pulse policy secure - nac | hybrid it | pulse secure · palo alto networks firewalls configured as...

Pulse Policy Secure

Palo Alto Networks Firewall Integration with Pulse Policy Secure – Comprehensive Context-Based Enforcement Deployment Guide

Product Release 5.3

Published October 2016

Document

Version

2.0

Palo Alto Networks Firewall Integration with Pulse Policy Secure - Solution Guide

© 2016 by Pulse Secure, LLC. All rights reserved 2

Pulse Secure, LLC 2700 Zanker Road, Suite 200

San Jose, CA 95134 www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or

registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise

revise this publication without notice.


The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is

subject to the terms and conditions of the End User License Agreement (“EULA”) posted at www.pulsesecure.net. By downloading, installing or using such software,

you agree to the terms and conditions of that EULA.”

Palo Alto Networks, the Palo Alto Networks Logo, Palo Alto Networks Firewall, PAN-OS, User-ID, App-ID and Panorama are trademarks of Palo Alto Networks, Inc.

For additional information on Palo Alto Networks products, visit www.paloaltonetworks.com

http://www.pulsesecure.net/





Table of Contents Introduction .................................................................................................................................... 5

Customer Challenges ...................................................................................................................... 5

Comprehensive Context-based Enforcement ................................................................................ 5

Pulse Policy Secure Configuration .................................................................................................. 7

Configuring Palo Alto Networks Firewall Enforcers ........................................................................................... 7

Configuring Auth Table Mapping Policies............................................................................................................ 9

Palo Alto Networks Firewall Configuration .................................................................................. 11

Configuring User Identification on Security Zones ........................................................................................... 11

Configuring Dynamic Address Groups ............................................................................................................... 13

Configuring Security Policies ............................................................................................................................... 14

Troubleshooting ........................................................................................................................... 16

Unsupported Features .................................................................................................................. 16



Table of Figures Figure 1: User Flow System Graphics ............................................................................................................................. 6

Figure 2: Infranet Enforcer ............................................................................................................................................. 7

Figure 3: Palo Alto Networks Firewall ............................................................................................................................ 8

Figure 4: API Key ............................................................................................................................................................ 8

Figure 5: Auth Table Mapping Policy ............................................................................................................................. 9

Figure 6: Palo Alto Networks Firewall Configuration ................................................................................................... 10

Figure 7: Enabling User Identification on a Zone ......................................................................................................... 12

Figure 8: Address Groups ............................................................................................................................................. 13

Figure 9: Security Policy Rule - Source Address Configuration .................................................................................... 14

Figure 10: Security Policy Rule - User Configuration ................................................................................................... 15

Figure 11: Completed Security Policy Rule .................................................................................................................. 15



Introduction Pulse Policy Secure, an industry recognized network access control (NAC) solution, offers easy-to-use, BYOD-

ready, context-aware secure access to protect network, core assets, applications, data, and more. Pulse Policy

Secure authenticates users, ensures that endpoints meet security policies, and then dynamically updates the

enforcement point (such as a firewall or switch) with the resulting user session information - including user

identity, IP address, and role.

Pulse Policy Secure version 5.3 integrates with the industry-leading next-generation firewall vendor Palo Alto

Networks to provide enhanced identity-enabled enforcement for BYOD and guests as well as enterprise

employees, with rich back-end authentication and comprehensive compliance checks. This document focuses on

how to deploy the integration of Pulse Policy Secure with Palo Alto Networks next-generation firewall.

Customer Challenges BYOD proliferation is challenging IT’s ability to deliver enterprise-grade security, manageability, and

interoperability. IT departments need complete visibility of all devices, whether managed or unmanaged, that are

accessing enterprise data and protected resources. Increasing use of mobile devices and BYOD policies require

uniform compliance enforcement for PCs and mobile devices regardless of ownership.

In a Palo Alto Networks firewall-enabled network, enterprises need to control access for BYOD and guest users.

Correlation of user identity information and application of granular role-based security policies are essential for

BYOD. To minimize security risk, Enterprise IT also requires device compliance checks for BYOD devices.

Comprehensive Context-based Enforcement Palo Alto Networks' next-generation firewall has a feature called User Identification (User-ID) that creates policies

and performs reporting based on users and groups rather than individual IP addresses.

To enforce the user and group based policies, the firewall must be able to map the IP addresses in the received

packets to user information. The Palo Alto Networks User-ID feature provides mechanisms to map these IP address

to usernames. The User-ID XML API is a RESTful API that uses standard HTTP requests to send and receive data.

Pulse Policy Secure uses the User-ID XML API to send the IP to User and IP to Group (Role) mapping information to

the Palo Alto Networks firewall.

