Setting up A3 and Palo Alto Networks User-ID

Symptoms
The goal of this exercise is to enable the Palo Alto Networks firewall to enforce identity-based security rules instead of subnet-, VLAN- or host-based rules. The result is a system that makes policy decisions based on the identity of the user, regardless of the device they use.
Environment
  • A3
  • Palo Alto
Resolution

Setting up A3

  1. Log on to the management interface of A3 and go to Configuration > Integration > Firewall SSO.
  2. Click ‘Add Firewall’ and choose Palo Alto (the vendor's preferred name is Palo Alto Networks, but that is how the option is labelled).
  3. Type in the IP address or hostname of the firewall’s management interface. Choose vsys1 if you are not using Virtual Systems on the firewall (multi-tenant environments); otherwise choose the vsys you want to configure User-ID for.
  4. Leave Transport at http and Port at 443.
  5. To create the token (secret or key), use the following URL format:
https://[MGT-IP-Address]/api/?type=keygen&user=[adminaccount]&password=[password]

Note: A security best practice is to create a separate local account on the firewall to generate the token, and not to use the default admin account.
  6. Under Roles, choose the roles whose User-ID mappings you want to forward to the firewall.
  7. Define the subnets to which SSO will apply.
  8. Depending on the firewall model and the number of users, it is possible to overload the firewall with User-ID updates. Choose ‘Cache updates’ if you see this happening; it introduces pauses between updates. You can tune this by changing the ‘Cache timeout’ field.
  9. Normally the default username format is fine, but ‘Username format’ allows you to change the format of the username before it is sent to the firewall.
  10. I would recommend filling in the Default Realm. If the realm is not part of the username at authentication time and no Default Realm is set, no realm is sent to the firewall. There is then a big chance that the firewall cannot look up the username it receives in LDAP, and no match takes place. Ultimately the user matches no user-based firewall rule and cannot communicate with other zones (the internet, for example).
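As an added example (not part of this article, nor A3 or PAN-OS code), the Python below builds the keygen request from step 5, parses the firewall's XML reply, and applies the Default Realm rule from step 10. The host, account name and both reply bodies are constructed placeholders, and the DOMAIN\user output format is an assumption about what the firewall expects for LDAP matching.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed samples of a PAN-OS keygen reply; the key is a placeholder.
SAMPLE_KEYGEN_OK = (
    '<response status="success"><result>'
    '<key>PLACEHOLDER-API-KEY</key></result></response>'
)
SAMPLE_KEYGEN_FAIL = (
    '<response status="error" code="403"><result><msg>'
    'Invalid credentials.</msg></result></response>'
)


def keygen_request(mgmt_host, user, password):
    """Return (url, body) for the keygen call.

    Credentials are placed in the POST body rather than the query string,
    so the password does not land in proxy or web-server access logs.
    Use the dedicated local account the article recommends, not admin.
    """
    url = f"https://{mgmt_host}/api/?type=keygen"
    body = urlencode({"user": user, "password": password})
    return url, body


def parse_keygen_response(xml_text):
    """Extract the API key, or raise with the firewall's message on failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "unknown error"
        raise RuntimeError(f"keygen failed ({root.get('code')}): {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no <key>")
    return key


def format_user_id(username, default_realm):
    """Apply the Default Realm rule (step 10).

    A bare login name gets the realm prepended (assumed DOMAIN\\user form);
    a name that already carries a realm ('\\' or '@') is left untouched.
    """
    if "\\" in username or "@" in username:
        return username
    return f"{default_realm}\\{username}"
```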

Example of the configuration

[Screenshot of the A3 Firewall SSO configuration; image not reproduced]

Result

The identities of users authenticating to A3 are now shared with the firewall:
[Screenshot of user identities received by the firewall; image not reproduced]

Setting up the Palo Alto Networks firewall

If A3 is set up correctly, the users will now show up in the Palo Alto Networks firewall under Monitor > Traffic, in the ‘Source User’ column. To create user-based firewall policies, you also need to enable the firewall to connect to the domain using LDAP (so that usernames can be resolved to groups) and to set up WMI authentication. Configure the firewall according to the documentation found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/enable-user-id