How to Set Up Secure Communication between Palo Alto Networks Firewall and User-ID Agent
Resolution
Starting from PAN-OS 8.0, we have an option to have a secure communication, with the help of certificates, between the firewall and the User-ID Agent.
NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID agent to be on 8.0 (or later).
In this process, the UIA (User-ID Agent) will present a certificate to the firewall to validate. The firewall will check this certificate as per the certification profile configured. If it passes all the checks in the certificate profile, the firewall will accept the connection from the UIA. This can ensure safety against "rogue" UIAs.
Here's a step-by-setup walkthrough to configure this:
1. Launch the UIA, you should see a new option called 'Server Certificate':
2. We need to create a new CSR for the UIA and get it signed by either an external CA, in-house CA or a self-signed certificate present in the firewall. (Note: We will need the CA certificate to be present on the firewall so we can use it in the Certificate profile and validate the UIA's certificate).
3. Once we have a certificate, we can import it in the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA used to sign the UIA's CSR.
5. You should see a new tab under Device >User Identification, called 'Connection Security':
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully with the firewall.
Failure Scenario
If an incorrect or no certificate is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:
For the same failure, on the agent, you would see the following logs (under Monitoring->Logs):
Hope this helped. Stay safe!