Configure Authentication for a WildFire Appliance
Focus
Focus
Panorama

Configure Authentication for a WildFire Appliance

Table of Contents

Configure Authentication for a WildFire Appliance

Configure an administrative user, RADIUS, TACAS+, or LDAP authentication for a WildFire appliance.
Create and configure enhanced authentication for your WildFire appliance by configuring local administrative users with granular authentication parameters, as well as leveraging RADIUS, TACAS+, or LDAP for authorization and authentication.
When you Configure and push administrators from Panorama, you overwrite the existing administrators on the WildFire appliance with those you configure on Panorama.

Configure An Administrative Account for a WildFire Appliance

Create and configure admin user with granular authentication parameters for the WildFire appliance.
Create one or more administrators with granular authentication parameters for your WildFire appliance to manage from the Panorama™ management server. Additionally, you can configure local administrators from Panorama that can be configured directly on the CLI of the WildFire appliance. However, pushing new configuration changes to the WildFire appliance will overwrites local administrators with the administrators configured for the WildFire appliance.
  1. (Optional) Configure an authentication profile to define the authentication service that validates the login credentials of the administrators who access the WildFire appliance CLI.
  2. Configure one or more administrator accounts as needed.
    The administrator accounts created on Panorama are later imported to the WildFire appliance and managed from Panorama.
    You must configure the administrative account with Superuser admin role privileges to successfully configure authentication for the WildFire appliance.
  3. Configure the authentication for the WildFire appliance.
    1. Select PanoramaManaged WildFire Appliance and select the WildFire appliance you previously added.
    2. (Optional) Select the Authentication Profile you configured in the previous step.
    3. Configure the authentication Timeout Configuration for the WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of the WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access the WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    4. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      1. Add and configure new administrators unique to the WildFire appliancer. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
      2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliance.
    5. Click OK to save the WildFire appliance authentication configuration.
  4. Commit and then Commit and Push your configuration changes.
  5. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.

Configure RADIUS Authentication for a WildFire Appliance

Configure RADIUS authentication for a WildFire appliance.
Use a RADIUS server to authenticate administrative access to the WildFire appliance CLI. You can also define Vendor-Specific Attributes (VSAs) on the RADIUS server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on the Panorama™ management server.
You can Import the Palo Alto Networks RADIUS dictionary into RADIUS server to define the authentication attributes needed for communication between Panorama and the RADIUS server.
  1. Configure RADIUS authentication.
    Administrator accounts configured for RADIUS authentication are required to have Superuser admin role privileges to successfully configure authentication for the Wildfire appliance.
    1. Add a RADIUS server profile.
      The profile defines how the WildFire appliance connects to the RADIUS server.
      1. Select PanoramaServer ProfilesRADIUS and Add a profile.
      2. Enter a Profile Name to identify the server profile.
      3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
      4. Select the Authentication Protocol (default is CHAP) that the WildFire appliance uses to authenticate to the RADIUS server.
        Select CHAP if the RADIUS server supports that protocol; it is more secure than PAP.
      5. Add each RADIUS server and enter the following:
        1. Name to identify the server.
        2. RADIUS Server IP address or FQDN.
        3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
        4. Server Port for authentication requests (default is 1812).
      6. Click OK to save the server profile.
    2. Assign the RADIUS server profile to an authentication profile.
      The authentication profile defines authentication settings that are common to a set of administrators.
      1. Select PanoramaAuthentication Profile and Add a profile.
      2. Enter a Name to identify the authentication profile.
      3. Set the Type to RADIUS.
      4. Select the Server Profile you configured.
      5. Select Retrieve user group from RADIUS to collect user group information from VSAs defined on the RADIUS server.
        Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
      6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
      7. Click OK to save the authentication profile.
  2. Configure the authentication for the WildFire appliance.
    1. Select PanoramaManaged WildFire Appliance and select the WildFire appliance you previously added.
    2. Select the Authentication Profile you configured in the previous step.
      If a global authentication profile is not assigned you must assign an authentication profile to each individual local administrator to leverage remote authentication.
    3. Configure the authentication Timeout Configuration for the WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of the WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access the WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    4. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      1. Add and configure new administrators unique to the WildFire appliance. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
      2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliance.
    5. Click OK to save the WildFire appliance authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.

