Palo Alto Networks virtualized firewalls, called the VM-Series, support the same next-generation firewall and advanced threat prevention features as the physical form factor appliances, allowing customers to safely enable applications flowing into and across their private, public and hybrid cloud computing environments. Automation features such as VM monitoring, dynamic address groups and a REST-based API let developers and administrators monitor VM changes proactively and feed that context into security policies dynamically, eliminating the policy lag that can occur when virtual machines change.
Consider the following use case:
A customer of Palo Alto Networks has firewalls protecting an insurance & claims Portal. The customer seeks an identity & access management platform with the following key capabilities:
a) Onboard millions of existing users from an existing internet-facing Directory Server
b) Provide a self-registration capability for new customers with a new policy (individual or via employer)
c) Be able to detect portal sessions, and selectively enable enterprise applications in the Portal for customers, affiliates and partners alike.
The ForgeRock powered Palo Alto Networks solution provides all these key capabilities.
Users log in to the Portal, which is protected by the OpenAM distributed user interface living in the DMZ. Upon successful authentication, OpenAM punches application-specific ports in the Palo Alto Networks firewall(s) on behalf of the user via the Palo Alto Networks User-ID API. This real-time action instantly enables the user's Portal iFrames, AJAX widgets, etc. to make inbound API calls that retrieve live policy, insurance or claims content. When the user logs out of the Portal, OpenAM instantly closes the application-specific ports via the same User-ID API, disabling access to those applications for that user.
This page describes a simpler use case, in which REST calls are used to log into OpenAM directly, triggering User-ID API calls in the backend that open and subsequently close application ports in the virtualized firewalls managed by Panorama.
All software used in this demo is on evaluation virtual appliances from Palo Alto Networks.
Download, install and configure Panorama 6 to connect to two 5.0.6 firewalls and two 6.0.0 firewalls. For this demo we shall only be using the 6.0.0 firewall.
Note that Panorama must always run the highest version; the managed firewalls can be the same version as Panorama or older.
Finally, Panorama 6 needs to be run on a 64 bit ESXi host.
Generate an API key, which must be sent with every REST call, using the endpoint: http(s)://hostname/api/?type=keygen&user=username&password=password
Note that the API returns a different key each time a keygen query is run; all of the returned keys remain valid.
When installations and configurations are done, you should see the virtualized firewalls in a connected state from the Panorama interface:
Write a post authentication plugin (PaP) in OpenAM that uses the Palo Alto Networks REST-based User-ID API to open up an application port in Panorama-managed firewalls.
The PaP creates a user-id mapping file under /tmp, such as the following:
    <?xml version="1.0" encoding="UTF-8"?>
    <uid-message>
      <payload>
        <login>
          <entry blocksize="2" endport="8081" ip="10.0.61.20" name="demo" startport="8080"/>
        </login>
      </payload>
      <type>update</type>
      <version>1.0</version>
    </uid-message>
The PaP uploads this XML file to the endpoint:
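The whole exchange the plugin performs, as an added example: this is Python written for this page, not code from the wiki article, from ForgeRock or from Palo Alto Networks (the page's own PaP is a Java class inside OpenAM). It builds the keygen URL from the endpoint given above, extracts the key from the keygen response, constructs the uid-message for the login shown above and the matching logout, with XML escaping of the user name, and submits it. Assumptions, also marked in the code: the keygen response shape (`<response status="success"><result><key>…`) and the upload endpoint (`/api/` with `type=user-id&action=set` and the XML in `cmd`), neither of which the page shows, and that the logout entry reuses the login entry's attributes. Hostnames, the sample key and the `transport` hook are constructed for offline use.

```python
"""Added example (not from the OpenAM wiki article, ForgeRock or Palo Alto
Networks): the PAN-OS XML API exchange behind the OpenAM post-authentication
plugin. Everything not shown on the page is marked as an assumption."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def keygen_url(base_url, username, password):
    """Keygen endpoint from the page: /api/?type=keygen&user=...&password=..."""
    query = urllib.parse.urlencode(
        {"type": "keygen", "user": username, "password": password})
    return f"{base_url.rstrip('/')}/api/?{query}"


def parse_api_key(response_xml):
    """Pull the key out of a keygen response.

    Assumption (not on the page): the response is
    <response status="success"><result><key>...</key></result></response>."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"keygen failed: status={root.get('status')!r}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response carried no <key> element")
    return key.strip()


def build_uid_message(action, name, ip, startport, endport, blocksize=2):
    """Build the uid-message from the page for a login, or the matching logout.

    Assumption: the page says the PaP closes the ports at logout but shows no
    logout message; the same entry attributes are reused under <logout>."""
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    if not 0 < int(startport) <= int(endport) <= 65535:
        raise ValueError("need 0 < startport <= endport <= 65535")
    root = ET.Element("uid-message")
    payload = ET.SubElement(root, "payload")
    section = ET.SubElement(payload, action)
    # Same attributes, same order as the page's file; ElementTree escapes the
    # values, so a user name containing < or " cannot break out of the entry.
    ET.SubElement(section, "entry", {
        "blocksize": str(blocksize), "endport": str(endport), "ip": ip,
        "name": name, "startport": str(startport)})
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            + ET.tostring(root, encoding="unicode"))


def parse_uid_message(uid_xml):
    """Read a uid-message back as (action, entry attributes) for verification."""
    root = ET.fromstring(uid_xml)
    section = root.find("./payload/*")
    entry = root.find("./payload/*/entry")
    return section.tag, dict(entry.attrib)


def _http_post(url, body):
    """Default transport: POST a form body and return the response text."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def send_uid_message(base_url, api_key, uid_xml, transport=_http_post):
    """Submit the uid-message to the firewall or Panorama; True on success.

    Assumption: the page does not show the upload endpoint. The PAN-OS XML API
    form used here is /api/ with type=user-id&action=set&key=...&cmd=<xml>.
    The key travels in the POST body rather than the URL so that it does not
    land in web server or proxy access logs."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "action": "set", "key": api_key, "cmd": uid_xml})
    response = transport(f"{base_url.rstrip('/')}/api/", body)
    return ET.fromstring(response).get("status") == "success"


if __name__ == "__main__":
    # Offline demonstration with the values from the page's mapping file.
    print(build_uid_message("login", "demo", "10.0.61.20", 8080, 8081))
    print(build_uid_message("logout", "demo", "10.0.61.20", 8080, 8081))
```

Two points a practitioner would watch here. The API key is credential-equivalent, and, as the page notes, every keygen call yields another valid key, so keys belong in the request body and in protected storage, never in URLs, logs or world-readable files. Building the message in memory instead of writing it under /tmp keeps the user-to-IP mapping away from other local accounts on the OpenAM host, and escaping the attribute values matters because the name comes from whatever principal just authenticated.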
This article was first published on the OpenAM Wiki Confluence site: OpenAM and Palo Alto Networks