Palo Alto PAN-OS Windows AD Integration Tech Note

144036
Created On 09/27/18 10:43 AM - Last Modified 05/15/24 23:06 PM


Environment


  • Palo Alto Firewalls
  • Windows Active Directory (AD) integration
  • LDAP


Resolution


Palo Alto AD Integration

The Palo Alto Networks firewall can be integrated with Microsoft Windows Active Directory through LDAP. Recent versions of PAN-OS also allow agentless authentication against an Active Directory domain controller; however, the WMI (Windows Management Instrumentation) settings on the AD domain controller must be modified, and you must be a Domain Admin to do so.

Prerequisites

Before you integrate a Palo Alto Networks device with AD, you must create a user account in AD that the firewall will use to access LDAP. At a minimum, this account must be a member of the built-in Server Operators group in AD. For security reasons and to comply with best practices, give this account only the minimum access rights it needs.

For this demonstration, we created a user, paloaltoldap@paynetonline.com, in AD with an appropriate password, and added this account to the Server Operators group.
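The account creation and group membership described above, as an added PowerShell example (it is not part of the Palo Alto Networks article). The account name and domain are the article's; the OU path and the description text are assumptions. Run it on a domain controller as a Domain Admin; it finishes by listing the account's group memberships so you can confirm it holds Server Operators and nothing broader.

```powershell
# Added example (not from the Palo Alto Networks article): create the service account the
# article uses, give it the minimum membership the article names (Server Operators), then
# list its group memberships to confirm nothing broader was granted.
# Run on a domain controller as a Domain Admin. The OU path is an assumption.
Import-Module ActiveDirectory

$SamAccountName = 'paloaltoldap'
$Upn            = 'paloaltoldap@paynetonline.com'
$OuPath         = 'OU=ServiceAccounts,DC=paynetonline,DC=com'   # assumed OU; change to yours

# Prompt for the password rather than embedding it in the script.
$Password = Read-Host -Prompt "Password for $Upn" -AsSecureString

New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName $Upn `
           -Path $OuPath `
           -AccountPassword $Password `
           -Enabled $true `
           -CannotChangePassword $true `
           -Description 'Palo Alto Networks LDAP/User-ID service account'

# The minimum membership named in the article.
Add-ADGroupMember -Identity 'Server Operators' -Members $SamAccountName

# Check: the account should appear in Server Operators (plus the default Domain Users)
# and in no other group.
Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Select-Object Name, GroupScope |
    Sort-Object Name
```

Server Operators is a built-in group with broad rights on domain controllers, so treat this account like any other privileged service account: a long, unique password, and logon auditing for it on the DCs.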

Definitions

Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF).

Obtaining management data from remote computers makes WMI useful. Remote WMI connections are made through DCOM. An alternative is to use Windows Remote Management (WinRM), which obtains remote WMI management data using the WS-Management SOAP-based protocol.

Management applications or scripts can get data or perform operations through WMI in a variety of languages.

Common Information Model version 2 is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and relationships between them. The Distributed Management Task Force maintains the CIM to allow consistent management of these managed elements, independent of their manufacturer or provider.

One way to describe CIM is to say that it allows multiple parties to exchange management information about managed elements. However, this description falls short because CIM not only represents these managed elements and the management information, but also provides means to actively control and manage these elements. By using a common model of information, management software can be written once, then work with many implementations of the common model without complex and costly conversion operations or loss of information.

The Palo Alto Networks operating system is based on the Unix platform, an open standard that anyone can modify, but the industry has also agreed on some standards to ensure that devices can talk to each other. This is why you need to make small changes to WMI on the Domain Controller for the agentless integration with AD.

Modifying WMI

After you log in to the Domain Controller as a Domain Admin, launch the WMI console by entering wmimgmt.msc in the Start > Run dialog. The WMI Control console opens.

Highlight WMI Control (Local), open its Properties, and click the Security tab to access the root of CIMV2.

Double-click Root to expand it and navigate to CIMV2. Open its Security settings, where you add the paloaltoldap@paynetonline.com user account.

Grant the Enable Account and Remote Enable permissions to the paloaltoldap@paynetonline.com account.

Save all the changes, and you're ready to configure the Palo Alto Networks integration with the AD.
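The same WMI change made from PowerShell, as an added example that is not part of the Palo Alto Networks article: it grants exactly the two rights the article names (Enable Account and Remote Enable) on root\cimv2 to the service account, then reads the namespace DACL back so you can confirm no broader right was granted. The namespace and account are the article's; the choice to make the entry inheritable by sub-namespaces is an assumption (the GUI equivalent is "This namespace and subnamespaces"). Run on the domain controller as a Domain Admin.

```powershell
# Added example (not from the Palo Alto Networks article): grant the User-ID service account
# Enable Account + Remote Enable on root\cimv2 and verify the resulting DACL.
$Namespace = 'root\cimv2'
$Account   = 'paynetonline\paloaltoldap'

# WMI namespace access-mask bits (WBEM_ENABLE and WBEM_REMOTE_ACCESS from wbemcli.h).
$WBEM_ENABLE             = 0x1    # "Enable Account" in the WMI Control GUI
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable" in the WMI Control GUI
$CONTAINER_INHERIT_ACE   = 0x2    # assumption: apply to sub-namespaces as well
$ACCESS_ALLOWED_ACE_TYPE = 0x0

# Read the current security descriptor of the namespace.
$security = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$result   = $security.GetSecurityDescriptor()
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$sd = $result.Descriptor

# Resolve the account to a SID; Translate() throws if the account does not exist.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value

# Build the trustee and an allow ACE carrying only the two required bits.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $sid
$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # 0x21
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the ACE and write the descriptor back.
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$set = $security.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# Verify: list every ACE on the namespace. The service account should show mask=0x21;
# anything with 0x2 (Execute Methods) or 0x4 (Full Write) would be more than it needs.
$check = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
foreach ($entry in $check.DACL) {
    $name = try {
        (New-Object System.Security.Principal.SecurityIdentifier($entry.Trustee.SidString)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry.Trustee.SidString }
    '{0,-40} mask=0x{1:X} flags=0x{2:X}' -f $name, $entry.AccessMask, $entry.AceFlags
}
```

The verification loop is the part worth keeping for later audits: re-running it shows whether anyone has since widened the account's rights on the namespace.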

Overview of the Palo Alto Networks WebGUI

The Web-based GUI is user friendly, but some functions are unique to Palo Alto Networks. Gear boxes allow users to access additional configuration options.

Locate the Add button at the bottom of the GUI.

Changes to the configuration file do not take effect until you Commit the changes. Saving changes does not commit them. The GUI has three options in the upper right corner: Commit, Lock, and Save:

  • Commit is grayed out if there are no changes to the config file; if there are changes, the option is light blue.
  • Lock prevents any changes to the config file.
  • Save allows changes without committing them.

Config changes do not require rebooting.

The main GUI is divided into two sections: tabs along the top, and the left pane with the configuration settings for each option defined in the tabs.

Subtabs allow configuring additional options.

To integrate with the Windows AD, you must enter the IP addresses of the Windows DNS servers and the NTP server. After you log in to the Palo Alto Networks device, click the Device tab and Setup in the left pane. From the subtab menu, click the Services tab, then the Gear box in the corner, as shown in the following example.

Under Services, add IP addresses for the Primary and Secondary DNS servers. 

Under NTP, add the IP address for the NTP server.

After you configure DNS settings, familiarize yourself with the following options in the left pane: Administrators, User Identification, Server Profiles > LDAP, and Authentication Profile.

It's a good idea to follow a specific sequence to configure integration with AD to eliminate errors. We recommend starting with LDAP configuration. You will expand the Server Profiles section and navigate to LDAP. In the lower left corner of the GUI, click Add.

LDAP: in the lower left corner of the GUI, click the Add button to add an LDAP Server Profile.

The LDAP Server Profile displays, allowing you to configure authentication with the LDAP server. Because you can have more than one LDAP Server Profile, it's important to give each one a logical name.

Have the following information ready before proceeding with the configuration:

  • LDAP server name
  • LDAP server IP address
  • LDAP port number
  • User account and the password that you used in WMI configuration
  • Base pointers

Because there are multiple implementations of LDAP and Palo Alto Networks supports SSL for authenticating with LDAP, the LDAP type defaults to other and the SSL option is checked by default.

You must name the LDAP Server Profile or you'll be unable to save the configuration. Select a clear and logical name, since you may have multiple LDAP Server Profiles. This name can also follow company naming standards. A clear and understandable naming scheme is extremely helpful when troubleshooting.

The LDAP Servers configuration box is divided into columns and rows. Each row has cells that must be populated with the appropriate values. To populate a cell, click it until it turns yellow and the cursor starts blinking. After you fill in the cell, press Tab to move to the next one.

For the type of the LDAP server, select active-directory from the drop-down menu.

The Base can be entered manually, or it will populate after you enter the Bind DN login ID and the password. If you don't have SSL configured for the connection to LDAP, uncheck SSL, or you won't be able to connect to the LDAP server.
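Before committing the profile it helps to reproduce, from a Windows host, the bind and lookup the firewall will perform with these settings. The following is an added PowerShell example, not code from the Palo Alto Networks article: it derives the Base from the domain name the way the profile auto-populates it, binds with the service account over port 636 (SSL checked) or 389 (SSL unchecked), and then looks up an administrator by sAMAccountName, the login attribute used later in the Authentication Profile. The DC hostname and the sample login name are assumptions; the account and domain are the article's. The filter value is escaped per RFC 4515 so a login name containing filter metacharacters cannot change the query.

```powershell
# Added example (not from the Palo Alto Networks article): validate Bind DN, password, port,
# SSL choice and Base by performing the same bind and sAMAccountName lookup the firewall will.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.paynetonline.com'          # assumed DC hostname
$UseSsl   = $true                            # $false if the DC has no LDAPS certificate
$Port     = if ($UseSsl) { 636 } else { 389 }
$Domain   = 'paynetonline.com'
$BindDn   = 'paloaltoldap@paynetonline.com'  # AD accepts the UPN as a bind name
$Password = Read-Host -Prompt "Password for $BindDn" -AsSecureString

# Derive the Base the same way the profile auto-populates it: one DC= component per label.
function ConvertTo-BaseDn([string]$DnsDomain) {
    ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}
$BaseDn = ConvertTo-BaseDn $Domain           # DC=paynetonline,DC=com

# RFC 4515 escaping for a value placed inside a filter; backslash must be handled first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $UseSsl
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)

try {
    $conn.Bind()   # fails on a bad password, wrong port, or a failed TLS handshake
    'Bind OK to {0}:{1} (SSL={2}) as {3}' -f $Server, $Port, $UseSsl, $BindDn
} catch [System.DirectoryServices.Protocols.LdapException] {
    throw "Bind failed (check Bind DN/password, port and the SSL setting): $($_.Exception.Message)"
}

# Look up one administrator by the login attribute the Authentication Profile will use.
$loginName = 'jdoe'                          # constructed sample admin login
$filter = '(&(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $loginName)

$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $BaseDn
$req.Filter = $filter
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$req.Attributes.Add('distinguishedName')
[void]$req.Attributes.Add('sAMAccountName')

$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) {
    Write-Warning "No object with sAMAccountName=$loginName found under $BaseDn"
}
foreach ($entry in $resp.Entries) { $entry.DistinguishedName }
$conn.Dispose()
```

If the bind succeeds here but the firewall still cannot connect, the difference is almost always the SSL setting or the port in the profile rather than the credentials.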

After you click OK, commit the change to the running config. Now you are ready to establish a WMI connection with the Windows domain servers.

Click User Identification in the left pane, then the User Mapping tab, then the Gear box, and enter the same credentials you used to configure the WMI settings on the Domain server; in this case, the account is paloaltoldap.

Specify the domain where the user account resides; in this case, it is paynetonline\paloaltoldap.

Complete all the steps, then add your Windows Domain Controllers by clicking Discover in the Server Monitoring section. The domain controllers populate automatically with a status of Connected, which indicates that you have successfully established a connection with the Windows AD LDAP. A status of Disconnected (red) means there is a mistake in the configuration, most likely an authentication issue: verify the WMI configuration and the account credentials.

The next step is to create the Authentication Profile. There could be several authentication profiles; therefore, it is important to logically name them. Click Authentication Profile in the left pane, then click Add.

It's important to use a clear and logical name for Authentication Profile because you may have multiple profiles with various users’ rights. Secondly, Palo Alto Networks PAN-OS doesn't allow saving an Authentication Profile without a name. Switch Authentication type from Local Database to LDAP by clicking the arrow to expand the drop-down menu.

Select the Server Profile you created in the previous section and set the Login Attribute to sAMAccountName.

sAMAccountName is an important setting. This attribute specifies the login name used to support clients and servers running LAN Manager and older versions of the operating system, such as Windows NT 4.0, Windows 95, and Windows 98. Its schema definition in AD is:

  cn: SAM-Account-Name
  ldapDisplayName: sAMAccountName
  attributeId: 1.2.840.113556.1.4.221
  attributeSyntax: 2.5.5.12
  omSyntax: 64
  isSingleValued: TRUE
  schemaIdGuid: 3e0abfd0-126a-11d0-a060-00aa006c33ed
  systemOnly: FALSE
  searchFlags: fPRESERVEONDELETE | fANR | fATTINDEX
  rangeLower: 0
  rangeUpper: 256
  attributeSecurityGuid: 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
  isMemberOfPartialAttributeSet: TRUE
  systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
  schemaFlagsEx: FLAG_ATTR_IS_CRITICAL

You cannot log in using your Windows login user name if the sAMAccountName attribute is undefined.

The last step is to add or create login accounts for the firewall’s administrators. The accounts have to match account naming conventions used in your Active Directory. Click the Administrators link in the left pane, then click Add.

The name must match the user ID in Active Directory. For the Authentication Profile, select the profile you created in the previous section; in this case, it is Paynet Admins.

After you switch the Authentication Profile, you do not have to enter any passwords. By default, all the Firewall Admins are set to Superuser.

Firewall Admin rights can be set to:

  • Superuser
  • Superuser (read-only)
  • Device administrator
  • Device administrator (read-only)

Finally, the following is what you see after the configuration is complete. Notice that the Authentication Profile column tells you which profile is being used by each user.

Additional Information


HOW TO CONFIGURE AGENTLESS USER-ID
