Configure Authentication for a WildFire Cluster
Focus
Focus
Panorama

Configure Authentication for a WildFire Cluster

Table of Contents

Configure Authentication for a WildFire Cluster

Configure an administrative user, RADIUS, TACAS+, or LDAP authentication for all WildFire appliances in a WildFire cluster.
Create and configure enhanced authentication for all WildFire appliances in a WildFire cluster by configuring local administrative users with granular authentication parameters, as well as leveraging RADIUS, TACAS+, or LDAP for authorization and authentication.
When you Configure and push administrators from Panorama, you overwrite the existing administrators for all WildFire appliances in the WildFire cluster with those you configure on Panorama.

Configure a Cluster Centrally on Panorama

Before you configure a WildFire appliance cluster on a Panorama M-Series or virtual appliance, have two WildFire appliances available to configure as a high availability controller node pair and any additional WildFire appliances needed to serve as worker nodes to increase the analysis, storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete basic steps such as confirming your WildFire license is active, enabling logging, connecting firewalls to WildFire appliances, and configuring basic WildFire features.
To create WildFire appliance clusters, you must upgrade all of the WildFire appliances that you want to place in a cluster to PAN-OS 8.0.1 or later. If you use Panorama to manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. On each WildFire appliance that you want to add to a cluster, run show system info | match version on the WildFire appliance CLI to ensure that the appliance is running PAN-OS 8.0.1 or later. On each Panorama appliance you use to manage clusters (or standalone appliances), DashboardGeneral InformationSoftware Version displays the running software version.
When your WildFire appliances are available, perform the appropriate tasks:
Removing a node from a cluster using Panorama is not supported. Instead, Remove a Node from a Cluster Locally using the local WildFire CLI.

Configure RADIUS Authentication for a WildFire Cluster

Configure RADIUS authentication for all WildFire appliance in a WildFire cluster.
Use a RADIUS server to authenticate administrative access to the CLI of the WildFire appliances in a WildFire cluster. You can also define Vendor-Specific Attributes (VSAs) on the RADIUS server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on the Panorama™ management server.
You can Import the Palo Alto Networks RADIUS dictionary into RADIUS server to define the authentication attributes needed for communication between Panorama and the RADIUS server.
  1. Configure RADIUS authentication.
    Administrator accounts configured for RADIUS authentication are required to have Superuser admin role privileges to successfully configure authentication for Wildfire appliances in the WildFire cluster.
    1. Add a RADIUS server profile.
      The profile defines how the WildFire appliances in the WildFire clust connect to the RADIUS server.
      1. Select PanoramaServer ProfilesRADIUS and Add a profile.
      2. Enter a Profile Name to identify the server profile.
      3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
      4. Select the Authentication Protocol (default is CHAP) that a WildFire appliance uses to authenticate to the RADIUS server.
        Select CHAP if the RADIUS server supports that protocol; it is more secure than PAP.
      5. Add each RADIUS server and enter the following:
        1. Name to identify the server.
        2. RADIUS Server IP address or FQDN.
        3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
        4. Server Port for authentication requests (default is 1812).
      6. Click OK to save the server profile.
    2. Assign the RADIUS server profile to an authentication profile.
      The authentication profile defines authentication settings that are common to a set of administrators.
      1. Select PanoramaAuthentication Profile and Add a profile.
      2. Enter a Name to identify the authentication profile.
      3. Set the Type to RADIUS.
      4. Select the Server Profile you configured.
      5. Select Retrieve user group from RADIUS to collect user group information from VSAs defined on the RADIUS server.
        Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
      6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
      7. Click OK to save the authentication profile.
  2. Configure the authentication for the WildFire cluster.
    1. Select PanoramaManaged WildFire Clusters and select the WildFire cluster you previously added.
    2. Select the Authentication Profile you configured in the previous step.
      If a global authentication profile is not assigned you must assign an authentication profile to each individual local administrator to leverage remote authentication.
    3. Configure the authentication Timeout Configuration for a WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of a WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access a WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    4. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      1. Add and configure new administrators unique to the WildFire appliances in the WildFire cluster. These administrators are specific to the WildFire appliances in the WildFire cluster for which they are created and you manage these administrators from this table.
      2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliances in the WildFire cluster.
    5. Click OK to save the WildFire cluster authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access a WildFire appliance using the local admin user.

