Scribd
Upload
22 views40 pages

PANv11 FE Lab 03

Uploaded by

bhovibailu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
22 views40 pages

PANv11 FE Lab 03

Uploaded by

bhovibailu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 40

PALO ALTO NETWORKS FIREWALL 11.

0 ESSENTIALS

Lab 3: Managing Firewall Administrator Accounts

Document Version: 2024-01-15

Copyright © 2024 Network Development Group, Inc.


www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

Palo Alto Networks, PAN-OS, WildFire, RedLock, and Demisto are registered trademarks of Palo Alto Networks, Inc. All other marks mentioned herein may
be trademarks of their respective companies.
Lab 3: Managing Firewall Administrator Accounts

Contents
Introduction ................................................................................................................................................ 3
Objective ..................................................................................................................................................... 3
Lab Topology ............................................................................................................................................... 4
Theoretical Lab Topology ............................................................................................................................ 4
Lab Settings ................................................................................................................................................. 5
Lab Guidance............................................................................................................................................... 5
1 Managing Firewall Administrator Accounts – High Level Lab Steps................................................... 6
1.1 Apply a Baseline Configuration to the Firewall .......................................................................... 6
1.2 Create a Local Database Authentication Profile ......................................................................... 6
1.3 Create a Local User Database Account ....................................................................................... 6
1.4 Create an Administrator Account ............................................................................................... 6
1.5 Commit the Configuration .......................................................................................................... 6
1.6 Log in With New Admin Account ................................................................................................ 6
1.7 Configure LDAP Authentication .................................................................................................. 6
1.8 Commit the Configuration .......................................................................................................... 7
1.9 Log in With New Admin Account ................................................................................................ 7
1.10 Configure RADIUS Authentication .............................................................................................. 7
1.11 Commit the Configuration .......................................................................................................... 8
1.12 Log in With New Admin Account ................................................................................................ 8
1.13 Configure an Authentication Sequence ...................................................................................... 8
2 Managing Firewall Administrator Accounts – Detailed Lab Steps...................................................... 9
2.1 Load Lab Configuration ............................................................................................................... 9
2.2 Create a Local Database Authentication Profile ....................................................................... 12
2.3 Create a Local User Database Account ..................................................................................... 14
2.4 Create an Administrator Account ......................................................................................... 16
2.5 Configure LDAP Authentication ............................................................................................ 21
2.6 Configure RADIUS Authentication ........................................................................................ 29
2.7 Configure and Authentication Sequence .............................................................................. 38

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 2


Lab 3: Managing Firewall Administrator Accounts

Introduction

When you deploy the firewall into your production network, you need to make sure that other
members of your team have administrative access to the device. You want to leverage an existing LDAP
server that maintains account and password information for members of your team. However, your
organization recently merged with another company whose administrative accounts are maintained in
a RADIUS database.

No one has had time yet to migrate all the accounts from RADIUS into LDAP, so you need to configure
the firewall to check both LDAP and RADIUS to authenticate an account when an administrator logs in.

Objective

In this lab, you will perform the following tasks:

• Load a baseline configuration.


• Create a local firewall administrator account.
• Configure an LDAP Server Profile.
• Configure a RADIUS Server Profile.
• Configure an LDAP Authentication Profile.
• Configure a RADIUS Authentication Profile.
• Configure an Authentication Sequence.
• Create non-local firewall administrator accounts.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 3


Lab 3: Managing Firewall Administrator Accounts

Lab Topology

Theoretical Lab Topology

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 4


Lab 3: Managing Firewall Administrator Accounts

Lab Settings

The information in the table below will be needed in order to complete the lab. The task sections
below provide details on the use of this information.

Virtual Machine IP Address Account Password


(if needed) (if needed)

Client 192.168.1.20 lab-user Pal0Alt0!

DMZ 192.168.50.10 root Pal0Alt0!

Firewall 192.168.1.254 admin Pal0Alt0!

vRouter 192.168.1.10 root Pal0Alt0

Lab Guidance

There are two sections in this lab guide:


• High-Level Lab Steps
• Detailed Lab Steps
The High-Level Lab Steps section provides only general guidance and information about how to
accomplish the lab objectives. This section is more challenging and is suited for students who have a
working knowledge of Palo Alto Networks firewalls. If you have never worked with a Palo Alto
Networks firewall, we strongly encourage you to use the Detailed Lab Steps section.
The instructions in the Detailed Lab Steps section provide guided, detailed steps and screenshots to
accomplish the lab objectives.
If you decide to use the High-Level Lab Guide and get stuck, switch to the Detailed Lab Guide for
guidance.

