Setting up A3
- Log on to the management interface of A3 and go to Configuration → Integration → Firewall SSO.
- Click ‘Add firewall’ and choose Palo Alto (this should be Palo Alto Networks, I know they are very picky about that).
- Type in the IP address or hostname of the firewall’s management interface. Choose vsys1 if you are not using Virtual Systems on the firewall (multitenant environments), or choose the vsys you want to configure User-ID for.
- Leave transport set to http and the port set to 443.
- To create the token (secret or key), use the following URL format:
  https://[MGT-IP-Address]/api/?type=keygen&user=[adminaccount]&password=[password]
  Note: A security best practice is to create a separate local account on the firewall to generate the token, and to not use the default admin account.
- Under Roles, choose the roles for which the User-ID should be forwarded to the firewall.
- Define the subnets on which SSO will apply.
- Depending on the firewall model and the number of users, it is possible to overload the firewall with User-ID updates. Choose ‘Cache updates’ if you see this happening; it creates pauses between updates. You can tune this by changing the ‘Cache timeout’ field.
- Normally the default username format should be fine, but ‘Username format’ allows you to change the format of the username before it is sent to the firewall.
- I would recommend filling in the Default Realm. If the realm is not part of the username used for authentication, it will not be sent to the firewall without this option. When that happens, there is a big chance that the username sent over cannot be matched by the firewall against LDAP, and no match will take place. Ultimately the user does not match any firewall rule, which makes it impossible to communicate with other zones (to the internet, for example).
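The token step above as a worked example (added here, not part of the original post or of A3/PAN-OS code): a small Python script that requests the API key from the firewall with the dedicated local account and parses the keygen reply, treating an error reply as a failure instead of silently storing an empty key. The hostname, account name and the two sample responses are constructed placeholders; the POST form of the call is assumed to be accepted alongside the GET form shown above.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_keygen_request(mgmt_host, user, password):
    """Build the PAN-OS keygen call as a POST.

    The credentials go in the form body rather than the query string, which
    keeps the password out of proxy and web-server access logs. Assumption:
    the keygen endpoint accepts the form body as well as the GET form above.
    """
    url = f"https://{mgmt_host}/api/?type=keygen"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def parse_keygen_response(xml_text):
    """Return the API key from a keygen reply; raise if the firewall reported an error."""
    root = ET.fromstring(xml_text)
    status = root.get("status")
    if status != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise RuntimeError(f"keygen failed (status={status}): {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply carried no key")
    return key


def fetch_api_key(mgmt_host, user, password):
    """Request and return the API key (TLS verification is left at the default: on)."""
    req = build_keygen_request(mgmt_host, user, password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample replies, shaped like the firewall's success and error answers.
SAMPLE_OK = '<response status="success"><result><key>EXAMPLEKEY==</key></result></response>'
SAMPLE_ERR = '<response status="error"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    # Placeholder host and account: the dedicated local SSO account, not the default admin.
    print(fetch_api_key("firewall-mgmt.example.invalid", "a3-sso", "change-me"))
```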
Example of the configuration
The identities of the users authenticating to A3 are now shared with the firewall:
Setting up the Palo Alto Networks firewall
If A3 is set up correctly, the users will now show up in the Palo Alto Networks firewall under Monitor → Traffic, in the ‘Source User’ column. In order to create user-based firewall policies, you will need to enable the firewall to connect to the domain using LDAP and set up WMI authentication. You can set up the firewall according to the documentation, which can be found here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/enable-user-id