Contextual Intelligence Publishing - Palo Alto

Overview

Using Contextual Intelligence Publisher (CIP), Single Sign-On can be enabled for Palo Alto and non-managed devices. Once configured, end users will no longer need to authenticate to Palo Alto since the user credentials will be passed transparently from CIP. Integrating the two allows seamless identity-aware firewalling and greater ease of use for matching firewall traffic to individual users. The CIP integration currently provides the following values to Palo Alto:

  • Machine IP Address

  • Username

  • Domain (If user is on a Domain machine AND SafeConnect is set up for Domain Member single sign-on)

The purpose of this guide is to walk through the configuration requirements for sending identity information from CIP to Palo Alto.

Prior to working through this document, Palo Alto and SafeConnect must be installed and functional on the network. CIP must also be installed in the SafeConnect system.

Configure Palo Alto

Create a Role for SafeConnect

In the Palo Alto Console navigate to “Device Tab > Administrative Roles” and create a new Admin Role with the name “SCAPI” and a description. The new profile needs only “User-ID Agent” enabled in the XML API tab, as shown in the screenshots below:

images/download/attachments/7187002/PaloAltoCIP1.png

images/download/attachments/7187002/PaloAltoCIP3.png

Once the Role is created, it will appear in the list as shown below:

images/download/attachments/7187002/PaloAltoCIP4.png

Create a User for SafeConnect

The next step is to create a new user with the name “SafeConnect” and ensure that the password is recorded. Navigate to “Device Tab > Administrators” and create a new administrator. Change the “Role” radio button to “Role Based” and then assign the “SCAPI” profile that was just created, as seen in the screenshot below.

images/download/attachments/7187002/PaloAltoCIP5.png

Once the user is created, it will be displayed in the Administrators list as shown below. Ensure that the change is committed before moving to the next section.

images/download/attachments/7187002/PaloAltoCIP6.png

Enable User-ID for network Zones

Before Palo Alto will accept identity information, “User Identification” must be enabled for the zones where it will be used. To enable “User Identification”, navigate to “Network > Zones” and choose the zone(s) to enable. After choosing the zone, select the “Enable User Identification” checkbox.

images/download/attachments/7187002/PaloAltoCIP7.png

Click on “Commit” to save all changes to the running configuration.

Generate the XML API key

In a web browser navigate to the URL (Substitute <PALO_ALTO_IP> with the actual IP address of the Palo Alto appliance and substitute <PASSWORD> with the password created above):

https://<PALO_ALTO_IP>/api/?type=keygen&user=SafeConnect&password=<PASSWORD>

The results will look similar to this:

images/download/attachments/7187002/PaloAltoCIP8.png

Record the API key for use in the next section.

Configure Contextual Intelligence Publisher

Once API access has been configured on Palo Alto, navigate to the SafeConnect Configuration at https://portal.myweblogon.com:8443/manage (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Contextual Intelligence.” Click on “Add” and enter the following information:

  • Publisher: Palo Alto

  • Name: A name to describe where CIP is publishing Data.

  • URL: The URL of the Palo Alto appliance (https://<PALO_ALTO_IP>/api/?)

  • Publish Interval: 1000ms is sufficient for most deployments

  • API Key: The API key from the previous section

  • Include HIP Report: This includes additional information, such as device type, in the export. Some Palo Alto license levels cause the API message to be dropped entirely when the HIP report is included. This checkbox can be unchecked if only basic identity is needed or if there are problems receiving the API messages on the Palo Alto side.

Once everything is entered, click “Save”. Once saved, data will start being published to Palo Alto.

images/download/attachments/7187002/image2017-9-13_13-40-41.png
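The two steps above (generating the key, then publishing identity) are both calls to the Palo Alto XML API. The following Python is an added example, not SafeConnect or Palo Alto code, that mirrors them so an administrator can test the SafeConnect account and key outside of CIP: it builds the keygen URL with the credentials properly encoded, parses the key out of a keygen response, and assembles the User-ID update carrying the three values the page lists (IP, username, domain). The keygen response layout and the `type=user-id` / `<uid-message>` format are taken from the PAN-OS XML API as I know it, not from this page; the sample responses, host, and user mappings are constructed for the example.

```python
"""Added example mirroring the PAN-OS XML API calls behind the CIP integration:
key generation (the browser URL in the section above) and the User-ID update that
CIP publishes once configured. Not SafeConnect or Palo Alto code."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses, modelled on the PAN-OS keygen reply (assumption).
SAMPLE_KEYGEN_OK = b'<response status="success"><result><key>EXAMPLE_KEY_NOT_REAL</key></result></response>'
SAMPLE_KEYGEN_ERR = b'<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>'


def keygen_url(host, user, password):
    """Build the keygen URL from the section above. urlencode percent-encodes the
    credentials so a password containing '&', '#' or spaces survives the query string."""
    query = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{query}"


def parse_keygen_response(body):
    """Return the API key from a keygen reply, or raise on an error reply rather
    than handing back an empty key that would silently fail later in CIP."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no <key> element")
    return key


def build_userid_update(mappings, timeout_minutes=60):
    """Build a User-ID login message with one entry per mapping. Each mapping is a
    dict with 'ip', 'username' and an optional 'domain' (the three values CIP
    publishes); a domain user is written as DOMAIN\\user. Message layout assumed
    from the PAN-OS User-ID XML API, not from this page."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    for m in mappings:
        name = f"{m['domain']}\\{m['username']}" if m.get("domain") else m["username"]
        ET.SubElement(login, "entry", name=name, ip=m["ip"], timeout=str(timeout_minutes))
    return ET.tostring(msg, encoding="unicode")


def response_ok(body):
    """True when a PAN-OS API reply reports status="success"."""
    return ET.fromstring(body).get("status") == "success"


def publish(host, api_key, uid_message):
    """POST a User-ID update to the firewall. The key and message go in the request
    body, not the URL, so they stay out of proxy and web-server logs, and the
    default SSL context verifies the appliance certificate instead of disabling it."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_message}
    ).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return response_ok(resp.read())


if __name__ == "__main__":
    # Offline walk-through on the constructed data; swap in a real host, a real
    # password and the key from the keygen step to exercise publish().
    print(keygen_url("<PALO_ALTO_IP>", "SafeConnect", "<PASSWORD>"))
    key = parse_keygen_response(SAMPLE_KEYGEN_OK)
    print(build_userid_update([
        {"ip": "10.0.0.5", "username": "jdoe", "domain": "CORP"},
        {"ip": "10.0.0.6", "username": "guest1"},
    ]))
```

Because the SafeConnect administrator is limited to the SCAPI role with only “User-ID Agent” enabled, the key returned here can publish and clear mappings but cannot read or change firewall configuration, which is the exposure you want if the CIP host or its stored key is ever compromised. Note that the browser method above places the password in the URL, so clear it from browser history once the key is recorded.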

Verify Integration

The integration can be validated by navigating to “Monitor > Logs > Traffic” from the Palo Alto interface. In the search field, search for “user.src neq ‘’”. The results will show all log entries that include a username.

Once the integration is complete, the username will be populated in all the logs, including Traffic, Threat, URL Filtering, and WildFire subscriptions. Logs will only be present for a module if there is a valid license.

*Note: For the purposes of validating the integration, “null” is considered a username. If no username is present the username column will simply be blank.

Troubleshooting

Not receiving updates

If Contextual Intelligence Publisher does not appear to be updating username information after following the steps above, the SafeConnect appliance may need to be added as a permitted IP for the management interface. To add SafeConnect as a permitted IP, navigate to “Device > Setup > Management > Management Interface Settings”. Once open, ensure the following items are present:

  • HTTPS is checked

  • All three User-ID flags are checked

  • The SafeConnect IP (Manager node in a cluster environment) is in the list of permitted IP addresses.

images/download/attachments/7187002/paloalto.png