You are not required to complete both the High-Level Lab Guide and the
Detailed Lab Guide for each lab. Instead, please select the appropriate section
based on your familiarity with Palo Alto Networks Firewalls.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 5


Lab 3: Managing Firewall Administrator Accounts

1 Managing Firewall Administrator Accounts – High Level Lab Steps

It is recommended to use this section if you possess significant experience in working with Palo Alto
Networks firewalls. In case you require more comprehensive instructions to achieve the objectives,
please utilize the Detailed-Lab Steps section in Task 2.

1.1 Apply a Baseline Configuration to the Firewall


• On the Zorin desktop, select lab-user, enter Pal0Alt0! for the password.
• For the Palo Alto Firewall, enter admin for the user and Pal0Alt0! for the password.
• Load and commit the configuration file - edu-210-11.0a-03.xml to the Firewall.

1.2 Create a Local Database Authentication Profile


• Create a Local Database Authentication Profile called Local-Database.
• Set the Allow List for the Local-Database Profile to all.

1.3 Create a Local User Database Account


• Create an entry in the Local User Database called adminBob with Pal0Alt0! as the Password.

1.4 Create an Administrator Account


• Create an Administrator account using the Local Database entry for adminBob.
• Set the Authentication Profile to Local-Database.

1.5 Commit the Configuration


• Commit the changes to the firewall before proceeding.

1.6 Log in With New Admin Account


• Log out of the firewall web interface and log back into the firewall with adminBob as the
Username and Pal0Alt0! as the Password.
• Use the System log to verify that the adminBob account was authenticated by the local-
database.
• Log out of the firewall and log back into the firewall with the admin/Pal0Alt0! credentials.

1.7 Configure LDAP Authentication


• Use the information in the table below to configure an LDAP Server Profile.
Profile Name LDAP-Server-Profile

Server Name ldap.panw.lab

LDAP Server IP Address 192.168.50.89

Port field 389

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 6


Lab 3: Managing Firewall Administrator Accounts

Server Settings Type Other

Base DN dc=panw,dc=lab

Bind DN cn=admin,dc=panw,dc=lab

Password / Confirm Password Pal0Alt0!

Require SSL/TLS secured connection unchecked

• Use the information in the table below to create an LDAP Authentication Profile.
Name LDAP-Auth-Profile

Type LDAP

Server Profile LDAP-Server-Profile

Allow List (Advanced Tab) all

• Use the information in the table below to create a new administrator account that will be
authenticated by LDAP.
Name adminSally

Authentication Profile LDAP-Auth-Profile

1.8 Commit the Configuration


• Commit the changes to the firewall before proceeding.

1.9 Log in With New Admin Account


• Test LDAP Authentication by logging in with the adminSally/Pal0Alt0! credentials.
• Use the System log to verify that the adminSally account was authenticated using LDAP.

1.10 Configure RADIUS Authentication


• Use the information in the table below to configure a RADIUS Server Profile.
Profile Name RADIUS-Server-Profile

Authentication Protocol CHAP

Server Name radius.panw.lab

RADIUS Server 192.168.50.150

Secret / Confirm Secret Pal0Alt0!

Port 1812

• Use the information in the table below to create a RADIUS Authentication Profile.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 7


Lab 3: Managing Firewall Administrator Accounts

Name RADIUS-Auth-Profile

Type RADIUS

Server Profile RADIUS-Server-Profile

Allow List (Advanced Tab) all

• Use the information in the table below to create a new administrator account that will be
authenticated by RADIUS.
Name adminHelga

Authentication Profile RADIUS-Auth-Profile

1.11 Commit the Configuration


• Commit the changes to the firewall before proceeding.

1.12 Log in With New Admin Account


• Test RADIUS Authentication by logging in with the adminHelga/Pal0Alt0! credentials.
• Use the System log to verify that the adminHelga account was authenticated using RADIUS.

1.13 Configure an Authentication Sequence


• Create an authentication sequence called LDAP-then-RADIUS that uses the LDAP-Auth-Profile
first and the RADIUS-Auth-Profile second.
• Commit the configuration.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 8


Lab 3: Managing Firewall Administrator Accounts

2 Managing Firewall Administrator Accounts – Detailed Lab Steps

It is recommended to use this section if you prefer detailed guidance to complete the objectives for
this lab. It is strongly recommended that you use this section if you do not have extensive experience
working with Palo Alto Networks firewalls.

2.1 Load Lab Configuration

In this section, you will connect to the Firewall and load the Firewall configuration file.

1. Click on the Client tab to access the Client PC.

2. On the Zorin desktop, click lab-user.

3. For the lab-user password, enter Pal0Alt0! and press Enter.

4. Double-click the Firefox Web Browser icon located on the Desktop.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 9


Lab 3: Managing Firewall Administrator Accounts

5. In the Firefox address field, type https://192.168.1.254 and press Enter.

6. Log in to the Firewall web interface as username admin, password Pal0Alt0!.

If you do not immediately see the login page, please wait an additional
1-3 minutes for the Firewall to fully initialize. If needed, refresh the
page.

