Enable Data Redistribution on Cloud NGFW for Azure

Learn how to enable User-ID on the Cloud NGFW for Azure.
Cloud NGFW protects your Azure VNet and Azure Virtual WAN traffic with user awareness. User identity, rather than IP address, is an integral component of an effective security infrastructure: knowing who is accessing each application on your network, and who may have transmitted a threat or is transferring files, lets you write tighter security policies and shortens incident response. User-ID™, a standard feature of Palo Alto Networks firewalls, lets you use user information stored in a wide range of repositories. To learn more about User-ID concepts, see the User-ID overview.
To enforce policy based on users or groups:
  • The firewall must be able to map IP addresses to user names.
  • User-ID provides several mechanisms for collecting this mapping information. To learn more, see User-ID Concepts.
On PAN-OS firewalls in general, if none of the mapping methods captures a mapping for a user, an Authentication Policy can redirect the user to an Authentication Portal login; the credentials the user enters are checked against the identity provider and access is enforced accordingly. Learn more about authentication policy. Note that Authentication Policy is not supported on Cloud NGFW for Azure (see Limitations), so on Cloud NGFW the mapping must come from one of the methods described on this page.
To enforce user- and group-based policy, the firewall also requires a list of all available users and their corresponding group memberships, which it obtains through group mapping.
You can enable User-ID on Cloud NGFW for Azure using the following methods:

Enable User-ID with PAN-OS Integrated Agent

Prerequisites:
  1. Import Root Certificate.
    In Panorama, go to Device > Certificate Management > Certificates and import the root CA certificate that issued the Windows server's WinRM-HTTPS certificate, so the firewall can validate the server when it connects.
  2. Add Certificate Profile.
    1. In Panorama, go to Device > Certificate Management > Certificate Profile.
    2. Create a profile that references the imported root certificate.
  3. Add Certificate Profile to User-ID Connection Security.
    1. In Panorama, go to Device > User Identification > User Mapping.
    2. Edit User-ID Connection Security and assign the certificate profile.
  4. Configure Server Monitor Account.
    1. In Panorama, go to Device > User Identification > User Mapping.
    2. Provide the user name and password of the Active Directory service account the firewall will use to read the domain controller's security log.
  5. Configure Server Monitoring (WinRM-HTTPS).
    1. In Panorama, go to Device > User Identification > User Mapping > Server Monitoring.
    2. Select Microsoft Active Directory as the type and WinRM-HTTPS as the transport protocol, and enter the address of the Windows server (domain controller) that hosts Active Directory as the Network Address.
    Cloud NGFW for Azure also supports IP-to-user mapping using the Windows User-ID Agent or the Terminal Server Agent (see the next section for the Windows User-ID Agent).
  6. Enable User-ID on Cloud NGFW Interfaces.
    As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
    1. Select Network > Zones and select the zone where you're configuring User-ID.
    2. Add your networks to Include and Exclude lists as needed.
    3. Click OK.
    On your Cloud NGFW device group, enable User-ID for both Private and Public zones.
  7. Configure Service Route to LDAP Server.
    1. In Panorama, go to Device > Setup > Services > Service Route Configuration.
    2. Select LDAP as Service, loopback.3 as Source interface, and active directory IP address as Source address.
    3. Commit your changes.
  8. Configure LDAP Server Profile.
    1. In Panorama, go to Device > Server Profiles > LDAP, add LDAP profile.
    2. Enter the domain's Base DN and the service account's Bind DN (both can be read from ADSI Edit).
    3. Provide the Bind DN password. Use an SSL/TLS-secured LDAP connection so the bind credentials are not sent in clear text.
  9. Configure Group Mapping.
    1. In Panorama, go to Device > User Identification > Group Mapping.
    2. Add using the created LDAP profile.
  10. Configure User-ID Master Device.
    In the Cloud NGFW device group, select the User-ID Master Device (choose one of the backend firewall instances). Panorama retrieves user and group information from this device to populate the Source User field when you define policy.
  11. Commit your changes.
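
The steps above configure the Panorama side of WinRM-HTTPS server monitoring; the domain controller also has to present a certificate that chains to the imported root CA, listen on TCP 5986, admit the firewall, and grant the service account just enough rights to read the security log. The following PowerShell script, run on the domain controller, is an added example and not part of the Palo Alto Networks page. It assumes hypothetical values: an enterprise CA named Contoso Root CA that already issued the server a Server Authentication certificate, a Cloud NGFW User-ID source network of 10.10.3.0/24, and a service account CONTOSO\svc-userid. The local group memberships it grants are an assumption about least privilege for WinRM log reading; confirm them against the PAN-OS User-ID server monitoring requirements for your release.

```powershell
#Requires -RunAsAdministrator
# Added example: prepare a domain controller for PAN-OS integrated User-ID
# server monitoring over WinRM-HTTPS. All names and addresses are hypothetical.
param(
    [string]$RootCaName     = 'Contoso Root CA',   # CA imported into Panorama
    [string]$CngfwSource    = '10.10.3.0/24',      # Cloud NGFW source network toward the DC
    [string]$ServiceAccount = 'svc-userid'          # account entered under Server Monitor Account
)
Import-Module ActiveDirectory

# 1. Pick the Server Authentication certificate WinRM will present. Panorama's
#    certificate profile must chain to the CA that issued it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
                   $_.Issuer -like "*CN=$RootCaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-auth certificate issued by $RootCaName in LocalMachine\My" }

# 2. Create (or replace) the HTTPS listener on 5986 bound to that certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# 3. Open 5986 only to the firewall's source network, not to the whole VNet.
New-NetFirewallRule -DisplayName 'PAN User-ID WinRM-HTTPS (from Cloud NGFW)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $CngfwSource -Action Allow -Profile Domain | Out-Null

# 4. Least-privilege rights for the monitoring account: read the Security log
#    and use WinRM without being a local administrator. (Group names are an
#    assumption; check the PAN-OS requirements for your version.)
foreach ($group in 'Event Log Readers', 'Remote Management Users') {
    Add-ADGroupMember -Identity $group -Members $ServiceAccount -ErrorAction SilentlyContinue
}

# 5. Export the root CA so it can be imported into Panorama
#    (Device > Certificate Management > Certificates).
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like "*CN=$RootCaName*" |
    Select-Object -First 1 |
    Export-Certificate -FilePath "$env:TEMP\$RootCaName.cer" | Out-Null

# 6. Verify the listener answers over TLS, by FQDN (must match the certificate),
#    with the same account the firewall will use.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cred = Get-Credential -UserName "CONTOSO\$ServiceAccount" -Message 'User-ID service account'
Test-WSMan -ComputerName $fqdn -UseSSL -Authentication Kerberos -Credential $cred
```

If Test-WSMan fails with a certificate error, the listener's certificate does not match the FQDN or does not chain to the CA you exported; fix that on the Windows side before touching the Panorama certificate profile, since the firewall will reject the connection for the same reason.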

Enable User-ID with Windows-based User-ID Agent

Prerequisites:
  1. Enable User-ID on Cloud NGFW Interfaces.
    1. In Panorama, go to Network > Zones and select the Zone where you're configuring User-ID.
    2. Add your networks to Include and Exclude lists as needed.
    3. Click OK.
      On your Cloud NGFW device group, enable User-ID for both Private and Public zones.
  2. Configure User-ID Agent as Data Redistribution Agent.
    In Panorama, go to Device > Data Redistribution and configure your User-ID Agent as a data redistribution agent.
  3. Configure Service Route for User-ID Agent.
    1. In Panorama, go to Device > Setup > Services > Service Route Configuration.
    2. Configure the route with loopback.3 as the source interface.
    3. Add a security policy rule that allows the Cloud NGFW to reach the User-ID Agent Windows server on the agent port (TCP 5007 by default).
  4. Verify User-ID Agent Configuration.
    1. On the Windows server, open the User-ID Agent and click Edit to open its setup.
    2. Enter the service account user name and password.
      Ensure that the User-ID service port is configured (5007 by default).
    3. Configure discovery of your Active Directory domain. If Active Directory runs on the same server as the User-ID Agent, you can use the Auto Discover option.
    4. Commit your changes.
    The Agent status should show as running, with the connected servers listed. Windows Firewall on this server must allow inbound connections from the Cloud NGFW to the agent port (TCP 5007 by default); add a rule scoped to the firewall's source addresses rather than disabling Windows Firewall.
  5. Configure LDAP Server Profile.
  6. Configure Group Mapping.
  7. Enable User-ID Master device.
  8. Commit your changes.
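
The agent host needs to accept TCP 5007 from the Cloud NGFW, and nothing else needs to change in Windows Firewall. The following PowerShell, run on the User-ID Agent server, is an added example and not part of the Palo Alto Networks page: it creates a scoped inbound rule, keeps the firewall profiles enabled, and checks that the agent is listening and that only the firewall is connected. The Cloud NGFW addresses 10.10.3.4 and 10.10.3.5 and the Windows service name UserIDAgent are assumptions; check Get-Service on your host for the real service name.

```powershell
#Requires -RunAsAdministrator
# Added example: admit the Cloud NGFW to the User-ID Agent port without
# disabling Windows Firewall, then verify the agent is reachable. Hypothetical values.
param(
    [string[]]$CngfwAddresses = @('10.10.3.4', '10.10.3.5'),  # firewall source addresses
    [int]$AgentPort = 5007,                                    # User-ID Agent service port
    [string]$AgentService = 'UserIDAgent'                      # assumed service name
)

# 1. One inbound rule: only the firewall's addresses, only the agent port.
$ruleName = 'PAN User-ID Agent (from Cloud NGFW)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $AgentPort -RemoteAddress $CngfwAddresses -Action Allow -Profile Domain | Out-Null

# 2. Keep every profile enabled; the scoped rule is all that is needed.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. Confirm the agent service is running and actually bound to the expected port.
$svc = Get-Service -Name $AgentService -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name $AgentService; $svc.Refresh() }
$listen = Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    Service     = $svc.Status
    Listening   = [bool]$listen
    OwningProc  = ($listen | ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } |
                   Select-Object -Unique) -join ','
    RuleEnabled = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
}

# 4. Established sessions on the agent port should come only from the Cloud NGFW.
Get-NetTCPConnection -LocalPort $AgentPort -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $CngfwAddresses } |
    ForEach-Object { Write-Warning "Unexpected peer on User-ID agent port: $($_.RemoteAddress)" }
```

Listening = True with no established sessions after the Panorama commit points at the path between the firewall and the agent (service route, security policy, or the rule's RemoteAddress list) rather than at the agent itself.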

Enable User-ID with Cloud Identity Engine (CIE)

Prerequisites:
  • Active Directory (AD) environment with users and groups.
  • Cloud NGFW for Azure deployed and managed via Panorama.
  • Security Policy on Cloud NGFW to allow communication with LDAP/Windows server with Active directory.
  • CIE deployed and connected to your active directory environment.
  1. Deploy Cloud Identity Engine.
    For more information, see the documentation on installing, deploying, and authenticating CIE. After the agent authenticates successfully with Cloud Identity Engine, its status shows as online in Cloud Identity Engine.
  2. Configure Cloud Identity Engine on Panorama and group mapping.
    For User-ID on the firewalls, in Panorama go to Device > User Redistribution and add a CIE instance.
    For Panorama itself to learn group mappings through CIE, configure CIE on the Panorama tab.
    Panorama will then learn the new group mappings.
  3. Configure Group Mapping.
    1. For User-ID on the firewalls, go to Device > User Redistribution.
    2. To configure group mapping on Panorama, go to the Cloud Identity Engine tab.
  4. Enable & Add CIE in Device Group.
    In the Cloud NGFW device group, enable Cloud Identity Engine and add the CIE instance.

Enable User-ID Redistribution with Panorama

Prerequisites:
  1. Configure User-ID Redistribution Agent on Panorama.
    In Panorama, go to Data Redistribution > Add.
    In the Add a Redistribution Agent window, configure the VM-Series firewall as the User-ID redistribution agent on Panorama.
  2. Configure User-ID Redistribution Agent on Cloud NGFW Device Group.
    In Panorama, go to Device > Data Redistribution, and add a Data Redistribution Agent.
  3. Enable User-ID on the Cloud NGFW network interfaces.
    Override the Private and Public zones in the device group and enable User-ID on them.
  4. Commit the configuration and verify data redistribution from Panorama.
    On Panorama, commit and push the configuration.
    Check the Cloud NGFW managed devices and note their serial numbers.
  5. Configure LDAP Server Profile.
  6. Configure Group Mapping.
  7. Enable User-ID Master device.
  8. Commit your changes.
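
Every method on this page ends with the same two steps, an LDAP server profile and group mapping, and the LDAP profile needs the domain's Base DN, the service account's Bind DN and a password that actually binds. The following PowerShell is an added example, not part of the Palo Alto Networks page, that reads both DNs from Active Directory instead of ADSI Edit and then performs the same kind of bind the firewall will, over LDAPS, and reads one group's membership, so a typo in the DN or password surfaces before the Panorama commit. The domain controller dc01.contoso.com, the account svc-userid and the group Finance-Users are hypothetical.

```powershell
# Added example: find Base DN / Bind DN for the Panorama LDAP server profile and
# verify an LDAPS bind plus a group lookup with that account. Hypothetical names.
param(
    [string]$DomainController = 'dc01.contoso.com',
    [string]$BindAccount      = 'svc-userid',
    [string]$GroupName        = 'Finance-Users'
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Base DN is the domain's default naming context; Bind DN is the service
#    account's distinguished name. Both go into Device > Server Profiles > LDAP.
$baseDn = (Get-ADRootDSE -Server $DomainController).defaultNamingContext
$bindDn = (Get-ADUser -Identity $BindAccount -Server $DomainController).DistinguishedName
"Base DN : $baseDn"
"Bind DN : $bindDn"

# 2. Simple bind over TLS on 636, which is what the profile's SSL/TLS option does.
#    The server certificate is validated by default; an untrusted DC certificate
#    fails here, and would fail on the firewall too.
$pw   = Read-Host -AsSecureString "Password for $bindDn"
$cred = [System.Net.NetworkCredential]::new($bindDn, $pw)
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, 636, $false, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred,
            [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # throws LdapException on bad credentials or a rejected certificate

# 3. Resolve the group the security rule will reference. Its DN is the value that
#    appears in Source User when group mapping is set to use long (DN) names.
$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $baseDn, "(&(objectClass=group)(cn=$GroupName))",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('distinguishedName', 'member'))
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one group named $GroupName, found $($resp.Entries.Count)"
}
$group = $resp.Entries[0]
"Group DN: $($group.DistinguishedName)"
# Direct members only; groups with more than 1500 members need ranged retrieval,
# which this check does not implement.
if ($group.Attributes.Contains('member')) {
    $group.Attributes['member'].GetValues([string]) | ForEach-Object { "  member: $_" }
} else {
    Write-Warning "$GroupName has no direct members; a rule on it will match nobody"
}
$conn.Dispose()
```

Run it with the same account and the same DC address you enter in the LDAP profile; if the bind works here but group mapping on the firewall stays empty, the problem is the service route or the security policy toward the LDAP server, not the profile.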

Define Firewall Policies Based on User Groups

In Panorama, go to Policies > Security.
Create rules using the Source User field to define access based on Active Directory users or groups. Traffic can then be monitored by user name instead of IP address alone.
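
Creating the rule in the Panorama GUI is the documented route; the following PowerShell is an added example, not part of the Palo Alto Networks page, that does the same through the Panorama XML API and then proves the rule can match by asking the Cloud NGFW instance, via Panorama, for its IP-to-user mapping table (this is where the serial numbers noted in the redistribution procedure are used). The Panorama hostname, device group CNGFW-Azure, zone names private and public, the group DN, the serial number and the shape of the mapping-table response are all assumptions; adjust them to your deployment.

```powershell
# Added example: group-based security rule via the Panorama XML API, followed by
# a mapping-table check on the managed Cloud NGFW. All values are hypothetical.
param(
    [string]$Panorama    = 'panorama.contoso.com',
    [string]$DeviceGroup = 'CNGFW-Azure',
    [string]$CngfwSerial = '0123456789',   # from Panorama > Managed Devices
    [string]$GroupDn     = 'cn=finance-users,ou=groups,dc=contoso,dc=com'
)
$cred = Get-Credential -Message 'Panorama administrator'
$base = "https://$Panorama/api/"   # Panorama must present a certificate this host trusts

# 1. API key. It carries the admin's full role, so use a dedicated admin for scripts.
$key = (Invoke-RestMethod -Uri $base -Method Post -Body @{
    type = 'keygen'; user = $cred.UserName; password = $cred.GetNetworkCredential().Password
}).response.result.key

function Invoke-PanApi([hashtable]$Params) {
    $Params['key'] = $key
    $r = Invoke-RestMethod -Uri $base -Method Post -Body $Params
    if ($r.response.status -ne 'success') { throw "Panorama API error: $($r.response.InnerXml)" }
    $r.response
}

function Invoke-PanCommit([hashtable]$Params) {
    $job = (Invoke-PanApi $Params).result.job
    if (-not $job) { return }   # nothing to commit
    do {
        Start-Sleep -Seconds 5
        $j = (Invoke-PanApi @{ type = 'op'; cmd = "<show><jobs><id>$job</id></jobs></show>" }).result.job
    } while ($j.status -ne 'FIN')
    if ($j.result -ne 'OK') { throw "Job $job finished with result $($j.result)" }
}

# 2. Rule in the device group's pre-rulebase keyed on source-user, not source IP.
$xpath = "/config/devices/entry[@name='localhost.localdomain']" +
         "/device-group/entry[@name='$DeviceGroup']/pre-rulebase/security/rules"
$rule = @"
<entry name="allow-finance-web">
  <from><member>private</member></from><to><member>public</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <source-user><member>$GroupDn</member></source-user>
  <application><member>web-browsing</member><member>ssl</member></application>
  <service><member>application-default</member></service>
  <action>allow</action><log-end>yes</log-end>
</entry>
"@
Invoke-PanApi @{ type = 'config'; action = 'set'; xpath = $xpath; element = $rule } | Out-Null

# 3. Commit on Panorama, then push to the Cloud NGFW device group.
Invoke-PanCommit @{ type = 'commit'; cmd = '<commit></commit>' }
Invoke-PanCommit @{ type = 'commit'; action = 'all'
    cmd = "<commit-all><shared-policy><device-group><entry name='$DeviceGroup'/></device-group></shared-policy></commit-all>" }

# 4. A user-based rule only matches if the firewall holds mappings. Ask the Cloud NGFW
#    instance itself, proxied through Panorama with target=<serial>. (Entry fields
#    follow the assumed 'show user ip-user-mapping all' XML output.)
$op = Invoke-PanApi @{ type = 'op'; target = $CngfwSerial
                       cmd = '<show><user><ip-user-mapping><all/></ip-user-mapping></user></show>' }
$entries = @($op.result.entry)
if ($entries.Count -eq 0) {
    Write-Warning 'No IP-to-user mappings on the Cloud NGFW: check the redistribution agent, service route and security policy toward it'
}
$entries | Select-Object ip, user, type, idle_timeout
```

An empty table with a green rule in the GUI is the usual failure mode: the policy is correct but the instance has never learned a mapping, and every session falls through to whatever rule sits below.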

Limitations

  • Cloud NGFW can act as a redistribution Client, but not as a redistribution agent.
  • Authentication and Authorization policy is not supported.
  • The XML-API method for User-ID mapping is not supported.