The Palo Alto Networks firewall compares the user information against the tag that is associated to a particular

security rule. If the User Role name matches the tag, then traffic is either allowed or denied based on the

configuration.

When a user logs in, Pulse Policy Secure provisions their user ID, IP address of the endpoint, and role information

to the Palo Alto Networks firewall; that enables firewall policies based on any of these attributes to be enforced.

Similarly, when a user logs out, the user ID, IP address of the endpoint, and role information is removed from the



firewall. More importantly, when a user's role changes, the role change information is dynamically updated on the

firewall, so that access based on the updated roles is automatically changed based on the policy matched by the

new information.

Note: No persistent connection is maintained between Pulse Policy Secure and the Palo Alto Networks firewall, and no keep alives are sent. HTTP connections are initiated based on request from the client and the connection is terminated after serving the request.

Figure 1: User Flow System Graphics

With Palo Alto Networks firewall integration, all users' role changes, which includes compliance check failure or

unauthorized behavior are dynamically updated on the firewall. The access is based on user roles and not merely

on source IP addresses.

Pulse Policy Secure is the policy decision point that determines which users and endpoints can access protected

resources. Palo Alto Networks firewalls serve as the policy enforcement points to provide the ultimate protection

to ensure that network assets are secured.



Palo Alto Networks integration with Pulse Policy Secure leverages dynamic role information provisioned to the

firewall upon user session establishment and for the duration of the session. Pulse Policy Secure also

communicates user information to the Palo Alto Networks firewall when users log in or log out from their device.

Palo Alto Networks firewall integration with Pulse Policy Secure enables customers to achieve a stronger security

posture with unified access policies that extend from NAC/BYOD systems to their perimeter defenses. The

integration allows Palo Alto Networks’ customers to leverage Pulse Policy Secure’s extensive compliance options

and rich back-end AAA integration to implement stronger security.

Pulse Policy Secure Configuration The Pulse Policy Secure configuration requires defining a new Palo Alto Networks Firewall Infranet Enforcer

instance on Pulse Policy Secure and then fetching the API key from the firewall. The API key is used to

communicate between the Palo Alto Networks firewall and Pulse Policy Secure. The standard user authentication /

authorization configurations such as Auth Table Mapping Policies should also be created and associated with the

required roles.

Configuring Pulse Policy Secure with Palo Alto Networks Firewall

Enforcer To configure a Palo Alto Networks Firewall Infranet Enforcer in Pulse Policy Secure:

1. Select Endpoint Policy > Infranet Enforcer.

Figure 2: Infranet Enforcer



2. Click New Infranet Enforcer and select Palo Alto Networks Firewall in the Platform drop down.

Figure 3: Palo Alto Networks Firewall

3. Enter the Name and IP Address of the Palo Alto Networks firewall and then click Get API Key which opens a

new page.

Figure 4: API Key



4. Enter the Admin Username and Admin Password of the Palo Alto Networks firewall and then Click Retrieve.

This enables Pulse Policy Secure to fetch the API key of the firewall. Once the API key is retrieved, the page

automatically redirects back to the New Infranet Enforcer page as shown in Figure 3 and updates the API Key

Field.

5. Click Save Changes.

Configuring Auth Table Mapping Policies Pulse Policy Secure's default configuration includes one default auth table mapping policy. When the default auth

table mapping policy is enabled, Pulse Policy Secure pushes one auth table entry for each authenticated user to all

Palo Alto Networks firewalls configured as Infranet Enforcers. An auth table entry consists of the user’s name, a set

of roles, and the IP address of the wired, wireless, or virtual adapter. If your deployment includes a low and high

capacity Palo Alto Networks Firewall Enforcers, the lower capacity firewalls might reach the limit of concurrent

auth table entries and prevent additional users from accessing protected resources.

To configure an Auth Table Mapping Policy:

1. Select Endpoint Policy > Infranet Enforcer > Auth Table Mapping.

Figure 5: Auth Table Mapping Policy



2. Click New Policy.

Figure 6: Palo Alto Networks Firewall Configuration

3. On the New Policy page:

3.1. For Name, enter a name to label the auth table mapping policy.

3.2. (Optional) For Description, enter a description.

3.3. In the Enforcer section, specify the Infranet Enforcer firewall(s) to which you want to apply the auth table

mapping policy.

3.4. In the Roles section, specify:

Policy applies to ALL roles—Select this option to apply the auth table mapping policy to all users.

Policy applies to SELECTED roles—Select this option to apply the auth table mapping policy only

to users who are mapped to roles in the SELECTED roles list. You must add roles to this list from

the available roles list.

