom roles can be created, though, to fit the needs of the administrator.

Predefined Roles:

  • Audit Administrator – Responsible for the regular review of the firewall audit data
  • Cryptographic Administrator – Responsible for the configuration and maintenance of the cryptographic elements related to the establishment of secure connections into the firewall
  • Security Administrator – Responsible for the administrator tasks that do not fit into the other two administrator roles

Step 2 – Create a local, non-database administrator account

Administrators can be created by browsing to Device -> Administrators

Adding a Local Database User as a Firewall Administrator

Step 1 – Create a user in the local user database

Go to Device, Local User Database, Users, and click Add

Step 2 – Create an authentication profile that links to the local user database

An authentication profile links a username to the authentication service that the firewall must use to authenticate that user's login credentials.

Go to Device, Authentication Profile, and click Add. Select the type ‘Local Database’

Note that selecting the type ‘None’ could allow undesired users to log into the firewall.

In advanced settings, the Allow List can permit only certain users to be authenticated by a profile.

The account lockout option can be set from 0 – 10 failed attempts, to prevent brute force attacks. The default is 0.

A lockout time can also be set to specify how long a user is locked out of the firewall after the failed attempts value has been reached. The range is from 0 – 60. 0 means the account is not unlocked automatically, which creates additional work for administrators.

Step 3 – Create a custom Admin Role Profile if required

Step 4 – Create an administrator account from a user in the local user database

Go to Device, Administrators, enter the name of the username previously created and select the Authentication Profile as created in Step 2.

Adding an External User as a Firewall Administrator

Step 1 – Create a server profile for the external authentication service

To create a server profile, for example LDAP, go to Device -> Server Profiles -> LDAP -> Add

Step 2 – Create an authentication profile that links to the Server Profile

An authentication profile links the username to the authentication service that the firewall uses to authenticate the user's login credentials.

The firewall uses an authentication profile to verify user credentials when a user attempts to log in to the firewall.

The profile is also used when the firewall is attempting to verify user credentials when a user is trying to access a network resource through the firewall.

To add a profile, go to Device -> Authentication Profile -> Add

Step 3 – Create a custom Admin Role Profile if required

Go to Device -> Admin Roles -> Add

An externally authenticated user logging in must be given permissions via an assigned admin role

Externally authenticated users can be given a predefined Dynamic Admin Role Profile, or a custom Role Based Admin Role Profile

Step 4 – Create an Administrator account that links to the Authentication Profile and the Admin Role profile

Go to Device -> Administrators -> Add

The username must match that of what is on the external service.

Adding an administrator that is authenticated by a certificate

Step 1. Create the user's certificate

Palo Alto Firewalls support interactive and non-interactive authentication

Certificate-based authentication, which is non-interactive, is only available via a web browser.

If the certificate of the issuing CA is not added to the client's browser, a warning message is generated by the client's browser when attempting to connect.

Note, configuration of certificate based authentication for any administrator automatically disables the username and password logins for all administrators on that firewall

Step 2. Create the firewalls certificate profile

Device -> Certificate Management -> Certificate Profile -> Add

Add a CA certificate here for the firewall to verify a user's certificate.

CRL and OCSP can be used here to check certificate revocation status.

Step 3. Create a custom Admin role if needed

See previous notes

Step 4. Configure the firewall to perform certificate-based authentication

Step 5. Create a certificate authenticated administrator account

Under Device -> Setup -> Management -> Authentication Settings, select the Certificate Profile created earlier.

Enabling SSH Key-Based Command Line Firewall Access

Key-based command line access provides cryptographic strength over passwords: the password does not need to be sent over the network, which reduces the risk of brute force attacks. It also opens the possibility of two-factor authentication.

Key-based SSH logins also permit automated scripts to access the CLI.

This can be configured in Device -> Administrators by ticking the box for ‘Use Public Key Authentication (SSH)’.

A public key can be imported in the field below the checkbox.

Preventing use of stolen credentials by using multi-factor authentication

The Palo Alto can be used to detect credential leakage when the firewall is configured to use User-ID. If User-ID detects valid corporate credentials being submitted, the firewall consults URL filtering to check whether the category of the website receiving the credentials is one into which corporate credentials may be entered. If submission is meant to be prevented for that category, the firewall blocks the attempt to enter corporate credentials.

Block is not the only option that can be configured here: the firewall can also be set to allow credential submission, or to warn the user against submitting the credentials.

The pages can be customised further, in a way that a pop-up could appear to discourage users from reusing their corporate passwords on other legitimate websites

Steps for Configuring Phishing Protection

Step 1 – Configure User-ID on internal-zones

One Example: See Device -> Server Profiles -> LDAP

Device -> User Identification -> Group Mapping Setting

Used to determine which groups users are members of.

Second Example: See Device -> User Identification -> User Mapping

User-ID agents monitor devices for login and logout events

Firewall-integrated and Windows-based User-ID agents are available.

The firewall-integrated configuration is used in this example. In the username field, enter a user that has permission to view event logs in the Event Viewer of the monitored server.

User-ID also needs to know what type of server it is monitoring; this can be set in Device -> User Identification -> User Mapping -> Server Monitoring -> Add

Step 2 – Configure a URL filtering Profile to block access to known phishing sites

Objects -> Security Profiles -> URL Filtering

Custom anti-phishing response pages can be set by going to Device -> Response Pages and viewing the Anti Phishing Block Page or Anti Phishing Continue Page

Step 3 – Configure a URL filtering profile to control user credential submission

Objects -> Security Profiles -> URL Filtering -> Add

Detection methods, from weakest to strongest match:

  • Use Group Mapping – Detects corporate usernames by comparing them to usernames in the mapped LDAP user group
  • Use IP User Mapping – Detects corporate usernames by comparing them to the User-ID IP-to-username mapping table
  • Use Domain Credential Filter – Detects corporate usernames and passwords using bloom filters to match credentials

Default Log Severity on a match is set to medium.
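The following is an added illustration of the three detection methods above, not Palo Alto's own code: a constructed bloom filter stands in for the domain credential filter (only hashed username:password pairs are stored), and a hypothetical URL filtering profile maps categories to the credential-submission actions (allow, alert, continue, block). All users, IPs and category actions are constructed sample data.

```python
import hashlib

class CredentialBloomFilter:
    """Constructed stand-in for the domain credential filter: only hashed
    username:password pairs are stored, never the plaintext credentials."""
    def __init__(self, bits=4096, hash_count=4):
        self.bits = bytearray(bits)  # one byte per bit, for clarity
        self.hash_count = hash_count

    def _positions(self, item):
        for salt in range(self.hash_count):
            digest = hashlib.sha256(f"{salt}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % len(self.bits)

    def add(self, username, password):
        for pos in self._positions(f"{username.lower()}:{password}"):
            self.bits[pos] = 1

    def __contains__(self, cred):  # cred is a (username, password) tuple
        username, password = cred
        key = f"{username.lower()}:{password}"
        return all(self.bits[pos] for pos in self._positions(key))

def credential_matches(method, username, password, src_ip,
                       group_users, ip_user_map, cred_filter):
    """True when the submission is recognised as a corporate credential
    under the chosen detection method (weakest to strongest)."""
    if method == "group-mapping":             # username exists in the mapped group
        return username.lower() in group_users
    if method == "ip-user-mapping":           # username owns src_ip per User-ID
        return ip_user_map.get(src_ip, "").lower() == username.lower()
    if method == "domain-credential-filter":  # username AND password match
        return (username, password) in cred_filter
    raise ValueError(f"unknown method: {method}")

# Constructed sample data: hypothetical users, IPs and URL filtering profile.
GROUP_USERS = {"alice", "bob"}
IP_USER_MAP = {"10.1.1.5": "alice", "10.1.1.6": "bob"}
CRED_FILTER = CredentialBloomFilter()
CRED_FILTER.add("alice", "Winter2024!")
PROFILE = {"phishing": "block", "unknown": "block",
           "social-networking": "continue", "business-and-economy": "alert"}

def evaluate(method, username, password, src_ip, category):
    """Action for a credential submission: 'allow' when nothing corporate is
    detected, otherwise the profile's per-category credential action."""
    if not credential_matches(method, username, password, src_ip,
                              GROUP_USERS, IP_USER_MAP, CRED_FILTER):
        return "allow"
    return PROFILE.get(category, "allow")
```

Note how the weaker methods fire on the username alone, so a non-corporate password typed with a corporate username still matches, whereas the credential filter only matches when both parts belong to the domain.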

Step 4 – Add a URL filtering Profile to Security Policy rules