7. Navigate to Device > Setup > Operations in the web interface and click on Load named
configuration snapshot underneath the Configuration Management section.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 10


Lab 3: Managing Firewall Administrator Accounts

8. In the Load Named Configuration window, select edu-210-11.0a-03.xml from the Name drop-down
box and click OK.

9. In the Loading Configuration window, a message will show Configuration is being loaded. Please
check the Task Manager for its status. You should reload the page when the task is completed. Click
Close to continue.

10. Click the Tasks icon located at the bottom-right of the web interface.

11. In the Task Manager – All Tasks window, verify the Load type has been completed. Click Close

12. Click the Commit link located at the top-right of the web interface.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 11


Lab 3: Managing Firewall Administrator Accounts

13. In the Commit window, click Commit to proceed with committing the changes.

14. When the commit operation is complete, click Close to continue.

The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.

15. Leave the Palo Alto Networks Firewall open and continue to the next task.

2.2 Create a Local Database Authentication Profile

In this section, you will create a local database authentication profile. Local database profiles allow the
firewall to authenticate administrators who need access to the firewall web interface through Captive
Portal or GlobalProtect.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 12


Lab 3: Managing Firewall Administrator Accounts

1. In the PA-VM web interface, navigate to Device > Authentication Profile. Click Add at the bottom
of the window.

2. In the Authentication Profile window, under the Authentication tab, enter Local-Database for the
Name, for Type, use the drop-down list to select Local Database.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 13


Lab 3: Managing Firewall Administrator Accounts

3. Select the Advanced tab, in the Allow List section, click Add. Select All and click OK.

4. Leave the firewall web interface open to continue with the next task.

2.3 Create a Local User Database Account

In this section, you will create a new entry in the Local User Database on the firewall. This entry will be
for a new team member, adminBob.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 14


Lab 3: Managing Firewall Administrator Accounts

1. In the web interface, select Device > Local User Database > Users. In the bottom left corner of the
window, click Add. You may need to use the scroll bar to locate the Local User Database drop
down.

2. In the Local User window, type adminBob for the Name field. Enter Pal0Alt0! for Password and
Confirm Password. Click OK.

3. Leave the firewall web interface open to continue with the next task.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 15


Lab 3: Managing Firewall Administrator Accounts

2.4 Create an Administrator Account

In this task, you will create an administrator account for adminBob. The adminBob account will use the
Local-Database Authentication Profile.

1. In the web interface, select Device > Administrators. Click Add at the bottom of the window.

2. In the Administrator window, enter adminBob for the Name. For the Authentication Profile, select
Local-Database. Click OK.

Note that when you select Local-Database for the Authentication


Profile, there is no option to enter a Password for the administrator.
The password information for this account is maintained in the Local-
database on the firewall.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 16


Lab 3: Managing Firewall Administrator Accounts

3. Click the Commit button at the upper right of the PA-VM web interface.

4. In the Commit window, click Commit to proceed with committing the changes.

5. In the Commit Status window, click Close.

6. Log out of the firewall web interface by clicking the Logout button in the bottom left corner of the
window.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 17


Lab 3: Managing Firewall Administrator Accounts

7. In the Log In window, click Log In.

8. Log back into the firewall as username adminBob, password Pal0Alt0!. Click Log In.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 18


Lab 3: Managing Firewall Administrator Accounts

9. In the Welcome window, click Close.

10. Select Monitor > Logs > System. Look for an entry with Type > Auth. You may need to scroll
through the logs to find the auth type.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 19


Lab 3: Managing Firewall Administrator Accounts

Note that the entry in the firewall system log indicates that adminBob
was successfully authenticated against the Local-Database.

If you do not see an entry in the System log indicating a successful


authentication for adminBob, you can use a filter ( subtype eq auth )
as the syntax.

11. Log out of the Firewall.

12. In the Log In window, click Log In.

13. Log back into the firewall with the admin/Pal0Alt0! credentials.

14. Leave the firewall web interface open to continue with the next task.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 20


Lab 3: Managing Firewall Administrator Accounts

2.5 Configure LDAP Authentication

Your organization uses an LDAP server to maintain a database of users, including network
administrators. Your team of security personnel is growing each month and you want to leverage the
existing LDAP server to authenticate administrators when they attempt to log into the firewall.

The first step in this process is to define an LDAP server profile which contains specific information that
the firewall can use when sending queries for authentication.