Configure TACACS+ Authentication for a WildFire Appliance

Configure TACACS+ authentication for a WildFire appliance.
You can use a TACACS+ server to authenticate administrative access to the WildFire appliance CLI. You can also define Vendor-Specific Attributes (VSAs) on the TACACS+ server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on Panorama.
  1. Configure TACACS+ authentication.
    Administrator accounts configured for TACACS+ authentication are required to have Superuser admin role privileges to successfully configure authentication for the Wildfire appliance.
    1. Add a TACACS+ server profile.
      The profile defines how the WildFire appliance connects to the TACACS+ server.
      1. Select PanoramaServer ProfilesTACACS+ and Add a profile.
      2. Enter a Profile Name to identify the server profile.
      3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
      4. Select the Authentication Protocol (default is CHAP) that Panorama uses to authenticate to the TACACS+ server.
      5. Select CHAP if the TACACS+ server supports that protocol; it is more secure than PAP.
      6. Add each TACACS+ server and enter the following:
        1. Name to identify the server.
        2. TACACS+ Server IP address or FQDN.
        3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
        4. Server Port for authentication requests (default is 49).
      7. Click OK to save the server profile.
    2. Assign the TACACS+ server profile to an authentication profile.
      The authentication profile defines authentication settings that are common to a set of administrators.
      1. Select PanoramaAuthentication Profile and Add a profile.
      2. Enter a Name to identify the profile.
      3. Set the Type to TACACS+.
      4. Select the Server Profile you configured.
      5. Select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server.
        Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
      6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
      7. Click OK to save the authentication profile.
  2. Configure the authentication for the WildFire appliance.
    1. Select PanoramaManaged WildFire Appliance and select the WildFire appliance you previously added.
    2. Select the Authentication Profile you configured in the previous step.
      If a global authentication profile is not assigned you must assign an authentication profile to each individual local administrator to leverage remote authentication.
    3. Configure the authentication Timeout Configuration for the WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of the WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access the WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    4. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      1. Add and configure new administrators unique to the WildFire appliancer. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
      2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliance.
    5. Click OK to save the WildFire appliance authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.

Configure LDAP Authentication for a WildFire Appliance

Configure LDAP authentication for a WildFire appliance.
You can use LDAP to authenticate end users who access the WildFire appliance CLI.
  1. Add an LDAP server profile.
    The profile defines how the WildFire appliance connects to the LDAP server.
    Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for the WildFire appliance.
    1. Select PanoramaServer ProfilesLDAP and Add a server profile.
    2. Enter a Profile Name to identify the server profile.
    3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    4. Select the server Type.
    5. Select the Base DN.
      To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
    6. Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.
      The Bind DN account must have permission to read the LDAP directory.
    7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
    8. Enter the Retry Interval in seconds (default is 60).
    9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The WildFire appliance first attempts to use TLS. If the directory server doesn’t support TLS, the WildFire appliance falls back to SSL.
    10. (Optional) For additional security, enable to the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of Panorama certificates: PanoramaCertificate ManagementCertificatesDevice Certificates. If necessary, import the certificate into Panorama.
      • The certificate signer is in the list of trusted certificate authorities: PanoramaCertificate ManagementCertificates.
    11. Click OK to save the server profile.
  2. Configure the authentication for the WildFire appliance.
    1. Select PanoramaManaged WildFire Appliance and select the WildFire appliance you previously added.
    2. Configure the authentication Timeout Configuration for the WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of the WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access the WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    3. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      • Configure the local administrators.
        Configure new administrators unique to the WildFire appliances. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
        1. Add one or more new local administrator.
        2. Enter a Name for the local administrator.
        3. Assign an Authentication Profile you previously created.
          LDAP authentication profiles are supported only for individual local administrators.
        4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for authentication.
        5. Select a Password Profile to set the expiration parameters.
      • Import existing Panorama administrators
        Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to WildFire appliance.
      1. Add an existing Panorama administrator
    4. Click OK to save the WildFire appliance authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.