Securing your SAML Deployments
Objective
If you are a Palo Alto Networks customer and do not use SAML on your NGFW, VM-Series, Panorama devices, or on Prisma Access, you are NOT IMPACTED by CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication.
- Check if you are using SAML
- If you are using SAML, apply mitigations if your SAML Identity Provider allows it
- Consider immediately upgrading NGFW, Panorama and VM-Series firewalls to the latest maintenance versions of PAN-OS
Environment
- NGFW, VM-Series
- Panorama
- GlobalProtect Portal/Gateway
- Prisma Access
- SAML
Procedure
For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Configuration | Next Steps
---|---
If SAML is NOT configured | No action required. Stop.
If SAML is configured | Solution - With Upgrade, or Solution - Without Upgrade. Before you upgrade: your IdP must allow CA-issued certificates to apply these mitigations and reduce risk. Verify this first with your IdP administrator before proceeding.
For Prisma Access Customers

Configuration | Next Steps
---|---
If SAML is NOT configured | No action required. Stop.
If SAML is configured | Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC. After you upgrade: follow the steps under "Prisma Access Customers using Panorama to manage Prisma Access Firewalls" below.
Technical Details & How To
1. Check if SAML is configured
Step 1
- If you don't see any profiles, then you haven't configured SAML. Proceed to Step 2.
- If you see profiles, then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply the suggested configuration to mitigate if an upgrade is not possible.
Step 2
- If you don't see any profiles, then you haven't configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest convenience.
- If you see profiles, then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply the suggested configuration to mitigate if an upgrade is not possible.
When using NGFWs only (no Panorama)
On each firewall, check whether SAML authentication is enabled. Navigate to Device > Server Profiles > SAML Identity Provider.
- If you don't see any profiles, then you haven't configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest convenience.
- If you see profiles, then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply the suggested configuration to mitigate if an upgrade is not possible.
2. Solution without Upgrade
Before you proceed:
- To apply this mitigation, you need the signing certificate used by your IdP to be a Certificate Authority (CA) issued certificate.
- Many popular IdPs issue a self-signed certificate by default but provide options to use a certificate issued by your CA. While some IdPs like Azure provide UI options to upload CA-issued certificates, others like Okta might need you to make API calls. We recommend that you first review the links provided in Step 3 with your IdP administrator to determine the feasibility of this mitigation.
- CA-issued certificates cannot be used if your IdP is Duo Access Proxy or Google Cloud Identity. Immediate action is required to upgrade to the latest maintenance release of PAN-OS.
Step 1 - Verify that your IdP is signing SAML responses and/or assertion
Step 2 - Check if SAML IdP Server Profiles are set up with the IdP Certificate
Step 3 - Check if “Validate Identity Provider Certificate” is enabled
Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies
- If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama or the firewall web interface, and commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
- Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.
Please note: Restarting firewalls and Panorama eliminates any unauthorized sessions on the web interface. If you have restarted the firewall/Panorama, the following steps are not necessary.
- If you are using SAML for Admin Authentication and have not restarted the firewall/Panorama, run the following commands:
  - To delete all admin sessions: `delete admin-sessions`
  - To find admins authenticated via the UI and delete those admin sessions: `show admins`, then `delete admin-sessions username <admin-username>`
Step 6 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal
- If using Captive Portal or Authentication Portal, run the following commands:
  - `show user ip-user-mapping all type SSO`
  - `clear user-cache-mp <above IP-addresses>`
  - `clear user-cache <above IP-addresses>`
Stop here if you have completed the implementation of the solution that does not include upgrading Panorama, NGFW, or VM-Series (including GlobalProtect).
3. Solution with Upgrade
For Panorama, NGFW, VM-Series Customers (including GlobalProtect)
Before you Upgrade:
Step 1 - Verify that your IdP is signing SAML responses and/or assertions
Step 2 - Check if SAML IdP Server Profiles are set up with the IdP Certificate
Upgrade PAN-OS:
We recommend prioritizing upgrading GlobalProtect Gateways and Portals over upgrading other firewalls/Panorama.
Step 3 - Consult the Release Notes for the latest maintenance release of PAN-OS:
Follow instructions in the specific Release Notes to upgrade your NGFW, VM-Series, or Panorama appliances to the latest maintenance release.
After you upgrade PAN-OS:
Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies
- If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama, then commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
- Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.
Step 5 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal
- If using Captive Portal or Authentication Portal, run the following commands:
  - `show user ip-user-mapping all type SSO`
  - `clear user-cache-mp <above IP-addresses>`
  - `clear user-cache <above IP-addresses>`
Prisma Access Customers using Panorama to manage Prisma Access Firewalls
Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC
After the Prisma Access Upgrade:
Step 1 - Invalidate previously issued GlobalProtect Auth Override Cookies
If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the Prisma Access upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama and commit and push the changes.
After you have made the previous changes, Prisma Access automatically logs out old GlobalProtect user sessions, and the GlobalProtect App on the endpoint will re-authenticate the user to establish a new connection.
Stop here if you have completed the implementation of the solution to upgrade Panorama, NGFW, or VM-Series (including GlobalProtect).
Referenced Documentation
Verify that your IdP is signing SAML responses and/or assertions
- If you are using Microsoft ADFS, Microsoft Azure, Google Cloud Identity, OneLogin, PingFederate, or PingOne as your SAML IdP, proceed to the next step.
- If you are using Okta or any other IdP, verify that your IdP is signing SAML responses and/or assertions. As a security best practice, you must configure your IdP to sign the SAML response, the SAML assertion, or both.
SAML IdP Provider | Action
---|---
Microsoft ADFS, Microsoft Azure, Google Cloud Identity, OneLogin, PingFederate, PingOne | SAML Responses and/or Assertions are signed. Proceed to the next step.
Okta | Proceed to the next step if you have used any of the below integrations on OIN (Okta Integration Network) to set up the SAML profile.
Duo Access Gateway | Proceed to the next step if you are using the Palo Alto Networks integration on Duo Access Gateway.
Other IdPs | Please verify that you have configured your IdP to sign SAML responses, assertions, or both.
Return to Solution without Upgrade
Return to Solution with Upgrade
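The check in Step 1 is usually done by capturing a SAML response from the IdP (for example with a browser SAML tracer) and looking at where the `ds:Signature` element sits. The helper below is an added example written for this article, not a Palo Alto Networks tool: it reports whether the Response and/or the Assertion is signed and whether the certificate embedded in the signature matches the one selected as the Identity Provider Certificate in the SAML IdP Server Profile. The SAML response and the two base64 "certificates" are constructed placeholders; the real comparison would use the PEM body of the IdP's signing certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 messages and XML Digital Signatures.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate (PEM body without headers)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signing_summary(response_xml: str, configured_idp_cert_b64: str) -> dict:
    """Report whether the Response and/or Assertion carry a ds:Signature and whether
    every embedded signing certificate matches the Identity Provider Certificate
    selected in the SAML IdP Server Profile. Presence is checked, not validity:
    cryptographic verification is the firewall's job once the profile is correct."""
    root = ET.fromstring(response_xml)
    response_sig = root.find("ds:Signature", NS)          # Response-level signature
    assertion = root.find("saml:Assertion", NS)
    assertion_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    configured_fp = _fingerprint(configured_idp_cert_b64)
    embedded = [_fingerprint(c.text)
                for sig in (response_sig, assertion_sig) if sig is not None
                for c in sig.findall(".//ds:X509Certificate", NS) if c.text]
    return {"response_signed": response_sig is not None,
            "assertion_signed": assertion_sig is not None,
            "cert_matches_configured": bool(embedded) and all(fp == configured_fp for fp in embedded)}

# Constructed placeholder "certificates" (not real X.509 DER); they only exercise the
# fingerprint comparison. Use the PEM body of the real IdP signing certificate instead.
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-unrelated-cert").decode()

# Constructed response: unsigned outer Response, signed Assertion (a common IdP default).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

A result with neither element signed means the IdP must be reconfigured before any of the PAN-OS settings can help; a certificate mismatch means the wrong Identity Provider Certificate is selected in the profile.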
Check if SAML IdP Server Profiles are set up with IDP certificate
Ensure that the IdP Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface.
- Verify that you have selected the Identity Provider Certificate that your IdP uses to sign SAML messages.
- If you do not have your Identity Provider (IdP) certificate available in the drop-down, you must add one. Use the instructions in Step 2 in this link.
Check if “Validate Identity Provider Certificate” is enabled
Ensure that Validate Identity Provider Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface. If this is enabled, no further actions are needed.
To enable Validate Identity Provider Certificate, you will need the signing certificate used by your IdP to be issued by a Certificate Authority (CA). While popular IdPs issue a self-signed certificate by default, they generally allow you to use a certificate issued by your CA. Some IdPs like Azure provide UI options to upload CA-issued certificates, and others like Okta need you to make API calls to use your own certificate. Talk to your IdP administrator to ensure that the IdP is configured correctly to enable this.
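Checking "across all SAML IdP profiles on the firewall and Panorama" by hand is error-prone when profiles live in shared, vsys and template scopes. The audit helper below is an added example written for this article, not a Palo Alto Networks tool: it walks a configuration export and lists every SAML IdP Server Profile that still has no Identity Provider Certificate selected or has Validate Identity Provider Certificate disabled, and also answers the Step 1 question of whether SAML is configured at all. The element names `saml-idp`, `certificate` and `validate-idp-certificate` are assumed from the PAN-OS XML configuration schema, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

def audit_saml_profiles(config_xml: str) -> list:
    """Walk every SAML IdP Server Profile in a PAN-OS / Panorama configuration export
    and report the two settings the mitigation depends on. Element names (saml-idp,
    certificate, validate-idp-certificate) are assumed from the PAN-OS XML schema."""
    root = ET.fromstring(config_xml)
    results = []
    # Search the whole tree so shared, vsys and Panorama template profiles are all found.
    for entry in root.iterfind(".//saml-idp/entry"):
        name = entry.get("name", "<unnamed>")
        cert = (entry.findtext("certificate") or "").strip()
        validate = (entry.findtext("validate-idp-certificate") or "no").strip().lower()
        findings = []
        if not cert:
            findings.append("no Identity Provider Certificate selected")
        if validate != "yes":
            findings.append("Validate Identity Provider Certificate not enabled")
        results.append({"profile": name, "idp_certificate": cert or None,
                        "validate_idp_certificate": validate == "yes",
                        "findings": findings})
    return results

def saml_in_use(config_xml: str) -> bool:
    """No SAML IdP profiles at all means SAML is not configured (Step 1 of the article)."""
    return bool(audit_saml_profiles(config_xml))

def profiles_needing_action(config_xml: str) -> list:
    """Names of profiles that still need the mitigation (or an upgrade)."""
    return [r["profile"] for r in audit_saml_profiles(config_xml) if r["findings"]]

# Constructed sample export: one profile already hardened, one still using the defaults.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-prod">
          <certificate>okta-ca-issued-signing-cert</certificate>
          <entity-id>http://www.okta.com/EXAMPLE-ENTITY-ID</entity-id>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="adfs-legacy">
          <entity-id>http://adfs.example.test/adfs/services/trust</entity-id>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""
```

Run it against the export from each firewall and from Panorama; any profile it lists is one where the mitigation is not yet in place and an upgrade remains the only complete fix.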
Here are a few helpful links to guide the conversation with your IdP administrator:
SAML IdP Provider | Links
---|---
ADFS | Additional Guidance
Azure AD | Additional Guidance
Duo Access Gateway | Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.
Google Cloud Identity | Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.
Okta | Additional Guidance
Ping One | Additional Guidance
OneLogin | Additional Guidance
Other IdPs | Once a CA-issued certificate has been configured on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:
Return to Solution without Upgrade
Return to Solution with Upgrade