1. In the web interface, select Device > Server Profiles > LDAP. At the bottom of the window, click
Add.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 21


Lab 3: Managing Firewall Administrator Accounts

2. In the LDAP Server Profile window, enter LDAP Server Profile for the Profile Name. Under the
Server List, click Add. Enter ldap.panw.lab for the Name, 192.168.50.89 for the LDAP Server,
and confirm 389 populates for the Port number.

3. In the Server Settings section, enter dc=panw,dc=lab for Base DN, enter
cn=admin,dc=panw,dc=lab for Bind DN, enter Pal0Alt0! for Password and Confirm Password
and uncheck Require SSL/TLS secured connection. Click OK.

With your LDAP Server Profile in place, you will now create an
Authentication Profile and reference the LDAP Server Profile you just
created.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 22


Lab 3: Managing Firewall Administrator Accounts

4. Verify the LDAP Server Profile is showing.

5. Select Device > Authentication Profile. Click Add.

6. In the Authentication Profile window, type LDAP Auth Profile for the Name. Select LDAP for the
Type and LDAP Server Profile for the Server Profile. Click Advanced.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 23


Lab 3: Managing Firewall Administrator Accounts

7. On the Advanced tab, in the Allow List, click Add. Select all and click OK.

8. Navigate to Device > Administrators and click Add.

9. In the Administrator window, type adminSally for the Name. Select LDAP Auth Profile for the
Authentication Profile. Click OK.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 24


Lab 3: Managing Firewall Administrator Accounts

The adminSally account is one which exists in the LDAP server.

10. Click the Commit link located at the top-right of the web interface.

11. In the Commit window, click Commit to proceed with committing the changes.

12. When the commit operation successfully completes, click Close to continue.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 25


Lab 3: Managing Firewall Administrator Accounts

13. Log out of the firewall web interface by clicking the Logout button in the bottom left corner of the
window.

14. In the Log In window, click Log In.

15. Log back into the firewall as username adminSally, password Pal0Alt0!. Click Log In.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 26


Lab 3: Managing Firewall Administrator Accounts

16. In the Welcome window, click Close.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 27


Lab 3: Managing Firewall Administrator Accounts

17. Select Monitor > System. Look for an entry with Type > Auth. You may need to scroll through the
logs to find the auth type.

Note that the entry in the firewall system log indicates that adminSally
was successfully authenticated against the LDAP Server.

If you do not see an entry in the System log indicating a successful


authentication for adminSally, you can use a filter ( subtype eq auth )
as the syntax.

18. Log out of the Firewall.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 28


Lab 3: Managing Firewall Administrator Accounts

19. In the Log In window, click Log In.

20. Log back into the firewall with the admin/Pal0Alt0! credentials.

21. Leave the firewall web interface open to continue with the next task.

2.6 Configure RADIUS Authentication

Your organization has recently acquired another company. The newly acquired company maintains all
network administrator accounts in a RADIUS server. You need to incorporate RADIUS authentication
for the firewall so the new network administrators who have joined your team can access the firewall
for management purposes.

For this section, you will configure RADIUS Authentication and test the user adminHelga can login in.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 29


Lab 3: Managing Firewall Administrator Accounts

1. Navigate to Device > Server Profiles > RADIUS. Click Add.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 30


Lab 3: Managing Firewall Administrator Accounts

2. In the RADIUS Server Profile window, enter RADIUS Server Profile for the Profile Name. For the
Authentication Protocol, select CHAP. Under the Servers section, click Add. For the server Name
field, enter radius.panw.lab. For the RADIUS Server field, enter 192.168.50.150. Enter
Pal0Alt0! for Secret and Confirm Secret. Leave the Port set to 1812. Click OK.

Never use CHAP in a production environment because it is not secure. We are


using it in the lab for the sake of simplicity.

3. Navigate to Device > Authentication Profile. Click Add.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 31


Lab 3: Managing Firewall Administrator Accounts

4. In the Authentication Profile window, enter RADIUS Auth Profile for the Profile Name. For the
Type, select RADIUS. For the Server Profile, select RADIUS Server Profile. Click the Advanced tab.

5. Under the Allow List, click Add. Select all and click OK.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 32


Lab 3: Managing Firewall Administrator Accounts

6. To test RADIUS Authentication, create an administrator account named adminHelga by selecting


Device > Administrators. Click Add.

7. In the Administrator window, enter adminHelga for the Name. For the Authentication Profile,
select RADIUS Auth Profile. Click OK.

8. Click the Commit link located at the top-right of the web interface.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 33


Lab 3: Managing Firewall Administrator Accounts

9. In the Commit window, click Commit to proceed with committing the changes.

10. When the commit operation successfully completes, click Close to continue.

11. Log out of the firewall web interface by clicking the Logout button in the bottom left corner of the
window.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 34


Lab 3: Managing Firewall Administrator Accounts

12. In the Log In window, click Log In.

13. