Configuring Ivanti Policy Secure with PAN Firewall

This section covers the configuration of Ivanti Policy Secure for adding a PAN (Palo Alto Networks) firewall as an Infranet Enforcer.

Configuring PAN Infranet Enforcer in Ivanti Policy Secure

The Ivanti Policy Secure configuration requires defining a new Palo Alto Networks Firewall Infranet Enforcer instance on Ivanti Policy Secure and then fetching an API key from the firewall. Ivanti Policy Secure uses this API key for all subsequent communication with the Palo Alto Networks firewall, so the firewall admin credentials are needed only once, at key retrieval time. The standard user authentication and authorization configuration, such as Auth Table Mapping Policies, must also be created and associated with the required roles.

To configure a Palo Alto Networks Firewall Infranet Enforcer in Ivanti Policy Secure:

  1. Select Endpoint Policy > Infranet Enforcer.

  2. Click New Infranet Enforcer and select Palo Alto Networks Firewall in the Platform drop down.

  3. Enter the Name and IP Address of the Palo Alto Networks firewall and then click Get API Key. A new page opens.

  4. Enter the Admin Username and Admin Password of the Palo Alto Networks firewall and then click Retrieve. Ivanti Policy Secure uses these credentials to fetch the API key from the firewall. Once the API key is retrieved, the page automatically redirects back to the New Infranet Enforcer page and fills in the API Key field.
    The retrieved key carries the privileges of the admin account that generated it, so use a dedicated firewall administrator account rather than a shared superuser account. The connection to the firewall is made over TLS; see Configuring PAN Device Certificates for how the firewall's certificate is validated before the credentials are sent.

  5. Click Save Changes.
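The "Get API Key" step above is a call to the firewall's management API. The following Python example, added here and not part of Ivanti's or Palo Alto Networks' code, shows the same retrieval done by hand: it builds the PAN-OS XML API keygen request, verifies the firewall's certificate against a CA bundle before sending the admin password, and parses the success and error responses. The hostname, CA bundle path, credentials and the sample responses are constructed for the example and are not from any real device.

```python
"""Fetch a PAN-OS API key the way the Get API Key step does (added example).

Assumptions, not from the Ivanti page: the firewall exposes the standard
PAN-OS XML API keygen call at https://<firewall>/api/ with type=keygen, and
the firewall's management certificate chains to a CA bundle we trust.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class KeygenError(Exception):
    """Raised when the firewall does not return a usable API key."""


def keygen_request(host, user, password):
    """Build the keygen request. Credentials go in the POST body, not the
    query string, so they do not land in proxy or web-server access logs."""
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password}).encode()
    return urllib.request.Request(f"https://{host}/api/", data=body, method="POST")


def parse_keygen_response(xml_bytes):
    """Extract the API key from a PAN-OS keygen response, or raise KeygenError."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise KeygenError(f"malformed response: {exc}") from exc
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise KeygenError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise KeygenError("success response without a key element")
    return key.strip()


def parse_or_error(xml_bytes):
    """Convenience wrapper: (key, None) on success, (None, error text) otherwise."""
    try:
        return parse_keygen_response(xml_bytes), None
    except KeygenError as exc:
        return None, str(exc)


def fetch_api_key(host, user, password, ca_bundle):
    """Retrieve the key over a TLS connection that verifies the firewall's
    certificate against ca_bundle. Do not disable verification here: the
    admin password travels in this request."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(keygen_request(host, user, password),
                                context=ctx, timeout=10) as resp:
        return parse_keygen_response(resp.read())


# Constructed sample responses in the shape PAN-OS returns (not captured from a device).
SAMPLE_OK = b'<response status="success"><result><key>LUFRPT1example==</key></result></response>'
SAMPLE_FAIL = (b'<response status="error" code="403"><result>'
               b'<msg>Invalid Credential</msg></result></response>')

if __name__ == "__main__":
    print(parse_or_error(SAMPLE_OK))
    print(parse_or_error(SAMPLE_FAIL))
    # Live call, hypothetical host and bundle path:
    # print(fetch_api_key("fw-dc1.example.net", "ips-api", "...", "/etc/ssl/pan-mgmt-ca.pem"))
```

The key the firewall returns is a bearer credential: whoever holds it has the API rights of the admin account that generated it, which is why the example keeps the credentials out of the URL and refuses to talk to a firewall whose certificate does not verify.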

Configuring Auth Table Mapping Policies

An auth table entry consists of the user's name, a set of roles, and the IP address of the wired, wireless, or virtual adapter. An auth table mapping policy specifies which enforcer device can be used for each user role. These policies prevent Ivanti Policy Secure from creating unnecessary auth table entries on all connected enforcer devices.

Ivanti Policy Secure's default configuration includes only one auth table mapping policy, the Default Policy. When the Default Policy is enabled, Ivanti Policy Secure pushes one auth table entry for each authenticated user to every Palo Alto Networks firewall configured as an Infranet Enforcer in Ivanti Policy Secure.

To configure an Auth Table Mapping Policy:

  1. Select Endpoint Policy > Infranet Enforcer > Auth Table Mapping and click New Policy.

  2. On the New Policy page:

    • For Name, enter a name to label the auth table mapping policy.

    • (Optional) For Description, enter a description.

    • In the Enforcer section, specify the Infranet Enforcer firewall(s) to which you want to apply the auth table mapping policy.

    • In the Roles section, specify which users the policy covers:

      • Policy applies to ALL roles—Select this option to apply the auth table mapping policy to all users.

      • Policy applies to SELECTED roles—Select this option to apply the auth table mapping policy only to users who are mapped to roles in the SELECTED roles list. You can add roles to this list from the available roles list.

      • Policy applies to all roles OTHER THAN those selected below—Select this option to apply the auth table mapping policy to all users except those who map to the roles in the SELECTED roles list. You can add roles to this list from the available roles list.

    • In the Action section, specify what the policy does on the specified Infranet Enforcer for the chosen roles:

      • Always Provision Auth Table—Select this option to automatically provision auth table entries for the chosen roles on the specified Infranet Enforcer.

      • Provision Auth Table as Needed—Select this option to provision auth table entries only when a user with a chosen role attempts to access a resource behind the specified Infranet Enforcer. This option is greyed out for Palo Alto Networks Firewall Enforcers because it is not supported on that platform.

      • Never Provision Auth Table—Select this option to prevent the chosen roles from accessing resources behind the specified Infranet Enforcer.

  3. If you configure any custom auth table mapping policies, delete the Default Policy. Ivanti Policy Secure's default configuration includes this policy, which allows all source IP endpoints to use all Infranet Enforcers; left in place, it keeps provisioning every user on every enforcer and defeats the restrictions your custom policies are meant to impose.

  4. Click Save Changes.
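To see how the role scopes, actions and the Default Policy described above interact, here is a small Python model of auth table mapping policy evaluation. It is an added example, not Ivanti's implementation: it follows the three role scopes and three actions from this page, rejects Provision Auth Table as Needed on a PAN enforcer as the page says the UI does, and shows why a leftover Default Policy undoes the custom policies. The enforcer names, role names and the rule that a matching Never policy overrides a matching Always policy on the same enforcer are assumptions made for the example; the page does not state how conflicting policies are ordered.

```python
"""Model of auth table mapping policy evaluation (added example, not Ivanti code)."""
from dataclasses import dataclass

ALL, SELECTED, OTHER_THAN = "ALL", "SELECTED", "OTHER_THAN"      # role scopes
ALWAYS, AS_NEEDED, NEVER = "always", "as_needed", "never"        # actions


@dataclass(frozen=True)
class Enforcer:
    name: str
    platform: str            # "pan" for a Palo Alto Networks Firewall enforcer


@dataclass(frozen=True)
class MappingPolicy:
    name: str
    enforcers: tuple         # names of the Infranet Enforcers this policy applies to
    scope: str               # ALL, SELECTED or OTHER_THAN
    roles: frozenset = frozenset()
    action: str = ALWAYS

    def matches(self, user_roles):
        """The three role scopes from the page."""
        if self.scope == ALL:
            return True
        overlap = bool(self.roles & frozenset(user_roles))
        return overlap if self.scope == SELECTED else not overlap


def policy_error(policy, enforcers):
    """Return a message for a policy the page says is not allowed, else None."""
    by_name = {e.name: e for e in enforcers}
    if policy.scope != ALL and not policy.roles:
        return f"{policy.name}: scope {policy.scope} needs at least one role"
    for name in policy.enforcers:
        if name not in by_name:
            return f"{policy.name}: unknown enforcer {name}"
        if policy.action == AS_NEEDED and by_name[name].platform == "pan":
            return f"{policy.name}: 'provision as needed' is not supported on PAN enforcer {name}"
    return None


def enforcers_to_provision(policies, enforcers, user_roles):
    """Names of the enforcers that receive an auth table entry for this user.
    Assumption (not stated on the page): a matching NEVER policy overrides any
    matching ALWAYS policy for the same enforcer."""
    for p in policies:
        err = policy_error(p, enforcers)
        if err:
            raise ValueError(err)
    allowed, denied = set(), set()
    for p in policies:
        if not p.matches(user_roles):
            continue
        (denied if p.action == NEVER else allowed).update(p.enforcers)
    return sorted(allowed - denied)


# Constructed lab data, not from any real deployment.
ENFORCERS = (Enforcer("pan-dc", "pan"), Enforcer("pan-branch", "pan"))
ALL_NAMES = tuple(e.name for e in ENFORCERS)

# The page's Default Policy: every user, every enforcer.
DEFAULT_POLICY = MappingPolicy("Default Policy", ALL_NAMES, ALL)

CUSTOM = (
    MappingPolicy("employees-dc", ("pan-dc",), SELECTED, frozenset({"Employees"})),
    MappingPolicy("staff-branch", ("pan-branch",), OTHER_THAN, frozenset({"Guests"})),
    MappingPolicy("block-contractors", ALL_NAMES, SELECTED, frozenset({"Contractors"}), NEVER),
)

if __name__ == "__main__":
    for roles in ({"Employees"}, {"Guests"}, {"Employees", "Contractors"}):
        print(sorted(roles), "->", enforcers_to_provision(CUSTOM, ENFORCERS, roles))
    # Forgetting to delete the Default Policy: Guests get provisioned everywhere again.
    print("Guests with Default Policy left in place ->",
          enforcers_to_provision((DEFAULT_POLICY,) + CUSTOM, ENFORCERS, {"Guests"}))
```

Running the model with the custom policies alone, Employees are provisioned on both firewalls, Guests on none, and anyone holding the Contractors role on none even if they also hold Employees. Adding the Default Policy back puts Guests on every enforcer again, which is the behaviour step 3 above tells you to avoid by deleting it.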