Create User-to-Data-Center Authentication Policy Rules
Authenticate users to prevent unauthorized access to data and resources in the data center, including using multi-factor authentication for access to sensitive systems and data.
Authentication Policy rules force users to prove that they are who they claim to be before they can access data center services, applications, and other resources. Authentication is especially important for protecting your most valuable assets because if an attacker steals credentials and authenticates with the firewall, the attacker may be able to access and compromise any asset in your data center.
For access to sensitive servers and for third-party user access to servers (for example, SAP development contractors accessing SAP servers in the data center), implement Multi-Factor Authentication (MFA) to prevent attackers from using stolen credentials to access those systems. An Authentication policy with MFA would have prevented a number of successful high-profile breaches over the past several years.
Before you create Authentication Policy rules (Policies > Authentication), you must configure Authentication Policy dependencies to tie the authentication method, the authentication type, how to access the authentication server, and the use of Captive Portal to an Authentication Policy rule that specifies who can authenticate on which servers using what services.
- Authenticate employee user groups and individuals who have legitimate business reasons to use data center servers.
  This rule shows how to authenticate user groups so that they can access the services required for their business activities on the necessary servers. For example, engineers need to authenticate before they can access development servers and applications. To create this rule:
  - Specify the engineering user groups that need to authenticate before they can access engineering servers in the data center, in this example, pantac2012\apiusers and pantac2012\engg.
  - Apply authentication for these user groups to data center development server access requests by creating a dynamic address group (Dev-Servers) for them and setting it as the Destination Address.
  - Apply the Authentication rule to the services engineering groups need to use for business purposes, in this example Perforce, rdp, service-http, service-https, and ssh (developers may need to use SSH and RDP to access Linux servers and should authenticate before being allowed to access those servers). The services in your authentication rules depend on the services that the groups need to use.
  - Configure an Authentication Enforcement Object (Auth-Dev-Servers) that specifies the authentication method and the Authentication Profile and add it to the rule.
  - Log activity so that you can track and analyze rule violations, which may indicate an attempted attack.
  Another authentication use case is when a group requires access to a particular set of services. For example, Finance Department users need access to sensitive Payment Card Information (PCI) using particular services and should authenticate before being granted access. To authenticate users for those services, this rule uses a custom Service Group (Objects > Service Groups) that includes only the services for which the firewall should authenticate Finance users. To create this rule:
  - Specify the user groups that need to authenticate before they can access finance servers in the data center, in this example, pantac2012\accounting-users and pantac2012\finance-users.
  - Apply authentication for these user groups to data center finance server access requests by creating a dynamic address group (Finance-DC-Infra) for them and setting it as the Destination Address.
  - Apply the Authentication rule to the services that Finance users need to use for business purposes, in this example service-http, service-https, and the services defined in the custom service group Custom-Finance-Srvrs-Services, so that users must authenticate before they can access these services.
  - Configure an Authentication Enforcement Object (Auth-Finance-Servers) that specifies the authentication method and the Authentication Profile and add it to the rule.
  - Log activity so that you can track and analyze rule violations, which may indicate an attempted attack.
- Authenticate contractors, partners, customers, and other non-employee groups that require data center access.
  This rule requires MFA for third-party user groups such as contractors, partners, and customers because you have less control over the business and security practices of their companies and personnel than you do over your employees. Requiring these users to authenticate with at least two factors protects your data center against credential theft at a third-party company. To create this rule:
  - Specify the contractor user groups that need to authenticate before they can access SAP servers, in this example, the pantac\sap-contractors group.
  - Apply authentication for these users to the SAP database servers by creating a dynamic address group (SAP DB Server) for them and setting it as the Destination Address.
  - Apply the Authentication rule to the services SAP contractors need to use for business purposes. Create a custom service group (Sap-Services) to define the ports on which SAP contractors can authenticate and add other necessary services, in this example, service-http and service-https.
  - Configure an Authentication Enforcement Object (Auth-SAP-Servers) that specifies the authentication method and the Authentication Profile and add it to the rule. In this case, the authentication type must be one that supports MFA, and you must Add an MFA server profile to the Authentication Profile (Factors tab) and perform the rest of the steps to configure MFA. Configure MFA to authenticate all users and user groups that access sensitive systems to protect against attackers with stolen credentials.
- Authenticate users who need specialized access, such as IT personnel who need secured access to data center servers for management and maintenance.
  This rule shows you how to configure authentication for users who have privileged accounts, which grant administrative access to critical systems. Because compromising the credentials of a privileged user hands an attacker the keys to your data center kingdom and its valuable assets, you need to protect against stolen credentials by requiring at least two factors of authentication to ensure that only legitimate users are granted access. This example shows how to authenticate the right IT users for access to data center server management interfaces. To create this rule:
  - Specify the privileged account users who need to authenticate before they can access data center server management interfaces, in this example, the pantac\it-superusers group.
  - Apply authentication for the user group to data center management interface access requests by creating an address group (IT-Server-Management, a static address group in this example) for them and setting it as the Destination Address.
  - Apply the Authentication rule to the services privileged IT personnel need to use for business purposes, in this example, the custom service group Custom-IT-ports, which identifies all of the server management ports (which should be placed on the same subnet).
  - Configure and apply an Authentication Enforcement Object (Auth-IT-Server-Mgmt in this example) that requires MFA (two factors) for authentication. Add an MFA server profile to the Authentication Profile (Factors tab) and perform the rest of the steps to configure MFA. Using MFA is critical because you need to be certain of the identity of each IT user who has a privileged account, since they have access to device management. To further reduce the opportunity for an attacker to compromise the data center using stolen credentials, or an opportune moment when a workstation is unattended but not locked, configure authentication timestamps for the authentication factors when you configure MFA. With valuable data center assets, it's best to prioritize securing services and applications.
  - Log activity so that you can track and analyze rule violations.
  IT personnel also manage switches, routers, and other devices in the data center. If the same group of IT users manages those resources, you can add them to the destination zone and address so that the rule authenticates IT superusers before they can access the management interfaces of those devices. If different IT user groups manage different sets of data center resources, create separate, tight Security policy rules and corresponding Authentication policy and Decryption policy rules for each user group.
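The four rules above share one evaluation shape: the firewall matches a session against the rule's source user groups, destination address group and services, then enforces the rule's Authentication Enforcement Object, requiring a second factor and a fresh authentication timestamp where MFA is configured. The following Python model of that evaluation is an added example written for this page; it is not PAN-OS code or Palo Alto Networks' own implementation. The subnets behind the address groups, the port lists behind the custom service groups, the timeout values, the single-timestamp-per-user simplification and the function names are assumptions made for the example; the rule, group, address-group and service names come from the page.

```python
"""Model of how user-to-data-center Authentication Policy rules are evaluated.

Added example, not PAN-OS code. Address-group subnets, service-group ports,
timeout values and the per-user (timestamp, factors) state are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address groups (assumption): the subnet each destination group covers.
ADDRESS_GROUPS = {
    "Dev-Servers": ip_network("10.10.1.0/24"),
    "Finance-DC-Infra": ip_network("10.10.2.0/24"),
    "SAP DB Server": ip_network("10.10.3.0/24"),
    "IT-Server-Management": ip_network("10.10.9.0/24"),
}

# Constructed service definitions (assumption): name -> set of (protocol, port).
SERVICES = {
    "service-http": {("tcp", 80)},
    "service-https": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "rdp": {("tcp", 3389)},
    "Perforce": {("tcp", 1666)},
    "Custom-Finance-Srvrs-Services": {("tcp", 1433), ("tcp", 8443)},
    "Sap-Services": {("tcp", 3200), ("tcp", 3300)},
    "Custom-IT-ports": {("tcp", 22), ("tcp", 443), ("tcp", 623)},
}


@dataclass(frozen=True)
class Enforcement:
    """Stand-in for an Authentication Enforcement Object."""
    name: str
    mfa: bool      # True when the Authentication Profile carries an MFA server profile
    timeout: int   # seconds an authentication timestamp stays valid (assumed values)


@dataclass(frozen=True)
class AuthRule:
    name: str
    source_users: frozenset   # user groups that must authenticate
    destination: str          # address group name
    services: frozenset       # service or service-group names
    enforcement: Enforcement
    log: bool = True


# The four rules from the page, top-down like a rulebase. Timeouts are assumptions.
RULES = [
    AuthRule("Auth-Dev-Servers",
             frozenset({r"pantac2012\apiusers", r"pantac2012\engg"}), "Dev-Servers",
             frozenset({"Perforce", "rdp", "service-http", "service-https", "ssh"}),
             Enforcement("Auth-Dev-Servers", mfa=False, timeout=3600)),
    AuthRule("Auth-Finance-Servers",
             frozenset({r"pantac2012\accounting-users", r"pantac2012\finance-users"}),
             "Finance-DC-Infra",
             frozenset({"service-http", "service-https", "Custom-Finance-Srvrs-Services"}),
             Enforcement("Auth-Finance-Servers", mfa=False, timeout=3600)),
    AuthRule("Auth-SAP-Servers", frozenset({r"pantac\sap-contractors"}), "SAP DB Server",
             frozenset({"Sap-Services", "service-http", "service-https"}),
             Enforcement("Auth-SAP-Servers", mfa=True, timeout=900)),
    AuthRule("Auth-IT-Server-Mgmt", frozenset({r"pantac\it-superusers"}),
             "IT-Server-Management", frozenset({"Custom-IT-ports"}),
             Enforcement("Auth-IT-Server-Mgmt", mfa=True, timeout=600)),
]


def match_rule(groups, dst_ip, proto, port, rules=RULES):
    """Return the first rule whose user groups, destination and service all match, else None."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if not (set(groups) & rule.source_users):
            continue
        if dst not in ADDRESS_GROUPS[rule.destination]:
            continue
        if not any((proto, port) in SERVICES[s] for s in rule.services):
            continue
        return rule
    return None


def evaluate(groups, dst_ip, proto, port, auth_state, now, rules=RULES):
    """Decide the action for a session.

    auth_state is None or (timestamp, factors_completed) for this user.
    Returns (rule_name, action) with action one of 'no-auth-rule', 'allow',
    'authenticate' or 'authenticate-mfa'.
    """
    rule = match_rule(groups, dst_ip, proto, port, rules)
    if rule is None:
        return (None, "no-auth-rule")   # only the Security policy decides this session
    required = 2 if rule.enforcement.mfa else 1
    if auth_state is not None:
        when, factors = auth_state
        # A stale timestamp or too few completed factors both force re-authentication.
        if now - when <= rule.enforcement.timeout and factors >= required:
            return (rule.name, "allow")
    return (rule.name, "authenticate-mfa" if rule.enforcement.mfa else "authenticate")


if __name__ == "__main__":
    now = 1_000_000
    print(evaluate([r"pantac2012\engg"], "10.10.1.5", "tcp", 22, None, now))
    print(evaluate([r"pantac\it-superusers"], "10.10.9.3", "tcp", 623, (now - 100, 1), now))
```

Two points the model makes visible: a single-factor authentication that satisfies the developer rule does not satisfy the IT management rule, because the enforcement object there demands two factors; and an MFA timestamp that has aged past the configured timeout forces re-authentication, which is the control the page recommends against an unattended, unlocked workstation.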