Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (Panorama)
Focus
Focus
Prisma Access

Explicit Proxy Mobile Users

Table of Contents


Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (
Panorama
)

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
To configure the Cloud Authentication Service to authenticate Explicit Proxy mobile users, you must have the following minimum required product and software versions:
  • A minimum Prisma Access version of 3.2 (either Preferred or Innovation).
  • A minimum Panorama version of 10.1.3.
  • A minimum dataplane version of 10.1.3.
    To verify your dataplane version, select
    Panorama
    Cloud Services
    Configuration
    Service Setup
    and view the
    Current Dataplane version
    in the
    DataPlane PAN-OS version
    area. If your dataplane version is lower than 10.1.3, reach out to your Palo Alto Networks account representative and submit a request.
  • A SAML IdP provider that is supported with the Cloud Identity Engine.
    All IdP providers that are supported by the Cloud Identity Engine are supported, including Azure, Okta, PingOne, PingFederate, and Google.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
  1. From the Panorama that manages Prisma Access, set up and configure a Mobile Users—Explicit Proxy deployment.
    Before you configure Explicit Proxy guidelines, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
  2. From the Panorama that manages Prisma Access, install the Panorama device certificate.
    You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
    1. Log into the Customer Support Portal to generate the One Time Password (OTP).
    2. Select
      Assets
      Device Certificates
      and
      Generate OTP
      .
    3. For the
      Device Type
      , select
      Generate OTP for Panorama
      and
      Generate OTP
      .
    4. Select the
      Panorama Device
      serial number.
    5. Generate OTP
      and
      Copy to Clipboard
      .
    6. From the Panorama that manages Prisma Access, select
      Panorama
      Setup
      Management
      Device Certificate Settings
      and
      Get certificate
      .
      When you have successfully installed the certificate, the
      Current Device Certificate Status
      (
      Panorama
      Setup
      Management
      Device Certificate
      ) displays as
      Valid
      .
  3. From the hub, activate the Cloud Identity Engine if you have not yet done so to create your first instance.
    1. Activate
      the Cloud Identity Engine.
      If the Activate button is not available, ensure that your role has the necessary privileges.
    2. Enter the information for your Cloud Identity Engine instance.
      • Select the
        Company Account
        for the instance.
      • Specify an
        Name
        to identify the instance.
      • (
        Optional
        ) Enter a
        Description
        to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a
        Region
        .
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the
        EULA
        .
    3. Agree & Activate
      the instance.
    4. On the Activation Details page, select the hub in the upper left.
    5. The
      Cloud Identity Engine
      displays.
  4. (
    Optional
    ) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine Instance.
    If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
    1. Log in to the hub.
    2. Click the gear in the upper right corner of the page to manage the settings; then, select
      Manage Apps
      and click
      Add Instance
      .
    3. Configure the instance.
      • Select the
        Company Account
        for the instance.
      • Specify an
        Name
        to identify the instance.
      • (
        Optional
        ) Enter a
        Description
        to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a
        Region
        .
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the
        EULA
        .
    4. Agree & Activate
      the instance.
  5. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
    You specify this profile when you create an authentication profile in Panorama in a later step.
  6. Return to the Panorama that manages Prisma Access and configure an authentication profile to use with the Cloud Authentication Engine.
    1. Select
      Device
      Authentication Profile
      and
      Add
      an authentication profile.
      Be sure that you are in the
      Explicit_Proxy_Template
      .
    2. Enter a
      Name
      for the Authentication profile.
    3. Select
      Cloud Authentication Service
      as the
      Type
      .
    4. Select the
      Region
      of your Cloud Identity Engine instance.
      Specify the same region you used when you created your Cloud Authentication Engine instance.
    5. Select the Cloud Identity Engine
      Instance
      to use for this Authentication profile.
    6. Select an authentication
      Profile
      that specifies the authentication type you want to use to authenticate users.
      Specify the authentication profile you created in the Cloud Identity Engine.
    7. Specify the
      Maximum Clock Skew (seconds)
      , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    8. (
      Optional
      ) If the profile you selected has multi-factor authentication (MFA) enabled, select
      Force multi-factor authentication in cloud
      .
      Selecting this option means that the IdP (for example, Okta) specified by the profile is responsible for performing MFA. If you select this check box and incorrect MFA information is received from the Cloud Identity Engine, authentication fails.
    9. Click
      OK
      .
  7. Allow the necessary authentication traffic to be passed to Explicit Proxy.
    1. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
    2. Add the following Cloud Identity Engine URLs to the URL category.
      If you do not need to strictly limit traffic to your region, you can enter
      *.apps.paloaltonetworks.com
      . Otherwise, determine your region-based URL using the
      show cloud-auth-service-regions
      command in the Cloud Identity Engine to display the URLs for the region associated with your Cloud Identity Engine instance and enter each region-based URL. The following table includes the URLs for each region:
      Region
      Cloud Identity Engine Region-Based URL
      United States
      cloud-auth.us.apps.paloaltonetworks.com
      cloud-auth-service.us.apps.paloaltonetworks.com
      Europe
      cloud-auth.nl.apps.paloaltonetworks.com
      cloud-auth-service.nl.apps.paloaltonetworks.com
      United Kingdom
      cloud-auth.uk.apps.paloaltonetworks.com
      cloud-auth-service.uk.apps.paloaltonetworks.com
      Singapore
      cloud-auth.sg.apps.paloaltonetworks.com
      cloud-auth-service.sg.apps.paloaltonetworks.com
      Canada
      cloud-auth.ca.apps.paloaltonetworks.com
      cloud-auth-service.ca.apps.paloaltonetworks.com
      Japan
      cloud-auth.jp.apps.paloaltonetworks.com
      cloud-auth-service.jp.apps.paloaltonetworks.com
      Australia
      cloud-auth.au.apps.paloaltonetworks.com
      cloud-auth-service.au.apps.paloaltonetworks.com
      Germany
      cloud-auth.de.apps.paloaltonetworks.com
      cloud-auth-service.de.apps.paloaltonetworks.com
      United States - Government
      cloud-auth-service.gov.apps.paloaltonetworks.com
      cloud-auth.gov.apps.paloaltonetworks.com
      India
      cloud-auth-service.in.apps.paloaltonetworks.com
      cloud-auth.in.apps.paloaltonetworks.com
    3. Enter the URLs that your IdP requires for user authentication (for example,
      *.okta.com
      ) in the custom URL category.
    4. Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
  8. Specify the authentication profile for Explicit Proxy.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Mobile Users—Explicit Proxy
      .
    2. Select the
      Connection Name
      .
    3. Specify the Cloud Identity Engine
      Authentication Profile
      .
  9. Commit and Push
    your changes.
  10. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
    1. From the Panorama that manages Prisma Access, select
      Monitor
      Logs
      Authentication
      .
    2. View the
      Event
      status.
      If the authentication fails, view the
      Description
      for more details about the failure.
    3. From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.


Recommended For You