Firewall Authentication and Authorisation
Administrator Accounts And Roles
Administrators authenticate locally or remotely.
Each admin account is assigned a role that carries its privileges.
Administrator actions are logged in the configuration and system logs (Monitor > Logs).
By default only the predefined admin account has access to the firewall; add further administrator accounts for delegation and auditing purposes.
PAN-OS supports local authentication as well as external authentication, authorisation and accounting services such as Active Directory, LDAP, RADIUS and SAML.
Local accounts are stored either in the XML configuration or in the local user database.
To create a local administrator account:
- Create an Admin Role Profile.
- Create a local administrator account.
To create a non-local administrator account:
- Create an Admin Role Profile.
- Create a Server Profile.
- Create an Authentication Profile.
- Create an authentication sequence (optional).
- Create a non-local administrator account.
Three categories of authentication are supported: local, external and multi-factor authentication (MFA).
Local with database (also usable for user traffic flowing through the firewall) and local without database (accounts stored in the XML configuration file; cannot authenticate user traffic). Five external services: Kerberos, LDAP, RADIUS, TACACS+ and SAML.
Up to four MFA factors are supported for sensitive services and applications (using, for example, a verification code).
An Authentication Profile is used for every method except local without database.
When Are Users Authenticated?
Users connecting to firewall services (authentication to the firewall): the firewall verifies user credentials before granting access to the services running on it.
Users connecting to network resources (authentication through the firewall): an Authentication policy prompts users for their credentials before the firewall grants access to network services.
Configure Authentication “to” the Firewall
Authentication Profile defines the authentication service that validates the login credentials. To individually configure each user with an authentication service, assign an Authentication Profile to a user account when you add the user account to the firewall.
Configure Authentication “Through” the Firewall
Assign an Authentication Profile to an Authentication policy via an authentication enforcement object.
User Authorization “to” and “Through” the Firewall
Use Admin Role Profiles
There are two types of Admin Role Profiles. Dynamic Admin Role Profiles are built in and have predefined permissions that control the web interface, CLI commands, XML API and REST API. Role-based Admin Role Profiles are custom roles you can configure for more granular access control over the functional areas of the web interface, CLI commands, XML API and REST API.
Dynamic Admin Roles
There are six Dynamic Admin Roles, each with predefined privileges whose permissions cannot be manually modified.
Create Custom Role-Based Admin Roles
Custom privileges that you assign to administrative user accounts on the firewall. Role-based privileges on the Command Line tab are predefined and cannot be customised: None, superuser, superreader, deviceadmin or devicereader.
Create a local firewall administrator account
Create a Local (Non-Database) Administrator Account
Device > Administrators > Add
The web interface assumes a local account and prompts for a password when you do not select an Authentication Profile.
Device > Setup > Management > Minimum Password Complexity also holds the settings for password aging.
Create a User in the User Database
Device > Local User Database > Users > Add
Create a Local Database Authentication Profile
Device > Authentication Profile > Add
On the Authentication tab, select Local Database.
Authentication Profile: Advanced Tab
Device > Authentication Profile
On the Advanced tab, select all rather than specifying a long list of specific users and groups. Other options include the Failed Attempts setting in the Account Lockout section.
The Factors tab is used for MFA.
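The Failed Attempts threshold above is enforced by the firewall itself; as an added example (not from the original notes or from Palo Alto Networks), the following script applies the same idea to the system log that records administrator authentication, so a defender can see which accounts are being driven to lockout and from where. The CSV field layout, the description wording and the log lines are constructed assumptions, and a single counting window stands in for the firewall's own lockout timing.

```python
import csv
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample PAN-OS system log lines. Assumed CSV layout: receive
# time at field 1, type at 3, subtype at 4, event id at 8, description at
# 14. These are not real firewall output.
SAMPLE_LOG = """\
1,2024/03/01 09:00:01,0000000001,SYSTEM,auth,0,2024/03/01 09:00:01,,auth-fail,,0,0,general,medium,failed authentication for user 'admin'. Reason: Invalid username/password From: 10.0.0.5.
1,2024/03/01 09:00:09,0000000001,SYSTEM,auth,0,2024/03/01 09:00:09,,auth-fail,,0,0,general,medium,failed authentication for user 'admin'. Reason: Invalid username/password From: 10.0.0.5.
1,2024/03/01 09:00:20,0000000001,SYSTEM,auth,0,2024/03/01 09:00:20,,auth-fail,,0,0,general,medium,failed authentication for user 'admin'. Reason: Invalid username/password From: 10.0.0.5.
1,2024/03/01 09:01:05,0000000001,SYSTEM,auth,0,2024/03/01 09:01:05,,auth-success,,0,0,general,informational,authenticated for user 'auditor'. From: 10.0.0.7.
1,2024/03/01 09:30:00,0000000001,SYSTEM,auth,0,2024/03/01 09:30:00,,auth-fail,,0,0,general,medium,failed authentication for user 'auditor'. Reason: Invalid username/password From: 10.0.0.7.
1,2024/03/01 09:45:00,0000000001,SYSTEM,general,0,2024/03/01 09:45:00,,general,,0,0,general,informational,Commit job succeeded.
"""

# Assumed description wording; real messages may differ.
DESC_RE = re.compile(r"user '(?P<user>[^']+)'.*?From: (?P<src>\d+(?:\.\d+){3})")

def parse_auth_events(log_text):
    """Yield (time, event_id, user, source) for SYSTEM/auth records only."""
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 15 or row[3] != "SYSTEM" or row[4] != "auth":
            continue
        m = DESC_RE.search(row[14])
        if not m:
            continue
        yield (datetime.strptime(row[1], "%Y/%m/%d %H:%M:%S"), row[8],
               m.group("user"), m.group("src"))

def accounts_reaching_lockout(log_text, failed_attempts=3, window_minutes=10):
    """Return {user: last_source} for accounts hitting the Failed Attempts threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-user failures still inside the window
    hits = {}
    for ts, event, user, src in sorted(parse_auth_events(log_text)):
        fails = recent[user]
        if event != "auth-fail":
            fails.clear()         # a successful login resets the counter
            continue
        fails.append((ts, src))
        while fails and ts - fails[0][0] > window:
            fails.popleft()       # drop failures that aged out of the window
        if len(fails) >= failed_attempts:
            hits[user] = src
    return hits
```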
Create an Administrator Account from a Local Database User
Device > Administrators > Add
Create a non-local firewall administrator account
Device > Administrators > Add
Firewall Authentication of Non-Local Passwords
- Server Profile
- Authentication Profile: communicates with the authentication server
- Authentication Sequence
Configure Server Profiles
Device > Server Profiles
Configure Authentication Profiles
Device > Authentication Profiles
Configure an Authentication Sequence
Device > Authentication Sequence > Add
Create a firewall administrator account for non interactive login
Create an Administrator Account for Non Interactive Login
Administrator Authentication Methods
- Password Authentication (Interactive)
- Certificate-Based Authentication (Non-Interactive): available only when the firewall web interface is accessed, NOT the CLI
Import the certificate into the browser on your administrative workstation. Note that configuring certificate-based authentication for any administrator automatically disables username and password logins for all administrators on the firewall; every administrator will then require a certificate to authenticate.
User Certificate
Configure a Certificate Profile
Device > Certificate Management > Certificate Profile > Add
Configure Firewall Authentication Settings
Device >Setup > Management > Authentication Settings
Enables the firewall to verify client certificates using the Certificate Profile.
Create an Administrator Account for Non-Interactive Login
Device > Administrators > Add
Select the Use only client certificate authentication (Web) check box to configure the firewall to use certificate-based authentication for this user. Use of certificate
Firewall Administrator Accounts Question And Answers
1. Global user authentication is not supported by which authentication service?
TACACS +
SAML
RADIUS
LDAP
LDAP does not support global user authentication.
2. It is true that on the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.
3. It is true that Server Profiles define connections that the firewall can make to external servers.
4. It is true that Certificate-based authentication replaces all other forms of either local or external authentication.
5. When creating a custom admin role, which type of privileges can not be defined?
REST API
XML API
Panorama
Command Line
WebUI
Panorama can not be defined when creating a custom admin role.
6. When creating PAN-OS firewall administrator accounts, which configuration step is required for Non-Local Administrators, but not for Local Administrators?
Authentication Profile
Directory Services Replication
Authentication Sequence
API Interface
An Authentication Profile is required for non-local administrators.
7. When resetting the PAN-OS firewall to factory defaults, you can save all configuration settings and logs by performing the following:
No: executing the CLI command rebuild/FactoryReset in maintenance mode
No: selecting 'yes' when prompted
No: pressing Shift-C when prompted
None of the above
8. Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
Custom role
superuser
vsysadmin
deviceadmin
deviceadmin does not allow creation of other administrator accounts or virtual systems.
9. Which built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts?
sysadmin
deviceadmin
vsysadmin
devicereader
deviceadmin is the same as superuser except for creation of administrator accounts.
10. Which of the following is NOT a PAN-OS Firewall Administrator Dynamic Role?
Device administrator (read-only): yes, a dynamic role
Local only administrator: not a dynamic role
Virtual system administrator: yes, a dynamic role
Superuser: yes, a dynamic role
Local only administrator is not a PAN-OS dynamic role.
11. Which role-based privilege allows full access to the Palo Alto Networks firewall, including defining new administrator accounts and virtual systems?
devicereader
superuser
superreader
deviceadmin
The superuser role-based privilege allows full access to the Palo Alto Networks firewall, including defining new administrator accounts and virtual systems.