Securing your SAML Deployments

87757

Created On 06/23/20 18:12 PM - Last Modified 06/30/20 18:17 PM

GlobalProtect Gateway

GlobalProtect Portal

SAML

GlobalProtect

Prisma Access

Hardware

PAN-OS

Panorama

VM-Series

Objective

If you are a Palo Alto Network customer and do not use SAML on your NGFW, VM-Series, Panorama devices, or on Prisma Access, you are NOT IMPACTED by CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication.

Check if you are using SAML
If you are using SAML, apply mitigations if your SAML Identity Provider allows it
Consider immediately upgrading NGFW, Panorama and VM-Series firewalls to the latest maintenance versions of PAN-OS

Environment

NGFW, VM-Series
Panorama
GlobalProtect Portal/Gateway
Prisma Access
SAML

Procedure

Decision Tree for Securing your SAML deployments

For Panorama, NGFW, VM-Series Customers (including GlobalProtect)
Configuration	Next Steps
If SAML is NOT configured [check your configuration]	No action required. Stop.
If SAML is configured	Solution - With Upgrade	Solution - Without Upgrade
If SAML is configured	Before you upgrade Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate. Ensure that your SAML IdP sends signed SAML Responses, Assertions or both. Upgrade immediately to PAN-OS 8.1.15, 9.0.9, 9.1.3 (as applicable), or later releases. We recommend prioritizing Global Protect Gateways and Portals over upgrading other Firewalls/Panorama. After you upgrade Invalidate previously issued GlobalProtect Auth Override Cookies Invalidate users who were previously authenticated through Captive Portal/Authentication Portal	Your IdP must allow CA-issued certificates to apply these mitigations and reduce risk. Verify this first with your IdP administrator before proceeding. Ensure that your SAML IdP sends signed SAML Responses, Assertions or both. Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate. Ensure that you have enabled Validate Identity Provider Certificate on PAN-OS/Panorama Invalidate previously issued GlobalProtect Auth Override Cookies Invalidate sessions of administrators who were previously authenticated through SAML Admin Authentication. Invalidate users who were previously authenticated through Captive Portal/Authentication Portal

For Prisma Access Customers
Configuration	Next Steps
If SAML is NOT configured [check your configuration]	No action required. Stop.
If SAML is configured	Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC After you upgrade: For Prisma Access Panorama Managed Invalidate previously issued GlobalProtect Auth Override Cookies For Prisma Access Cloud Managed No action required. Stop.
If SAML is configured

Technical Details & How To

1. Check if SAML is configured

When using Panorama

Step 1

Check whether SAML authentication is enabled for Panorama administrator authentication. Navigate to Panorama > Server Profiles > SAML Identity Provider:

If you don’t see any profiles, then you haven’t configured SAML. Proceed to Step 2.
If you see profiles then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.

Step 2

Check whether SAML authentication is enabled for firewalls managed by Panorama. Navigate to Device > [template] > Server Profiles > SAML Identity Provider. Check each Template.

If you don’t see any profiles, then you haven’t configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest convenience.
If you see profiles then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.

When using NGFWs only (no Panorama)

On each firewall, check whether SAML authentication is enabled for firewalls. Navigate to Device > Server Profiles > SAML Identity Provider.

If you don’t see any profiles, then you haven’t configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest.
If you see profiles then you are using SAML.Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.

2. Solution without Upgrade

For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Before you proceed:

To apply this mitigation, you need the signing certificate used by your IdP to be a Certificate Authority (CA) issued certificate.
Many popular IdP providers issue a self-signed certificate by default but provide options to use a certificate issued by your CA. While some IdPs like Azure provide UI options to upload CA-issued certificates, others like Okta might need you to make API calls. We recommend that you first review the links provided in Step 3 with your IdP Administrator to determine the feasibility of this mitigation.
CA-issued certificates cannot be used if your IdP is Duo Access Proxy or Google Cloud Identity. Immediate action is required to upgrade to the latest maintenance release of PAN-OS.

Step 1 - Verify that your IdP is signing SAML responses and/or assertion

Step 2 - Check if SAML IdP Server Profiles are set up with IDP Certificate certificate

Step 3 - Check if “Validate Identity Provider Certificate” is enabled

Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies

If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama or the firewall web interface, and commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.

Step 5 - Invalidate sessions of administrators users who were previously authenticated through SAML Admin Authentication

Please note: Restarting firewalls and Panorama eliminates any unauthorized sessions on the web interface. If you have restarted the firewall/Panorama, the following steps are not necessary.

If you are using SAML for Admin Authentication and have not restarted the firewall/Panorama, run the following commands:
To delete all admin sessions:
- delete admin-sessions
To find admins authenticated via UI and delete those admin sessions:
- show admins
- delete admin-sessions username <admin-username>

Step 6 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal

If using Captive Portal or Authentication Portal, run the following commands:
- show user ip-user-mapping all type SSO
- clear user-cache-mp <above IP-addresses>
- clear user-cache <above IP-addresses>

Stop here if you have completed the implementation of the solution that does not include upgrading Panorama, NGFW, or VM-Series (including GlobalProtect).