Configure TACACS+ Authentication for a WildFire Cluster

Configure TACACS+ authentication for all WildFire appliances in a WildFire cluster.
You can use a TACACS+ server to authenticate administrative access to the CLI of the WildFire appliances in a WildFire cluster. You can also define Vendor-Specific Attributes (VSAs) on the TACACS+ server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on Panorama.
  1. Configure TACACS+ authentication.
    Administrator accounts configured for TACACS+ authentication are required to have Superuser admin role privileges to successfully configure authentication for Wildfire appliances in the WildFire cluster.
    1. Add a TACACS+ server profile.
      The profile defines how a WildFire appliance connects to the TACACS+ server.
      1. Select PanoramaServer ProfilesTACACS+ and Add a profile.
      2. Enter a Profile Name to identify the server profile.
      3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
      4. Select the Authentication Protocol (default is CHAP) that Panorama uses to authenticate to the TACACS+ server.
      5. Select CHAP if the TACACS+ server supports that protocol; it is more secure than PAP.
      6. Add each TACACS+ server and enter the following:
        1. Name to identify the server.
        2. TACACS+ Server IP address or FQDN.
        3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
        4. Server Port for authentication requests (default is 49).
      7. Click OK to save the server profile.
    2. Assign the TACACS+ server profile to an authentication profile.
      The authentication profile defines authentication settings that are common to a set of administrators.
      1. Select PanoramaAuthentication Profile and Add a profile.
      2. Enter a Name to identify the profile.
      3. Set the Type to TACACS+.
      4. Select the Server Profile you configured.
      5. Select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server.
        Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
      6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
      7. Click OK to save the authentication profile.
  2. Configure the authentication for the WildFire cluster.
    1. Select PanoramaManaged WildFire Clusters and select the WildFire cluster you previously added.
    2. Select the Authentication Profile you configured in the previous step.
      If a global authentication profile is not assigned you must assign an authentication profile to each individual local administrator to leverage remote authentication.
    3. Configure the authentication Timeout Configuration for a WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of a WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access a WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    4. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      1. Add and configure new administrators unique to the WildFire appliances in the WildFire cluster. These administrators are specific to the WildFire appliances in the WildFire cluster for which they are created and you manage these administrators from this table.
      2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliances in the WildFire cluster.
    5. Click OK to save the WildFire cluster authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access a WildFire appliance using the local admin user.

Configure LDAP Authentication for a WildFire Cluster

Configure LDAP authentication for all WildFire appliances in a WildFire cluster.
You can use LDAP to authenticate end users to access the CLI of the WildFire appliances in a WildFire cluster.
  1. Add an LDAP server profile.
    The profile defines how a WildFire appliance connects to the LDAP server.
    Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for WildFire appliances in the WildFire cluster.
    1. Select PanoramaServer ProfilesLDAP and Add a server profile.
    2. Enter a Profile Name to identify the server profile.
    3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    4. Select the server Type.
    5. Select the Base DN.
      To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
    6. Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.
      The Bind DN account must have permission to read the LDAP directory.
    7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
    8. Enter the Retry Interval in seconds (default is 60).
    9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The WildFire appliance first attempts to use TLS. If the directory server doesn’t support TLS, the WildFire appliance falls back to SSL.
    10. (Optional) For additional security, enable to the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of Panorama certificates: PanoramaCertificate ManagementCertificatesDevice Certificates. If necessary, import the certificate into Panorama.
      • The certificate signer is in the list of trusted certificate authorities: PanoramaCertificate ManagementCertificates.
    11. Click OK to save the server profile.
  2. Configure the authentication for the WildFire cluster.
    1. Select PanoramaManaged WildFire Clusters and select the WildFire cluster you previously added.
    2. Configure the authentication Timeout Configuration for a WildFire appliance.
      1. Enter the number of Failed Attempts before a user is locked out of a WildFire appliance CLI.
      2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
      3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the Max Session Count to set how many user accounts can simultaneously access a WildFire appliance.
      5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
    3. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
      • Configure the local administrators.
        Configure new administrators unique to the WildFire appliances in the WildFire cluster. These administrators are specific to the WildFire appliances in the WildFire cluster for which they are created and you manage these administrators from this table.
        1. Add one or more new local administrator.
        2. Enter a Name for the local administrator.
        3. Assign an Authentication Profile you previously created.
          LDAP authentication profiles are supported only for individual local administrators.
        4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for authentication.
        5. Select a Password Profile to set the expiration parameters.
      • Import existing Panorama administrators
        Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to all WildFire appliances in the WildFire cluster.
      1. Add an existing Panorama administrator
    4. Click OK to save the WildFire cluster authentication configuration.
  3. Commit and then Commit and Push your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.