Managed Device Integration with a Palo Alto Networks Portal

Managed devices can leverage their networks' existing Palo Alto infrastructure to access more advanced security services, including antivirus services, malware detection and seamless integration with the Palo Alto Networks WildFire™ cloud-based threat detection.

Overview

Enable Palo Alto firewall integration on Mobility Master to securely redirect internet inbound traffic from managed devices into the PAN firewall. Although this configuration setting can be used on a stand-alone Mobility Master, in that type of deployment the feature only works in conjunction with the Uplink VLAN manager feature.

The uplink VLAN manager is enabled by default on managed device uplinks. Stand-alone Mobility Masters using the PAN portal feature must enable the uplink VLAN manager using the uplink command in the Mobility Master command-line interface.

Figure 1  Managed Device and PAN Firewall Integration

Integration Workflow

The following steps describe the workflow to integrate a managed device with a Palo Alto Networks Large-Scale VPN firewall.

  1. Palo Alto Portal certificates are installed on Mobility Master, and the managed device is configured with the Palo Alto portal IP address or FQDN, Palo Alto certificate, and the username and password for device authentication using the Configuration > Services > External Services > PAN Portal section of the Mobility Master WebUI.
  2. The managed device is provisioned via Aruba Activate and downloads its configuration (including Palo Alto Networks integration settings).
  3. The Palo Alto portal may be configured with the device number (a text string comprised of the device serial number followed by its MAC address) of the managed device at each remote office site. This allows the managed device to bypass the username and password challenge to authenticate to the portal.
  4. The managed device initiates a secure connection to the Palo Alto portal. Once the managed device is authenticated, the Palo Alto portal sends the managed device a list of PAN gateways and priority levels, and the device appears in the PAN satellite list, as shown in the figure below.

Figure 2  Palo Alto Networks Active Satellites List

  5. The managed device uses the Palo Alto Networks gateway list and credentials from the portal to contact all PAN gateways. Each PAN gateway sends the managed device information that allows the managed device to automatically create a secure IPsec tunnel and exchange branch subnet routes with each PAN gateway.
  6. The managed device maintains a priority list of IPsec tunnels to each PAN gateway to enable failover in the event a PAN gateway becomes unreachable.
  7. Policy-based routing ACLs on the managed device selectively route traffic to the PAN gateways.
  8. Traffic redirected from the managed device is inspected by the Palo Alto Networks firewall.
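The gateway priority list and failover behaviour described in the workflow above, modelled as an added example (this is constructed illustration code, not Aruba or Palo Alto Networks code). The portal response format, the `gateway`/`priority` field names, the "lower number is preferred" ordering, the MAC normalisation in the device number and the reachability probe are all assumptions; the page does not show the real protocol.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class PanGateway:
    host: str
    priority: int  # assumption: lower number = more preferred gateway


def device_number(serial: str, mac: str) -> str:
    """Device number from step 3: serial number followed by the MAC address.

    Stripping separators and lowercasing the MAC is an assumption about
    what the portal expects; the page only states 'serial followed by MAC'.
    """
    return serial + mac.replace(":", "").replace("-", "").lower()


def tunnel_priority_list(portal_response: list) -> list:
    """Order the gateways returned by the portal into the failover list (steps 4-6)."""
    gws = [PanGateway(g["gateway"], int(g["priority"])) for g in portal_response]
    return sorted(gws, key=lambda g: (g.priority, g.host))


def select_active_gateway(tunnels: list,
                          reachable: Callable[[str], bool]) -> Optional[PanGateway]:
    """Pick the most-preferred gateway whose tunnel is up, failing over down the list.

    Returns None when no PAN gateway is reachable, i.e. traffic cannot be redirected
    for inspection and the operator should be alerted.
    """
    for gw in tunnels:
        if reachable(gw.host):
            return gw
    return None


# Constructed sample portal response; hostnames and priorities are made up.
SAMPLE_PORTAL_RESPONSE = [
    {"gateway": "pan-gw-dc2.example.com", "priority": 2},
    {"gateway": "pan-gw-dc1.example.com", "priority": 1},
    {"gateway": "pan-gw-dr.example.com", "priority": 3},
]

if __name__ == "__main__":
    tunnels = tunnel_priority_list(SAMPLE_PORTAL_RESPONSE)
    up = {"pan-gw-dc2.example.com", "pan-gw-dr.example.com"}  # simulate dc1 tunnel down
    print(select_active_gateway(tunnels, lambda h: h in up))
```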

Configuration Prerequisites

The Palo Alto Networks Large-Scale VPN framework can integrate with a managed device by establishing an IPsec tunnel between the firewall and the managed device. Integrating a Palo Alto Networks firewall with a managed device requires that all user traffic is routed, so it can be managed by a policy-based routing access control list.

The following certificate requirements must be fulfilled before the managed device can integrate with the Palo Alto Networks Large-Scale VPN framework:

In deployments with multiple PAN firewalls, you must configure the PAN management portal with a list of gateways and the priority of each PAN gateway. For more information, see Palo Alto Networks Firewall Integration. Even if the PAN management portal uses serial number registration with preregistered serial numbers or MAC addresses, best practice is to configure LDAP, RADIUS, Kerberos or Local Database authentication as well. This allows a managed device to authenticate to the portal even if the portal does not recognize the managed device's MAC address.

Configuring PAN Portal settings

PAN portal settings must be defined via a managed device (/md) configuration. The Mobility Master configuration node (/mm) does not support PAN portal settings.

The following procedure describes how to configure PAN Portal settings:

  1. From a Managed Network node hierarchy, navigate to the Configuration > Services > External Services tab.
  2. Expand the PAN Portal accordion.
  3. Define values for the configuration settings described in Table 1.

Table 1: PAN Portal Settings

  Parameter            Description
  Portal IP/FQDN       The IP address or FQDN of the portal.
  Trusted Certificate  The name of the self-signed or external CA certificate used to establish an SSL connection to the portal.
  User Name            Username to authenticate to the Palo Alto Networks portal.
  Password             Password to authenticate to the Palo Alto Networks portal.