Policy applies to all roles OTHER THAN those selected below—Select this option to apply the auth

table mapping policy to all users except for those who map to the roles in the SELECTED roles list.

You must add roles to this list from the available roles list.

3.5. In the Action section, specify auth table mapping rules for the specified Infranet Enforcer.

Always Provision Auth Table—Select this option to automatically provision auth table entries for

chosen roles on the specified Infranet Enforcer.



Provision Auth Table as Needed—Select this option to provision auth table entries only when a

user with a chosen role attempts to access a resource behind the specified Infranet Enforcer. This

option is not supported on Palo Alto Networks Firewall Enforcers.

Never Provision Auth Table—Select this option to prevent chosen roles from accessing resources

behind the specified Infranet Enforcer.

4. You must delete the Default Policy if you configure any of your own auth table mapping policies. Policy Secure's default configuration includes this default auth table mapping policy that allows all source IP endpoints to use all Infranet Enforcers.

5. Click Save Changes.

Note:

Dynamic Auth Table Allocation - Auth table entries are always provisioned on the

Palo Alto Networks firewall.

Auth Table Timeout - The user information is always provisioned on the Palo Alto

Networks Firewall Enforcer.

Configuring Palo Alto Networks Firewall To use User-ID enforcement, you create security policies on the Palo Alto Networks firewall that allow traffic from

the endpoint to protected resources.

Note: Provisioning of Resource Access Policies from Pulse Policy Secure to the Palo Alto Networks Firewall Enforcer is not supported. You must configure the required security policies on the firewall.

Palo Alto Networks firewall detects traffic from an endpoint that matches a configured security policy using the

endpoint’s auth table entry. It determines the role(s) associated with that user, and allows or denies the traffic

based on the actions configured in the security policy.

The configuration on the Palo Alto Networks firewall includes creation of security zones, association of interfaces

to security zones, configuration of dynamic address groups, and association of dynamic address groups to security

policies.



Configuring User Identification on Security Zones To enable User-ID enforcement, you must enable User Identification on both inbound and outbound zones

traversed by the end-user traffic.

To enable User Identification:

1. Select Palo Alto Networks > Network > Zones.

2. For each zone that serves as an inbound or outbound zone for enforced traffic, click the zone name (For

example, trust, untrust, and so on).

3. Select Enable User Identification and then click OK.

Figure 7: Enabling User Identification on a Zone



Configuring Dynamic Address Groups To configure a dynamic address group:

1. Select Palo Alto Networks > Objects > Address Groups.

Figure 8: Address Groups

2. Click Add and enter a Name and a Description for the address group.

3. Select Type as Dynamic. Define the match criteria. You can select dynamic and static tags as the match criteria

to populate the members of the group.

4. Enter the role name of the users. The role name in the Match section should match the roles that are

configured in Pulse Policy Secure.

5. Click OK.

Note: Dynamic Discovery of users and their roles is not supported on Palo Alto Networks firewall.



Configuring Security Policies To configure security policies associated with dynamic address groups:

1. Select Palo Alto Networks > Policies > Security.

2. Click Add to create a new security policy rule. In the Source Address tab, select the previously-configured

address group.

Figure 9: Security Policy Rule - Source Address Configuration

3. In the User tab, enable known-user.



Figure 10: Security Policy Rule - User Configuration

Note: When the known-user is enabled, the resource access is revoked immediately once the user disconnects from Pulse Policy Secure.

4. Configure the other options to meet your security requirements. Traffic from the endpoint is allowed or

blocked based on the action chosen under the Action tab.

5. Click Commit to complete the configuration.

Figure 11: Completed Security Policy Rule



Troubleshooting You can use the Event Log and the User Access log on Pulse Policy Secure for troubleshooting issues with end user

access.

You can use the following CLI commands on the Palo Alto Networks firewall for troubleshooting:

• show user ip-user-mapping all— Displays the table of user identities mapped to IP addresses.

• show object registered-address all — Displays the table of addresses with user information associated.

Please see the product documentation for detailed information on these features.

Unsupported Features Pulse Policy Secure offers a wide range of features when integrating with Infranet Enforcers from multiple firewall

vendors. Infranet Enforcer features that are not supported with the Palo Alto Networks Firewall Enforcer in Pulse

Policy Secure 5.3 includes:

Captive Portal

IPsec Enforcement

IDP Sensors

Virtual Systems

Dynamic Auth Table Allocation

Enforcement for endpoints behind Network Address Translation (NAT)

Federated access across multiple policy servers / firewall enforcers

Federated single sign-on for Pulse Connect Secure tunneled traffic

pulse policy secure - nac | hybrid it | pulse secure · palo alto networks firewalls configured as...

Documents