Read-only Panorama administrator using AZURE GROUP MAPPING! Set up Azure Authentication and Authorization for the Panorama Admin GUI using SAML
@yusmaribriones3658 · 20 days ago
Thank you for the super well-explained tutorial. I used it for a Palo Alto firewall in standalone mode; now I have a doubt whether in HA there should be a metadata file for each FW (active and passive management IP). Thanks for your help! 🙏
@netsums · 20 days ago
Hi. Thank you for the comment. You only need to import the metadata once; both firewalls synchronize the configuration.
@bradywang2050 · 1 month ago
Nice video! How about multiple group mappings, like a full-access group and a read-only group? Thanks.
@netsums · 1 month ago
Thank you. In this case you need a second admin role with a read-only profile. Take a look at the video starting at minute 11:33.
@kishortp · 20 days ago
Thanks for blessing us with this video. I do have one doubt. I'm using standalone firewalls in active-passive mode. In the identifier, do I have to add both my FQDNs, and can I import the same metadata on both firewalls? Is that the correct step?
@netsums · 17 days ago
I'm almost sure the URLs are not in the metadata, because you can change them and you don't need to upload new metadata. So in your case, you should import the same metadata to both firewalls and configure two URLs on your IdP, as you mentioned. But how does your active/passive work? Do you use DNS for that?
@kishortp · 16 days ago
@netsums Thanks for your reply. Yes, I do have an internal DNS server, and I have pointed my firewall URLs to my local firewall IPs. One more query regarding the roles: is it possible to configure two roles? In my setup I require both read-only and write permissions.
@netsums · 16 days ago
Yes, you can use the Admin Roles menu on Panorama to create the roles you need.
@kishortp · 15 days ago
@netsums Thanks again, mate.
@Gabriel-gbl13 · 2 months ago
Great video! Could you help me with a problem? I configured all these steps like in the video, but when I try to log in the application redirects me to the internal IP of my Panorama, and I cannot access my application because it is in a private environment. I tried to change my identity URL, but the error occurs anyway.
@netsums · 1 month ago
Sorry for the late reply. You should be able to access your Panorama even if it's in a private environment. Your IdP doesn't need to access your Panorama, only the client trying to authenticate does.
@shakarchy · 10 months ago
Can you please do a video on traffic steering setup in Prisma?
@netsums · 10 months ago
Hi. Thank you for the request; I will keep that in mind.
@ashrafkasem6096 · 3 months ago
Hi, but how will this work when we have a private IP on our firewall management interface? How will Azure communicate with this private IP? And in Azure, is it okay to add the private IP of my firewall?
@netsums · 2 months ago
Hi. Yes, it's okay to use a private address with Azure. Azure doesn't communicate directly with the firewall; your browser gets redirected to Azure and then back to the firewall.
@terranceteo4106 · 3 months ago
Can I implement this on my Palo Alto firewall as well?
@netsums · 3 months ago
Yes, you should be able to implement it without having to use Panorama, too.
@ronshah576 · 5 months ago
I see in the identifier you added the FQDN of your Panorama. Does that mean this AAD needs access to the FQDN of Panorama? Because my Panorama is in private IP space today.
@netsums · 5 months ago
Azure Active Directory doesn't need access to your Panorama. When you try to log in, Panorama redirects you to login.microsoftonline.com. After you authenticate yourself, your browser gets redirected back to Panorama (of course, if your configuration has been done correctly). So your client needs to have access to Panorama (or the firewall), not Azure. If you want to use an IP instead of an FQDN, you should use the IP you use to access Panorama. Even if it's a private one, it should work.
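The redirect leg netsums describes, written out as an added example (not code from the video or from PAN-OS). It builds the SP-initiated AuthnRequest the way the SAML HTTP-Redirect binding specifies and then decodes it the way the IdP would, so you can see that the only party that ever touches the private Panorama address is the browser. The tenant ID and the panorama.corp.example hostname are placeholders; /SAML20/SP/ACS is the reply-URL path PAN-OS publishes for its Assertion Consumer Service.

```python
"""Added example, not part of the video or of PAN-OS: the SP-initiated SAML
redirect from Panorama to Azure, showing that only the browser talks to both
sides. Hostnames and the tenant ID are placeholders."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
IDP_SSO_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"

# A Panorama reachable only inside the network. Azure never connects to it;
# the browser carries every message in both directions.
SP_ENTITY_ID = "https://panorama.corp.example"               # the "Identifier" set in Azure
SP_ACS_URL = "https://panorama.corp.example/SAML20/SP/ACS"  # the "Reply URL" (PAN-OS ACS path)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """The AuthnRequest the SP issues when you choose SSO on the login page."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )


def redirect_url(authn_request_xml: str, relay_state: str = "/") -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect(url: str) -> dict:
    """What the IdP receives from the browser. The private ACS URL travels inside
    the request; Azure only has to redirect the browser back to it, never reach it."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml)
    return {
        "idp_host": parts.hostname,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.find("saml:Issuer", NS).text,
        "relay_state": qs.get("RelayState", [None])[0],
    }


def trace_login() -> dict:
    """Run the redirect leg end to end and return what the IdP side saw."""
    req = build_authn_request("_id-0001", "2024-01-01T00:00:00Z")  # constructed values
    return decode_redirect(redirect_url(req))


if __name__ == "__main__":
    for key, value in trace_login().items():
        print(f"{key}: {value}")
```

The return leg works the same way: Azure answers with an HTML form whose action is the ACS URL it read from the request, and the browser posts the assertion there. That is why a private management address in the Azure app registration is fine, as long as the browser can resolve and reach it.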
@ronshah576 · 4 months ago
@netsums OK, thank you. Final question: after I imported the SAML XML file, when I try to edit again to change the SLO URL, I get an error on the identity provider certificate. How do I get that? I tried to create a self-signed one on the Palo, but it didn't work for this.
@netsums · 4 months ago
Have you tried editing the SLO URL (Logout URL) on Azure first (instead of on the Palo), then exporting the XML?
@ronshah576 · 4 months ago
@netsums I didn't do anything more than the steps mentioned before importing to Palo Alto. Steps: 1) entered those three URLs in the SAML config on Azure, 2) added claim mappings, 3) downloaded the XML file and imported it.
@netsums · 4 months ago
There is a fourth URL in Azure further down, called Logout URL. If I understood correctly, you didn't set that one in Azure, but you're changing it on the Palo Alto. Try setting that fourth URL on Azure and after that exporting the XML again. Let me know if it worked.
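Two threads above turn on what the Azure federation metadata actually contains: whether the firewall URLs are in it (they are not; it describes the IdP, not the SP) and where the identity provider certificate comes from (the KeyDescriptor in that same file). The added example below, which is not from the video, parses a constructed metadata document in the shape Azure exports and pulls out exactly the fields an SP consumes. The tenant ID and the certificate body are placeholders; a second copy with the KeyDescriptor stripped shows the failure mode of a file with no signing certificate.

```python
"""Added example, not from the video: what the Azure federation metadata XML
imported into a SAML IdP profile carries. Tenant ID and certificate body are
placeholders; only the element structure follows Azure's export."""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder

# Constructed, trimmed metadata. Note what is here: the IdP's entityID, its
# SSO/SLO endpoints and its signing certificate. Nothing about the SP's own URLs.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data><X509Certificate>
          PLACEHOLDER-CERT-BASE64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Same document with the signing certificate removed: the shape that leaves an
# SP without an identity provider certificate to verify assertions with.
IDP_METADATA_NO_CERT = re.sub(r"<KeyDescriptor.*?</KeyDescriptor>\s*", "", IDP_METADATA, flags=re.S)


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs: issuer, SSO/SLO endpoints per binding, signing cert(s)."""
    root = ET.fromstring(xml_text)   # for XML from an untrusted source use defusedxml instead
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":    # a KeyDescriptor without 'use' serves both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop whitespace inside the base64 body
    if not certs:
        raise ValueError("metadata carries no signing certificate; the SP cannot verify IdP signatures")
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": certs,
    }


def has_signing_cert(xml_text: str) -> bool:
    """True if the metadata can supply an IdP certificate at import time."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except ValueError:
        return False


def mentions_host(xml_text: str, hostname: str) -> bool:
    """Whether the SP's hostname appears anywhere in the IdP metadata."""
    return hostname.lower() in xml_text.lower()
```

Because the SP's identifier and reply URLs live only in the Azure app registration and in the firewall's own SAML settings, the same metadata file can be imported on both members of an HA pair, and changing a reply URL never requires a fresh metadata import. Re-exporting after setting the Logout URL in Azure, as suggested above, also brings the current signing certificate along with it.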
@nathianmorgan1946 · 10 months ago
Hi. We currently have SAML set up for admin access whilst we roll out. Can you have read-only user groups and admin user groups while still using the same registered app?
@netsums · 10 months ago
I don't really understand your question. What do you mean by "same registered app"? Can you give me an example?
@nathianmorgan1946 · 10 months ago
So we have SSO set up into Panorama. At the moment, though, it's just with admin permissions for admins. Can you have read-only permissions set for other users while still having admin access for admins, all done through the same enterprise registered app in Azure?
@netsums · 10 months ago
If I understood your question correctly, you want a set of Azure users to have read-write permissions on Panorama and another set of users to have read-only access. As I explained in the video, you can control the access through group membership in Azure (for example, users in the group admin have access to all the features and users in the group readonly have only read-only access). The Palo Alto analyzes the groups passed from Azure and matches them to the configured admin roles to set the user's role. In the video I only gave an example with one Azure group, but you can configure several if you need.
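The authorization step described in that reply, modelled on the SP side as an added example (not code from the video or from PAN-OS): read the groups claim out of the assertion Azure posts back, and map it to one admin role. The group object IDs, the admin role names and the most-privileged-first precedence rule are assumptions of this example; the groups claim name is Azure's default for SAML tokens. Signature verification is deliberately left out and must precede this step in a real SP.

```python
"""Added example, not from the video or from PAN-OS: mapping the Azure groups
claim in a SAML assertion to an admin role. Group IDs, role names and the
precedence rule are assumptions of this example."""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name Azure uses by default for the groups claim in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SP_ENTITY_ID = "https://panorama.corp.example"   # placeholder Identifier

# Azure group object ID -> admin role profile name. Both columns are placeholders.
# Ordered most to least privileged: a user in several mapped groups gets the first hit.
GROUP_TO_ROLE = [
    ("11111111-1111-1111-1111-111111111111", "admin-readwrite"),
    ("22222222-2222-2222-2222-222222222222", "admin-readonly"),
]


def make_response(groups: List[str], audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned SAML Response in the shape the IdP posts to the ACS URL."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Version="2.0" ID="_r1">'
        f'<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>'
        f'<saml:Assertion Version="2.0" ID="_a1">'
        f'<saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement><saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
        f'</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )


def groups_from_response(response_xml: str) -> List[str]:
    """Pull the groups claim out of an assertion addressed to this SP.
    A real SP verifies the IdP signature (with the certificate from the metadata)
    before reading any attribute; that check is out of scope here."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != SP_ENTITY_ID:
        raise ValueError("assertion was not issued for this SP (Audience mismatch)")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return [g for g in groups if g]


def admin_role_for(groups: List[str]) -> Optional[str]:
    """One role per login; None means no mapped group, so the login is refused
    rather than falling back to any default role."""
    member = set(groups)
    for group_id, role in GROUP_TO_ROLE:
        if group_id in member:
            return role
    return None


def authorize(response_xml: str) -> Optional[str]:
    """Authorization decision for one posted response: role name or None."""
    return admin_role_for(groups_from_response(response_xml))
```

Two points the mapping table makes concrete: Azure sends group object IDs, not display names, so whatever matches them on the firewall side has to be keyed on those IDs; and the table is ordered, because a user who is in both groups needs a deterministic answer rather than whichever value happened to arrive first.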