The Cloud Identity Engine provides both user
identification and user authentication for mobile users in a Prisma Access—GlobalProtect
deployment. Using the Cloud Identity Engine for user authentication and username-to-user
group mapping allows you to write security policy based on users and groups, not IP
addresses, and helps secure your assets by enforcing behavior-based security actions. By
continually syncing the information from your directories, the Cloud Identity Engine
ensures that your user information is accurate and up to date and policy enforcement
continues based on the mappings even if the SAML identity provider (IdP) is temporarily
unavailable.
GlobalProtect Mobile Users
Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to
authenticate Prisma Access mobile users in a Mobile Users—GlobalProtect deployment.
This functionality is only available for Panorama Managed Prisma Access 3.0
Innovation and later Innovation deployments.
The Cloud Identity Engine has two components to provide authentication and
enforcement of user- and group-based policy:
- The Cloud Authentication Service component allows you to authenticate mobile users in a Prisma Access—GlobalProtect deployment. You configure a SAML IdP during configuration of the Cloud Identity Engine to use with the Cloud Authentication Service.
- The Directory Sync component provides username-to-user group mapping for the authenticated user. You can use this mapping to enforce user- and group-based policy in Prisma Access.
To configure the Cloud Authentication Service to authenticate GlobalProtect mobile
users, you must have the following minimum required product and software versions:
- A minimum Prisma Access version of 3.0 Innovation or a later Innovation version, which requires a dataplane version of 10.1. To verify your dataplane version, select Panorama > Cloud Services > Configuration > Service Setup and view the Current Dataplane version in the DataPlane PAN-OS version area. If your dataplane is running 10.1, you are running the Prisma Access 3.0 Innovation or later Innovation release and can use the Cloud Identity Engine to authenticate GlobalProtect mobile users. If your dataplane is running 10.0, you are running a Prisma Access Preferred release and you cannot authenticate mobile users with the Cloud Identity Engine.
- A minimum GlobalProtect app version of 6.0.
- A SAML IdP that is supported with the Cloud Identity Engine. Prisma Access supports all IdPs that the Cloud Identity Engine supports, including Azure, Okta, PingOne, PingFederate, and Google.
- A minimum Panorama version of 10.1.
To configure authentication for mobile users using the Cloud Authentication Service,
complete the following steps.
- Install the device certificate on the Panorama that manages Prisma Access. You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
- Log in to the Customer Support Portal to generate the One Time Password (OTP).
- Select Assets > Device Certificates and Generate OTP.
- For the Device Type, select Generate OTP for Panorama and Generate OTP.
- Select the Panorama Device serial number.
- Generate OTP and copy the OTP.
- From the Panorama that manages Prisma Access, select Panorama > Setup > Management > Device Certificate Settings and Get certificate. When you have successfully installed the certificate, the Current Device Certificate Status (Panorama > Setup > Management > Device Certificate) displays as Valid.
- Activate the Cloud Identity Engine if you have not yet done so to create your first instance.
- Log in to the hub.
- Activate the Cloud Identity Engine. If the Activate button is not available, ensure that your role has the necessary privileges.
- Enter the information for your Cloud Identity Engine instance.
- Select the Company Account for the instance.
- Specify a Name to identify the instance.
- (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
- Select a Region. Make a note of the region you selected; you use that region when you activate the Cloud Identity Engine in a later step.
- Agree to the EULA.
- Agree & Activate the instance.
- On the Activation Details page, select the hub in the upper left.
- The Cloud Identity Engine displays.
- (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine instance. If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy. When you select a Region, select the same region you used when you activated the Cloud Identity Engine.
- From the Cloud Identity Engine app, configure a SAML IdP in the Cloud Identity Engine. The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine. Use the following values when configuring Explicit Proxy authentication in your IdP:
- Single sign on URL: global.acs.prismaaccess.com
- SAML Assertion Consumer Service URL: https://global.acs.prismaaccess.com/saml/acs
- Entity ID URL: https://global.acs.prismaaccess.com/saml/metadata
- Configure an authentication profile to use with the Cloud Authentication Service. Be sure that you are in the Mobile_User_Template. By setting up an authentication profile in Panorama, you can redirect GlobalProtect mobile users to the IdP you configure for authentication.
- Change the pre-deployed settings on mobile users’ Windows, macOS, Linux, Android, and iOS endpoints to use the default system browser for SAML authentication. You must set the pre-deployed settings on the client endpoints before you can enable the default system browser for SAML authentication. GlobalProtect retrieves these entries only once, when the GlobalProtect app initializes.

  If there is no pre-deployed value specified on the end users’ Windows or macOS endpoints when using the default system browser for SAML authentication, the Use Default Browser for SAML Authentication option is set to Yes in the portal configuration, and users upgrade the app from release 5.0.x or release 5.1.x to release 5.2.0 for the first time, the app will open an embedded browser instead of the default system browser. After users connect to the GlobalProtect app and the Use Default Browser for SAML Authentication option is set to Yes in the portal configuration, the app will open the default system browser on Windows and macOS endpoints at the next login.

  If the default browser value is set to Yes in the pre-deployed setting of the client machine and the Use Default Browser for SAML Authentication option is set to No in the portal configuration, end users will not have the best user experience. The app will open the default system browser for SAML authentication for the first time. Because the default browser values differ between the client machine and the portal, the app detects a mismatch and opens an embedded browser at the next login. The Use Default Browser for SAML Authentication option of the GlobalProtect portal and the pre-deployed settings in the client machine must have the same value to provide the best user experience.
- On Windows endpoints, you can use the System Center Configuration Manager (SCCM) to pre-deploy the GlobalProtect app 5.2 and set the DEFAULTBROWSER value to yes from the Windows Installer (Msiexec) using the following syntax:

  msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES

  On macOS endpoints, set the default-browser value to yes in the macOS plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) for the GlobalProtect app using the following syntax:

  sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}'

  You must specify the plist key to launch the default system browser for SAML authentication after GlobalProtect app 5.2 is installed. After you add the plist key, you must restart the GlobalProtect app in order for the plist key to take effect. After you restart the GlobalProtect app, the default system browser for SAML authentication launches. To restart the GlobalProtect app:
- Launch the Finder.
- Open the Applications folder by selecting Applications from the Finder sidebar. If you do not see Applications in the Finder sidebar, select Go > Applications from the Finder menu bar.
- Open the Utilities folder.
- Launch Terminal.
- Execute the following commands:

  $ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
  $ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
  $ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
  $ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
On Linux endpoints, set the default-browser value to yes in the /opt/paloaltonetworks/globalprotect/pangps.xml pre-deployment configuration file under <Settings>. After you add the default-browser value, follow the pre-deployment instructions before you reboot the Linux endpoint in order for the change to take effect.
On Android and iOS endpoints, create a VPN profile by using a supported mobile device management (MDM) system such as Airwatch.
- Log in to Airwatch as an administrator.
- Select an existing VPN profile (Devices > Profiles & Resources > Profiles) in the list.
- Select VPN to add a VPN profile. On Android endpoints, enter the Custom Data Key (use_default_browser_for_saml) and the Custom Data Value (true). On iOS endpoints, enter the Custom Data Key (saml-use-default-browser) and the Custom Data Value (true).
- Click Save and Publish to save your changes.
Configure the Prisma Access portal to use Cloud Identity Engine authentication.
- In the Mobile_User_Template, select Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
- Select the Default GlobalProtect portal configuration.
- Select the Authentication Profile you created for Cloud Identity Engine authentication and click OK.
- Select Agent, then select the Default agent.
- (Optional) If you have on-premises GlobalProtect gateways and want the Prisma Access gateway to generate a cookie to override authentication for on-premises gateways, select Generate cookie for authentication override.
- (Optional) If you want Prisma Access to accept cookies from on-premises gateways that allow them to override authentication for Prisma Access, select Accept cookie for authentication override.
- Click OK.
- In the App settings, make sure that Use Default Browser for SAML Authentication is set to Yes. Selecting this portal setting ensures that mobile users can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
- Click OK.
Configure the Prisma Access gateway to use Cloud Identity Engine authentication.
- In the Mobile_User_Template, select Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway.
- Select Authentication.
- Select the Default authentication profile.
- Select the Authentication Profile you created for Cloud Identity Engine authentication and click OK.
- Select Agent > Client Settings, then select the Default configuration.
- (Optional) Select Generate cookie for authentication override and Accept cookie for authentication override. When you use the Cloud Identity Engine for authentication, Palo Alto Networks recommends that you allow authentication cookie overrides on gateways, since you have already configured authentication on the portal. If you do not configure cookie overrides on the gateway, two authentication pages display on the mobile user’s default browser when they log in to a gateway—one page for portal authentication and one page for gateway authentication.
- Click OK.
Complete the Cloud Identity Engine configuration in Panorama.
- Select Panorama > Setup > Management and Edit the Authentication Settings, then select the Authentication Profile you created in Step 5.
- Select Panorama > Device Groups and Add or Edit a device group.
- Select the Cloud Identity Engine and Add the Cloud Identity Engine instance you want to associate with Panorama; then, click OK.
Commit and Push your changes.
Verify that the Cloud Identity Engine is successfully authenticating your mobile users.
- On a mobile user endpoint, open the GlobalProtect app (minimum GlobalProtect version of 6.0 required).
- If prompted, Get Started.
- Enter the Portal URL in the app and Connect to it.
- When you are challenged for authentication, verify that you are redirected to the SAML IdP and are presented with a login page. After you successfully authenticate to the SAML IdP, it redirects you to Prisma Access. Prisma Access then validates the SAML responses from the SAML IdP and the mobile user is able to log in to the GlobalProtect portal.
- Enter your credentials to log in.
- After you have successfully logged in, Open GlobalProtect in the browser or, if you are provided with a URL, Click Here to open the GlobalProtect app.
- If your system browser prompts you to allow opening GlobalProtect in the browser, Allow it.
- Verify that you receive a banner from the GlobalProtect app, indicating that you are Connected to GlobalProtect and showing the GlobalProtect Portal and Gateway.
- (Optional) To see more information about the GlobalProtect connection, select Settings from the GlobalProtect app. From this area, you can see the user that is logged in, view connection statistics and notifications, and download GlobalProtect logs for Troubleshooting.
Explicit Proxy Mobile Users
Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to
authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
To configure the Cloud Authentication Service to authenticate Explicit Proxy mobile
users, you must have the following minimum required product and software versions:
- A minimum Prisma Access version of 3.2 (either Preferred or Innovation).
- A minimum Panorama version of 10.1.3.
- A minimum dataplane version of 10.1.3. To verify your dataplane version, select Panorama > Cloud Services > Configuration > Service Setup and view the Current Dataplane version in the DataPlane PAN-OS version area. If your dataplane version is lower than 10.1.3, reach out to your Palo Alto Networks account representative and submit a request.
- A SAML IdP that is supported with the Cloud Identity Engine. All IdPs that the Cloud Identity Engine supports are supported, including Azure, Okta, PingOne, PingFederate, and Google.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the
Cloud Identity Engine, complete the following steps.
- From the Panorama that manages Prisma Access, set up and configure a Mobile Users—Explicit Proxy deployment.Before you configure Explicit Proxy guidelines, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
- From the Panorama that manages Prisma Access, install the Panorama device certificate.You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
- Log in to the Customer Support Portal to generate the One Time Password (OTP).
- Select Assets > Device Certificates and Generate OTP.
- For the Device Type, select Generate OTP for Panorama and Generate OTP.
- Select the Panorama Device serial number.
- Generate OTP and Copy to Clipboard.
- From the Panorama that manages Prisma Access, select Panorama > Setup > Management > Device Certificate Settings and Get certificate. When you have successfully installed the certificate, the Current Device Certificate Status (Panorama > Setup > Management > Device Certificate) displays as Valid.
- From the hub, activate the Cloud Identity Engine if you have not yet done so to create your first instance.
- Log in to the hub.
- Activate the Cloud Identity Engine. If the Activate button is not available, ensure that your role has the necessary privileges.
- Enter the information for your Cloud Identity Engine instance.
- Select the Company Account for the instance.
- Specify a Name to identify the instance.
- (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
- Select a Region. Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
- Agree to the EULA.
- Agree & Activate the instance.
- On the Activation Details page, select the hub in the upper left.
- The Cloud Identity Engine displays.
- (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine instance. If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
- Log in to the hub.
- Click the gear in the upper right corner of the page to manage the settings; then, select Manage Apps and click Add Instance.
- Configure the instance.
- Select the Company Account for the instance.
- Specify a Name to identify the instance.
- (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
- Select a Region. Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
- Agree to the EULA.
- Agree & Activate the instance.
- From the Cloud Identity Engine app, configure a SAML 2.0 IdP in the Cloud Identity Engine. The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine. Do not configure single logout; it is not supported.
- Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method. You specify this profile when you create an authentication profile in Panorama in a later step.
- Return to the Panorama that manages Prisma Access and configure an authentication profile to use with the Cloud Authentication Service.
- Select Device > Authentication Profile and Add an authentication profile. Be sure that you are in the Explicit_Proxy_Template.
- Enter a Name for the Authentication profile.
- Select Cloud Authentication Service as the Type.
- Select the Region of your Cloud Identity Engine instance. Specify the same region you used when you created your Cloud Identity Engine instance.
- Select the Cloud Identity Engine Instance to use for this Authentication profile.
- Select an authentication Profile that specifies the authentication type you want to use to authenticate users. Specify the authentication profile you created in the Cloud Identity Engine.
- Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
- (Optional) If the profile you selected has multi-factor authentication (MFA) enabled, select Force multi-factor authentication in cloud. Selecting this option means that the IdP (for example, Okta) specified by the profile is responsible for performing MFA. If you select this check box and incorrect MFA information is received from the Cloud Identity Engine, authentication fails.
- Click OK.
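As an added illustration of why the Maximum Clock Skew setting matters, and not Palo Alto Networks code or the firewall's own implementation: the Python function below validates a SAML assertion's IssueInstant and Conditions timestamps against the receiver's clock, allowing a skew tolerance in the same 1–900 second range (default 60). The assertion, issuer and timestamps are constructed samples.

```python
"""Clock-skew-tolerant validation of SAML assertion timing (illustrative only)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response); all times are UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z"
                   NotOnOrAfter="2024-01-15T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime in the 'Z' (UTC) form SAML IdPs emit into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return dt.astimezone(timezone.utc)


def validate_assertion_timing(xml_text: str, now: datetime, max_clock_skew: int = 60):
    """Return (accepted, reason) for the assertion's time window at local time `now`.

    Every comparison is widened by `max_clock_skew` seconds so that a small
    disagreement between the IdP clock and the receiver clock does not reject
    an otherwise valid assertion; a larger disagreement still fails.
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("max_clock_skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    root = ET.fromstring(xml_text)

    # An assertion stamped further in the future than the tolerance means the
    # two clocks disagree by more than the administrator allowed.
    issue_instant = parse_saml_time(root.get("IssueInstant"))
    if issue_instant - now > skew:
        return False, "IssueInstant is ahead of local time by more than the allowed skew"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions element"

    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion is not yet valid (NotBefore)"

    # NotOnOrAfter is exclusive: the assertion is invalid at that exact instant.
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion has expired (NotOnOrAfter)"

    return True, "timing accepted"


if __name__ == "__main__":
    # Receiver clock two minutes behind the IdP: rejected at 60 s, accepted at 180 s.
    behind = parse_saml_time("2024-01-15T09:58:00Z")
    print(validate_assertion_timing(SAMPLE_ASSERTION, behind))
    print(validate_assertion_timing(SAMPLE_ASSERTION, behind, max_clock_skew=180))
```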
- Allow the necessary authentication traffic to be passed to Explicit Proxy.
- Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
- Add the following Cloud Identity Engine URLs to the URL category. If you do not need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using the show cloud-auth-service-regions command in the Cloud Identity Engine to display the URLs for the region associated with your Cloud Identity Engine instance and enter each region-based URL. The following table includes the URLs for each region:

  | Region | Cloud Identity Engine Region-Based URL |
  |---|---|
  | United States | cloud-auth.us.apps.paloaltonetworks.com, cloud-auth-service.us.apps.paloaltonetworks.com |
  | Europe | cloud-auth.nl.apps.paloaltonetworks.com, cloud-auth-service.nl.apps.paloaltonetworks.com |
  | United Kingdom | cloud-auth.uk.apps.paloaltonetworks.com, cloud-auth-service.uk.apps.paloaltonetworks.com |
  | Singapore | cloud-auth.sg.apps.paloaltonetworks.com, cloud-auth-service.sg.apps.paloaltonetworks.com |
  | Canada | cloud-auth.ca.apps.paloaltonetworks.com, cloud-auth-service.ca.apps.paloaltonetworks.com |
  | Japan | cloud-auth.jp.apps.paloaltonetworks.com, cloud-auth-service.jp.apps.paloaltonetworks.com |
  | Australia | cloud-auth.au.apps.paloaltonetworks.com, cloud-auth-service.au.apps.paloaltonetworks.com |
  | Germany | cloud-auth.de.apps.paloaltonetworks.com, cloud-auth-service.de.apps.paloaltonetworks.com |
  | United States - Government | cloud-auth-service.gov.apps.paloaltonetworks.com, cloud-auth.gov.apps.paloaltonetworks.com |
  | India | cloud-auth-service.in.apps.paloaltonetworks.com, cloud-auth.in.apps.paloaltonetworks.com |
- Enter the URLs that your IdP requires for user authentication (for example,*.okta.com) in the custom URL category.
- Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
- Specify the authentication profile for Explicit Proxy.
- Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy.
- Select the Connection Name.
- Specify the Cloud Identity Engine Authentication Profile.
- Commit and Push your changes.
- Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
- From the Panorama that manages Prisma Access, select Monitor > Logs > Authentication.
- View the Event status. If the authentication fails, view the Description for more details about the failure.
- From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.