Deployment of Ivanti Policy Secure/Ivanti Connect Secure using PAN Next Generation Firewall
In a federated enterprise, a user logs in to an Ivanti Policy Secure or Ivanti Connect Secure (remote access) device for authentication and then accesses resources protected by the PAN Firewall. Session information is shared across Ivanti Policy Secure and Ivanti Connect Secure devices using the IF-MAP protocol, through an IF-MAP server.
The PAN Firewall controls a Ivanti Policy Secure or Ivanti Connect Secure user's access to protected resources based on its policy settings. The IF-MAP server receives session information from multiple Ivanti Policy Secure and Ivanti Connect Secure devices and provisions the user identity information (user, endpoint IP address and roles) to the firewall. The federation therefore depends on the user's information being provisioned on the PAN Firewall; access to a protected resource is then granted or denied according to the resource access policies configured on Ivanti Policy Secure.
The authentication process is described below:
- The remote user establishes a VPN tunnel using Ivanti Secure Access Client, and a role is granted to the user based on the policy configured on Ivanti Connect Secure.
- The Ivanti Connect Secure session is exported to the IF-MAP server.
- The IF-MAP server provisions the user identity details to the PAN Firewall.
- The remote user tries to access a resource protected by the PAN Firewall. The PAN Firewall allows access to the protected resource only if the user is authorized.
- The user's role changes while logged in (for example, when a Host Checker compliance change causes the role(s) to change). In this case, the user's new role(s) are sent to the PAN Firewall.
- The user logs out of Ivanti Connect Secure. In this case, all information associated with the user from that endpoint is removed from the firewall, and the firewall denies the user access to protected resources.
The same workflow applies to local users connecting through Ivanti Policy Secure.
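The workflow above is, from the firewall's point of view, a small state machine over two tables: endpoint IP to user, and user to roles. The following Python model is an added example, not code from Ivanti or Palo Alto Networks, and it does not speak IF-MAP or any firewall API; the class, method and role names are assumptions chosen to mirror the steps on this page. It shows the two points a practitioner should check when validating such a deployment: an endpoint whose session has been removed (logout, or its IP reused by another login) must lose access immediately, and a source IP with no provisioned identity must be denied rather than fall through.

```python
"""Model of the ICS/IPS -> IF-MAP -> PAN firewall identity-provisioning workflow.

Constructed example: an in-memory stand-in for the firewall's user-to-IP and
user-to-role tables and the access decision described on the page. Nothing here
calls a real Ivanti or Palo Alto Networks interface.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass
class IdentityFirewall:
    # resource -> roles permitted to reach it (the resource access policy that
    # the page says is configured on the Ivanti side and enforced by the firewall)
    policy: Dict[str, FrozenSet[str]]
    # provisioned state: endpoint IP -> user, user -> roles
    ip_to_user: Dict[str, str] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    # Steps 2-3: session exported to IF-MAP and provisioned to the firewall.
    def provision_login(self, user, ip, roles):
        # One endpoint IP belongs to one session at a time: a new login from the
        # same IP supersedes any stale mapping left behind by an earlier session.
        old = self.ip_to_user.get(ip)
        if old is not None and old != user:
            self._forget(old, ip)
        self.ip_to_user[ip] = user
        self.user_roles[user] = set(roles)

    # Step 5: role change (e.g. Host Checker compliance) pushed to the firewall.
    def update_roles(self, user, roles):
        if user not in self.user_roles:
            raise KeyError(f"no session provisioned for {user}")
        self.user_roles[user] = set(roles)

    # Step 6: logout removes everything associated with that endpoint.
    def deprovision_logout(self, user, ip):
        self._forget(user, ip)

    def _forget(self, user, ip):
        if self.ip_to_user.get(ip) == user:
            del self.ip_to_user[ip]
        # Roles are dropped only once the user has no other endpoint mapped.
        if user not in self.ip_to_user.values():
            self.user_roles.pop(user, None)

    # Step 4: the access decision. An unknown source IP is denied outright;
    # the firewall must not fail open when no identity has been provisioned.
    def is_allowed(self, src_ip, resource):
        user = self.ip_to_user.get(src_ip)
        if user is None:
            return False
        allowed_roles = self.policy.get(resource, frozenset())
        return bool(self.user_roles.get(user, set()) & allowed_roles)


def demo():
    """Walk one endpoint through the page's workflow; returns the access results."""
    fw = IdentityFirewall(policy={
        "hr-portal": frozenset({"Employees"}),
        "finance-db": frozenset({"Finance"}),
    })
    results = []
    results.append(fw.is_allowed("10.0.0.5", "hr-portal"))   # no session yet
    fw.provision_login("alice", "10.0.0.5", {"Employees", "Finance"})
    results.append(fw.is_allowed("10.0.0.5", "finance-db"))  # authorized
    fw.update_roles("alice", {"Employees"})                   # Host Checker failed
    results.append(fw.is_allowed("10.0.0.5", "finance-db"))  # role withdrawn
    results.append(fw.is_allowed("10.0.0.5", "hr-portal"))   # still allowed
    fw.deprovision_logout("alice", "10.0.0.5")
    results.append(fw.is_allowed("10.0.0.5", "hr-portal"))   # mapping removed
    return results


if __name__ == "__main__":
    print(demo())
```

When testing a real deployment, the equivalent checks are: log out on the client and confirm the firewall's user-to-IP mapping for that address disappears, trigger a Host Checker failure and confirm the new role set reaches the firewall, and send traffic from an address with no mapping and confirm it is dropped.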