
Wednesday, March 25, 2020

Palo Alto Networks - GlobalProtect - Part IV

ATTENTION: Please visit the Palo Alto Networks Live site for the latest version of this post.

----------------------------------------------------------------------------------------------------------------

In my previous post, we covered security policy matching based on user identity and device context provided via the GlobalProtect app. We also enabled notifications to the end user based on compliance of the endpoint. In this post, we are going to configure Authentication Policy with MFA to provide elevated access for both HTTP and non-HTTP traffic to specific sensitive resources. You can see a diagram of the environment here.

The value of Authentication Policy with MFA is that, regardless of whether the user is known and the device is compliant, the user must still authenticate with multiple factors to prove their identity before accessing a specific resource. This helps prevent lateral movement by attackers who have established persistence internally via a compromised machine or with phished credentials.

Note - This post assumes the following:
  • You have already followed the previous posts in this series.
  • You have Duo MFA configured
Although this capability can be configured without GlobalProtect for HTTP applications, we are going to focus on non-HTTP applications to highlight the GlobalProtect app's role in the authentication prompt process.

Part IV - Authentication Policy with MFA
  • Navigate to Device -> Certificate Management -> SSL/TLS Service Profile -> Add to create a profile that references the root CA created previously
  • Navigate to Device -> Authentication Profile -> Add to create a new profile that consists of the LDAP and DUO Server Profiles that were previously created
    • On the Authentication tab
      • Enter a Name
      • Set the Type to LDAP
      • Set the Server Profile to LDAP
      • Enter a Login Attribute of sAMAccountName
      • Set the User Domain to your domain
    • On the Factors tab
      • Check the Enable Additional Authentication Factors check box
      • Add the Multi Factor Authentication Server Profile that was previously created as part of your DUO setup
    • On the Advanced tab, select the user group previously created to add to the Allow List
    • Click OK
  • Navigate to Device -> User Identification -> Captive Portal and click on the gear icon
    • Check the Enable Captive Portal check box
    • Select the SSL/TLS Service Profile and Authentication Profile that were previously created
    • Set the Mode to Redirect
    • Set the Redirect Host to an IP address of an interface on the firewall
      • In my case, it's the IP address of my trust interface
    • Click OK
  • Navigate to Network -> GlobalProtect -> Portals -> select the previously configured portal -> Agent -> select the previously configured config -> App -> and change the following App Configurations parameters
    • Set Connect Method to User-logon (Always On)
    • Set Show System Tray Notifications to Yes
    • Set Enable Inbound Authentication Prompts from MFA Prompts (UDP) to Yes
    • Set Trusted MFA Gateways to the IP address referenced in your Captive Portal along with port 6082.
      • In my case it's 192.168.1.254:6082
    • Click OK
  • Navigate to Objects -> Authentication -> Add to create a new Authentication Enforcement
    • Enter a Name
    • Set the Authentication Method to web-form
    • Set the Authentication Profile to the MFA profile that was previously created
    • Click OK
  • Navigate to Policies -> Authentication -> Add to create an authentication rule
    • Note - If you need a resource for testing, there are plenty of test SSH servers available publicly. In the example below, that is what I am using.
    • As shown below, any user from the trust or gp zone that is destined to a specific server in the untrust zone will be prompted to authenticate, regardless of whether they are a verified user or not.
  • Commit the configuration
  • Lastly, when testing with a Windows client, make sure that the host firewall is allowing UDP port 4501 inbound.
You should now be able to test access to the resource. Here is the general workflow that you can follow:
  • Ensure that the GlobalProtect app is connected to either your external or internal gateway
  • From operational mode in the CLI, run show user ip-user-mapping all type CP to list the users authenticated via Captive Portal
    • It should show 0 users
  • Attempt to access the resource referenced in the Authentication Policy rule, and you will see a prompt requiring you to authenticate
  • Upon authenticating via the factors you defined, you should be able to access the resource, as well as run the same show user ip-user-mapping all type CP and see your user account

Saturday, March 21, 2020

Palo Alto Networks - Duo Integration via RADIUS

Duo can be integrated with Palo Alto Networks in a variety of ways. In this post, we are going to be looking at RADIUS integration, specifically. This would allow administrators to add additional factors of authentication for mobile users connecting to specific GlobalProtect gateways, for example.

Note - This post assumes that you have an active Duo account, along with a domain controller running Windows Server 2012 R2 or later. There is a great Duo tutorial that covers this configuration, but I thought I would include the specific steps I followed in this post.

From the Duo interface:
  • Navigate to Users to add a user name that matches a user in Active Directory
    • Select Add Phone to add your mobile phone as a 2FA device
      • You should then be able to send an activation link to the device
  • Navigate to Applications -> Protect an Application -> search for Palo Alto SSL VPN -> Protect
From the Windows server:
  • Download the latest Duo Authentication Proxy here and install it as a user with administrative rights
  • Navigate to C:\Program Files (x86)\Duo Security Authentication Proxy\conf and edit the authproxy.cfg file using WordPad (Notepad is discouraged)
  • Delete all the contents of the file, and replace it with the following data:
[ad_client]
host=(enter the IP address of the domain controller)
service_account_username=(enter the service account username)
service_account_password=(enter the service account password)
search_dn=DC=mydomain,DC=local
[radius_server_auto]
ikey=(enter the Integration Key found in the Palo Alto SSL VPN application in Duo)
skey=(enter the Secret Key found in the Palo Alto SSL VPN application in Duo)
api_host=(enter the API Hostname found in the Palo Alto SSL VPN application in Duo)
radius_ip_1=(enter the IP address of the trust interface of the firewall)
radius_secret_1=(enter a shared secret of your choice)
client=ad_client
port=1812
failmode=safe
From the firewall interface:
  • Navigate to Device -> Server Profiles -> RADIUS -> Add
    • Enter a Profile Name
    • Set the Timeout (sec) to 60
    • Set the Authentication Protocol to PAP
    • Add a Server
      • Enter a Name
      • Enter a RADIUS Server
        • This should be the IP address of the AD server on which the Duo Authentication Proxy was installed
      • Enter the same Secret that was created in the authproxy file for radius_ip_1
    • Click OK
  • Navigate to Device -> Authentication Profile -> Add
    • Enter a Name
    • Set the Type to RADIUS
    • Set the Server Profile to the RADIUS profile that was previously created
    • Set the User Domain to your domain
    • Navigate to the Advanced tab and select the user group (where applicable)
    • Click OK
You can now test this by adding the Authentication Profile to an administrator or to a GlobalProtect configuration, like in this post.
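The two pieces configured above, the authproxy.cfg [radius_server_auto] section listening on port 1812 with radius_secret_1 and the firewall's RADIUS Server Profile set to PAP, talk RFC 2865 RADIUS to each other. The following is an added example, not code from this post, from Duo or from Palo Alto Networks: a stdlib-only Python model of that exchange. It builds an Access-Request the way a NAS such as the firewall does (User-Name, PAP-hidden User-Password, NAS-IP-Address, plus the RFC 2869 Message-Authenticator), then plays the proxy's side offline to show what the shared secret does and does not protect. The user name, password, address 192.0.2.1 and secret are constructed sample values.

```python
"""RADIUS PAP Access-Request helpers (RFC 2865, Message-Authenticator from RFC 2869).
Constructed example: builds the kind of request the firewall sends to the Duo
Authentication Proxy on UDP 1812 with PAP, then plays the proxy's side offline."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80          # 16-byte HMAC-MD5 over the whole packet
HEADER = struct.Struct("!BBH")           # code, identifier, length; 16-byte authenticator follows


def _xor_md5_chain(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block);
    # block 0 uses the Request Authenticator. Encrypt and decrypt share this loop.
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return bytes(out)


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)      # pad to a 16-byte multiple
    return _xor_md5_chain(padded, secret, request_auth, decrypt=False)


def decode_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_md5_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 0, request_auth: bytes = b"") -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be fresh and unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))     # zeroed while the HMAC is computed
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()   # fill the last 16 bytes


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, identifier, length = HEADER.unpack_from(packet)
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad RADIUS attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed; False if absent."""
    _, _, _, attrs = parse_packet(packet)
    length, pos = HEADER.unpack_from(packet)[2], 20
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = HEADER.pack(code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the client must check before trusting an Access-Accept."""
    code, identifier, length = HEADER.unpack_from(response)
    head = HEADER.pack(code, identifier, length)
    expected = hashlib.md5(head + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    # Constructed sample values, not a real secret, user or address.
    secret, auth = b"example-radius-secret", bytes(range(16))   # fixed authenticator for reproducibility only
    req = build_access_request("jdoe", "Winter2020!", secret, "192.0.2.1", identifier=7, request_auth=auth)
    _, ident, _, attrs = parse_packet(req)
    hidden = dict(attrs)[ATTR_USER_PASSWORD]
    return {
        "request_mac_ok": verify_message_authenticator(req, secret),
        "tampered_request_ok": verify_message_authenticator(req[:22] + b"x" + req[23:], secret),
        "password_with_secret": decode_pap_password(hidden, secret, auth),
        "password_wrong_secret": decode_pap_password(hidden, b"wrong-secret", auth),
        "accept_ok": verify_response(build_response(ACCESS_ACCEPT, ident, auth, secret), auth, secret),
        "forged_accept_ok": verify_response(build_response(ACCESS_ACCEPT, ident, auth, b"wrong-secret"), auth, secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it prints six checks. The PAP password is hidden only by an MD5 keystream derived from the shared secret, so anyone holding radius_secret_1 and the packet recovers it; that is why the secret should be long and random and why the firewall-to-proxy path belongs on a trusted segment rather than crossing an untrusted network. A reply built with the wrong secret fails the Response Authenticator check, which is what stops a forged Access-Accept from a host that never saw the secret, and the Message-Authenticator lets the proxy reject a request whose attributes were altered in transit. The 60 second Timeout set on the RADIUS Server Profile gives the proxy time to complete the Duo push before the firewall gives up on the request.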