Configuring IPS with PAN Firewall
This section covers the configuration of IPS for adding PAN firewall as an Infranet Enforcer.
Configuring PAN Infranet Enforcer in IPS
The IPS configuration requires defining a new Palo Alto Networks Firewall Infranet Enforcer instance on IPS and then fetching an API key from the firewall. IPS uses this API key to authenticate its calls to the firewall's management API. The key carries the permissions of the firewall administrator account used to generate it, so use a dedicated administrator account for IPS rather than a shared superuser account. The standard user authentication and authorization configuration, such as Auth Table Mapping Policies, must also be created and associated with the required roles.
To configure a Palo Alto Networks Firewall Infranet Enforcer in IPS:
- Select Endpoint Policy > Infranet Enforcer.
- Click New Infranet Enforcer and select Palo Alto Networks Firewall in the Platform drop down.
- Enter the Name and IP Address of the Palo Alto Networks firewall and then click Get API Key which opens a new page:
- Enter the Admin Username and Admin Password of the Palo Alto Networks firewall and then click Retrieve. IPS uses these credentials to fetch the API key from the firewall. Once the API key is retrieved, the page returns to the New Infranet Enforcer page with the API Key field filled in.
See Configuring PAN Device Certificates for the procedure IPS uses to validate the firewall's certificate on this connection.
- Click Save Changes.
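As an added example, not code from Ivanti or Palo Alto Networks, the following Python script performs the same key retrieval that the Get API Key button performs: it calls the PAN-OS XML API keygen operation with an administrator's credentials and parses the reply. The firewall host name, account name, CA bundle path and the two sample responses are constructed for the example; the credentials are sent in the POST body rather than the query string so they do not land in access logs, and the TLS context verifies the firewall certificate instead of disabling verification.

```python
"""Retrieve a PAN-OS XML API key the way IPS's "Get API Key" button does.

Added example, not Ivanti's or Palo Alto Networks' code. Assumed for the
example: the PAN-OS XML API keygen call (https://<firewall>/api/?type=keygen),
its response shape <response status="success"><result><key>..</key></result></response>,
and the host/account/CA path used in the usage section.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def keygen_request(host, user, password):
    """Build the keygen POST. Credentials go in the form body, not the URL,
    so they do not end up in proxy or web-server access logs."""
    url = f"https://{host}/api/?type=keygen"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_keygen_response(xml_text):
    """Return the key from a keygen reply, or raise with the firewall's message."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or xml_text
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reported success but returned no <key>")
    return key


def fetch_api_key(host, user, password, cafile):
    """Perform the call. The TLS context verifies the firewall's certificate
    against the given CA bundle; do not turn verification off to make the
    call succeed, since the key would then be sent to whoever answers."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = keygen_request(host, user, password)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample replies in the shape PAN-OS returns them.
SAMPLE_OK = ('<response status="success"><result>'
             '<key>LUFRPT1example</key></result></response>')
SAMPLE_FAIL = ('<response status="error" code="403"><result>'
               '<msg>Invalid Credential</msg></result></response>')

if __name__ == "__main__":
    # Offline demonstration on the constructed replies; a real run would be
    # fetch_api_key("fw.example.net", "ips-api", password, "/etc/ssl/fw-ca.pem").
    print("key:", parse_keygen_response(SAMPLE_OK))
    try:
        parse_keygen_response(SAMPLE_FAIL)
    except RuntimeError as err:
        print("rejected:", err)
```

Store the returned key with the same care as the administrator password: anyone holding it can act on the firewall as that administrator until the key is revoked on the firewall side.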
Configuring Auth Table Mapping Policies
An auth table entry consists of the user's name, a set of roles, and the IP address of the wired, wireless, or virtual adapter. An auth table mapping policy specifies which enforcer device can be used for each user role. These policies prevent the IPS from creating unnecessary auth table entries on all connected enforcer devices.
IPS's default configuration includes only one default auth table mapping policy. When the default auth table mapping policy is enabled, IPS pushes one auth table entry for each authenticated user to all Palo Alto Networks firewalls configured as Infranet Enforcers in IPS.
To configure an Auth Table Mapping Policy:
- Select Endpoint Policy > Infranet Enforcer > Auth Table Mapping and click New Policy.
- On the New Policy page:
- For Name, enter a name to label the auth table mapping policy.
- (Optional) For Description, enter a description.
- In the Enforcer section, specify the Infranet Enforcer firewall(s) to which you want to apply the auth table mapping policy.
- Under Enforcement Settings, enable Provision only IP-User mapping to Palo Alto Networks Enforcer to push only the IP-to-user mapping to the firewall instead of the full auth table entry (user, roles and IP address).
This option is available only for the Palo Alto Networks Enforcer.
Use it when the security policy on the Palo Alto Networks firewall already resolves group membership itself (for example, an LDAP group lookup against an AD server): enable Provision only IP-User mapping to Palo Alto Networks Enforcer in Ivanti Policy Secure and let the firewall's group lookup control resource access.
- In the Roles section, specify:
- Policy applies to ALL roles: select this option to apply the auth table mapping policy to all users.
- Policy applies to SELECTED roles: select this option to apply the auth table mapping policy only to users who are mapped to roles in the Selected roles list. You can add roles to this list from the Available roles list.
- Policy applies to all roles OTHER THAN those selected below: select this option to apply the auth table mapping policy to all users except those who map to roles in the Selected roles list. You can add roles to this list from the Available roles list.
- In the Action section, specify auth table mapping rules for the specified Infranet Enforcer.
- Always Provision Auth Table: select this option to automatically provision auth table entries for the chosen roles on the specified Infranet Enforcer.
- Provision Auth Table as Needed: select this option to provision auth table entries only when a user with a chosen role attempts to access a resource behind the specified Infranet Enforcer. This option is greyed out for Palo Alto Networks Firewall Enforcers because it is not supported on them.
- Never Provision Auth Table: select this option to prevent the chosen roles from accessing resources behind the specified Infranet Enforcer.
- IPS's default configuration includes a default auth table mapping policy that allows all source IP endpoints to use all Infranet Enforcers. You must delete this Default Policy if you configure any custom auth table mapping policies; while it remains, every authenticated user is still pushed to every enforcer, and the scoping your custom policies apply has no effect.
- If you created a vsys on the PAN Enforcer, enter the ID of the vsys in the VSYS text box. If no VSYS ID is provided, the auth table is provisioned to the default vsys on the PAN firewall. To view the enforcers or vsys associated with each policy, select Endpoint Policy > Infranet Enforcer > Auth Table Mapping.
- Enable Provision Auth Table for one-to-one NAT deployment to provision auth table entries for endpoints that sit behind one-to-one NAT. Selecting this check box redirects you to a confirmation page; click Enable to confirm the setting.
- Click Save Changes.
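An auth table entry provisioned to a Palo Alto Networks firewall becomes a User-ID IP-to-user mapping on that firewall. The added example below, which is not Ivanti's or Palo Alto Networks' code, builds that mapping for the API described above: it composes a PAN-OS User-ID uid-message for one login and one logout, sends it with the API key obtained earlier, targets a specific vsys when one is given (defaulting to the firewall's default vsys, as the VSYS text box does), and parses the reply. The User-ID API call form (type=user-id with key, cmd and optional vsys parameters), the uid-message layout, and the user names and addresses are assumptions for the example, not taken from this page.

```python
"""Push one auth-table entry to PAN-OS as a User-ID IP-user mapping.

Added example, not Ivanti's or Palo Alto Networks' code. Assumed for the
example: the PAN-OS User-ID XML API (type=user-id with key, cmd and an
optional vsys query parameter), the <uid-message> payload layout, and the
constructed users, addresses and host name below.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins, logouts=(), timeout_min=60):
    """logins/logouts are iterables of (user, ip). Returns uid-message XML.
    The firewall matches the mapping against the source IP it sees on the
    packet, so for a host behind one-to-one NAT the mapped address must be
    the translated one (this is what the NAT option above is for)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def mappings_in(uid_xml):
    """Parse a uid-message back into (logins, logouts) lists of (user, ip)."""
    root = ET.fromstring(uid_xml)
    logins = [(e.get("name"), e.get("ip")) for e in root.findall("./payload/login/entry")]
    logouts = [(e.get("name"), e.get("ip")) for e in root.findall("./payload/logout/entry")]
    return logins, logouts


def userid_request(host, api_key, uid_xml, vsys=None):
    """Build the POST. Key and XML travel in the form body, keeping the key
    out of URLs and access logs. vsys selects the target virtual system;
    leaving it out addresses the firewall's default vsys."""
    params = {"type": "user-id"}
    if vsys:
        params["vsys"] = vsys
    url = f"https://{host}/api/?" + urllib.parse.urlencode(params)
    body = urllib.parse.urlencode({"key": api_key, "cmd": uid_xml}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def parse_userid_response(xml_text):
    """True on success; otherwise raise with the firewall's message."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//msg") or xml_text)
    return True


def push_mappings(host, api_key, cafile, logins, logouts=(), vsys=None):
    """Send the mappings, verifying the firewall certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = userid_request(host, api_key, build_uid_message(logins, logouts), vsys)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_userid_response(resp.read().decode())


# Constructed sample: one user arriving, one leaving.
SAMPLE_LOGINS = [("corp\\alice", "10.20.30.40")]
SAMPLE_LOGOUTS = [("corp\\bob", "10.20.30.41")]

if __name__ == "__main__":
    print(build_uid_message(SAMPLE_LOGINS, SAMPLE_LOGOUTS, timeout_min=20))
    print(userid_request("fw.example.net", "LUFRPT1example",
                         build_uid_message(SAMPLE_LOGINS), vsys="vsys2").full_url)
```

The logout entry matters as much as the login: a mapping that is never withdrawn keeps granting the departed user's access to whichever host next receives that IP address, which is why the entries carry a timeout as well.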
Configuring Resource Access Policy
A resource access policy specifies which users are allowed or denied access to a set of protected resources. You can specify which users you want to allow or deny by choosing the roles for each resource access policy.
Resource Access Policy and IoT Policy provisioning to a Palo Alto Networks firewall works only when the firewall keeps its default device name, localhost.localdomain.
Each Resource Access Policy targets a single vsys. To push a policy to several vsys on the same PAN firewall, create one Resource Access Policy per vsys.
To configure Infranet Enforcer resource access policies:
- Select Endpoint Policy > Infranet Enforcer > Resource Access Policy and click New Policy.
- On the New Policy page:
- For Name, enter a name to label this Infranet Enforcer resource access policy.
- (Optional) For Description, enter a description.
- For Resources, specify the protocol, IP address, network mask, and port of each resource (or range of addresses) to which this Infranet Enforcer resource access policy applies, one per line. Do not insert any spaces in your entries, or the policy may not be applied correctly.
- For IPv6 Resources, specify the protocol, IPv6 address and port of each resource (or range of addresses) to which this Infranet Enforcer resource access policy applies, one per line. Do not insert any spaces in your entries, or the policy may not be applied correctly.
You cannot specify a host name in a resource access policy; you can specify only an IP address. The protocol can be TCP, UDP, or ICMP.
- Under Infranet Enforcer, specify the Infranet Enforcer to which this policy applies by using Add.
- Specify one of the following in the Roles section:
- Policy applies to ALL roles: to apply this Infranet Enforcer resource access policy to all users.
- Policy applies to SELECTED roles: to apply this Infranet Enforcer resource access policy only to users who are mapped to roles in the Selected roles list. You must add roles to this list from the Available roles list.
- Policy applies to all roles other than those selected below: to apply this Infranet Enforcer resource access policy to all users except those who map to roles in the Selected roles list. You must add roles to this list from the Available roles list.
- In the Action section, specify whether you want to use this Infranet Enforcer resource access policy to allow or deny access to the specified resources.
- If you have created a vsys on the PAN Enforcer, enter the ID of the vsys in the VSYS text box. If no VSYS ID is provided, the policy is pushed to the default vsys on the PAN firewall.
The Infranet Enforcer > Resource Access Policy page displays the Enforcers and/or vsys that are associated with each policy.
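The resource lines are easy to get wrong in ways the page warns about (a stray space, a host name instead of an address, a protocol other than TCP/UDP/ICMP), and a mistake silently leaves the policy unapplied. As an added example, not part of the Ivanti product, the following Python pre-flight check lints a Resources field against those rules before it is pasted into the policy. The concrete line syntax it assumes, protocol://address/mask:port with * for any port, is taken from older UAC/IC documentation and is not stated on this page; the sample lines are constructed. IPv6 Resources use a separate field with a different syntax and are not handled here.

```python
"""Lint Resource Access Policy resource lines before saving the policy.

Added example, not Ivanti's code. Rules from the page: protocol, IP address,
mask and port per line; no spaces; no host names; TCP, UDP or ICMP only.
Assumed (not stated on the page): the line syntax protocol://address/mask:port,
with * meaning any port and no port for ICMP. IPv4 field only.
"""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "icmp"}
LINE_RE = re.compile(
    r"^(?P<proto>[a-z]+)://(?P<addr>[^/:]+)/(?P<mask>\d{1,2})"
    r"(?::(?P<port>\*|\d{1,5}))?$")


def check_resource_line(line):
    """Return None if the line is acceptable, otherwise a short reason."""
    if line != line.strip() or " " in line or "\t" in line:
        return "contains whitespace; the policy may not be applied"
    m = LINE_RE.match(line)
    if not m:
        return "not of the form protocol://address/mask:port"
    proto, addr, mask, port = m.group("proto", "addr", "mask", "port")
    if proto not in PROTOCOLS:
        return f"protocol {proto!r} is not tcp, udp or icmp"
    try:
        ipaddress.IPv4Address(addr)   # rejects host names and malformed addresses
    except ValueError:
        return f"{addr!r} is not an IPv4 address (host names are not allowed)"
    if not 0 <= int(mask) <= 32:
        return f"mask /{mask} is out of range"
    if proto == "icmp" and port not in (None, "*"):
        return "icmp has no port"
    if port not in (None, "*") and not 1 <= int(port) <= 65535:
        return f"port {port} is out of range"
    return None


def check_resource_block(text):
    """Check a whole Resources field, one resource per line.
    Returns a list of (line_number, reason) for the lines that fail."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        reason = check_resource_line(line)
        if reason:
            problems.append((n, reason))
    return problems


# Constructed sample field: three good lines followed by three bad ones
# (host name, embedded space, unsupported protocol).
SAMPLE_RESOURCES = """tcp://10.64.4.11/32:443
udp://10.64.4.0/24:53
icmp://10.64.4.11/32
tcp://intranet.example.com/32:80
tcp://10.64.4.11/32: 443
sctp://10.64.4.11/32:*
"""

if __name__ == "__main__":
    for n, reason in check_resource_block(SAMPLE_RESOURCES):
        print(f"line {n}: {reason}")
```

Run it over the field contents before clicking Save Changes; an empty result means every line at least has the shape the policy expects, which is the check the GUI does not perform for you.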