3. Solution with Upgrade

For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Before you Upgrade:

Step 1 - Verify that your IdP is signing SAML responses and/or assertions

Step 2 - Check if SAML IdP Server Profiles are set up with IDP Certificate certificate

Upgrade PAN-OS:

We recommend prioritizing upgrading Global Protect Gateways and Portals over upgrading other Firewalls/Panorama.

Step 3 - Consult the Release Notes for the latest maintenance release of PAN-OS:

Follow instructions in the specific Release Notes to upgrade your NGFW, VM-Series, or Panorama appliances to the latest maintenance release.

After you upgrade PAN-OS:

Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies

If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama, then commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.

Step 5 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal

If using Captive Portal or Authentication Portal, run the following commands:
- show user ip-user-mapping all type SSO
- clear user-cache-mp <above IP-addresses>
- clear user-cache <above IP-addresses>

Stop here if you have completed the implementation of the solution to upgrade Panorama, NGFW, or VM-Series (including GlobalProtect).

Prisma Access Customers using Panorama to manage Prisma Access Firewalls

Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC

After the Prisma Access Upgrade:

Step 1 - Invalidate previously issued GlobalProtect Auth Override Cookies

If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the Prisma Access upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama and commit and push the changes.

After you have made the previous changes, Prisma Access automatically logs out old GlobalProtect user sessions, and the GlobalProtect App on the endpoint will re-authenticate the user to establish a new connection.

Stop here if you have completed the implementation of the solution to upgrade Panorama, NGFW, or VM-Series (including GlobalProtect).

Referenced Documentation

Verify that your IdP is signing SAML responses and/or assertions

If you are using Microsoft ADFS, Microsoft Azure, Google Cloud Identity, OneLogin, PingFederate, or PingOne as your SAML IdP, proceed to the next step.
If you are using Okta or any other IdP, verify that your IdP is signing SAML responses and/or assertions. As a security best practice, you must configure your IdP to sign the SAML response, the SAML assertion, or both.

SAML IdP Provider	Action
ADFS Azure AD Google OneLogin PingFederate Ping One	SAML Responses and/or Assertions are signed. Proceed to the next step
Okta	Proceed to the next step if you have used any of the below Integrations on OIN(Okta Integration Network) to setup SAML profile Palo Alto Networks - GlobalProtect Palo Alto Networks - Admin UI Palo Alto Networks - CaptivePortal Action required, if you have set up the SAML configuration in Okta using App Integration Wizard. Ensure that you are sending signed responses, signed assertions, or both.
Duo Access Gateway	Proceed to the next step if you are using Palo Alto Networks integration on Duo Access Gateway. Action required if you have set up the SAML Configuration using Generic Service Provider integration on Duo Access Gateway. Ensure that you are sending signed responses, signed assertions, or both
Other IdPs	Please verify that you have configured your IdP to sign SAML responses, assertions, or both.

Return to Solution without Upgrade
Return to Solution with Upgrade

Check if SAML IdP Server Profiles are set up with IDP certificate

Ensure that the IdP Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface.

Verify that you have selected the Identity Provider Certificate that your IdP uses to sign SAML messages.
If you do not have your Identity Provider (IdP) certificate available in the drop-down, you must add one. Use the instructions in Step 2 in this link.

Return to Solution without Upgrade
Return to Solution with Upgrade

Check if “Validate Identity Provider Certificate” is enabled

Ensure that Validate Identity Provider Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface. If this is enabled, no further actions are needed.

To enable Validate Identity Provider Certificate, you will need the signing certificate used by your IdP to be issued by a Certificate Authority (CA). While popular IdPs issue a self-signed certificate by default, they generally allow you to use a certificate issued by your CA. Some IdPs like Azure provide UI options to upload CA-issued certificates, and others like Okta need you to make API calls to use your own certificate. Talk to your IdP administrator to ensure that the IdP is configured correctly to enable this.

Here are a few helpful links to guide the conversation with your IdP administrator:

SAML IdP Provider	Links
ADFS	Additional Guidance
Azure AD	Additional Guidance
Duo Access Gateway	Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.
Google Cloud Identity	Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.
Okta	Additional Guidance
Ping One	Additional Guidance
OneLogin	Additional Guidance
Other IdPs	Once a CA-issued certificate has been configured on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this: Ask your IdP administrator for IdP metadata. Import the IdP metadata into PAN-OS and/or Panorama, ensure that the Validate Identity Provider Certificate checkbox is enabled, then click OK to save the SAML IdP server profile. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. Commit the configuration to Panorama and/or the firewalls.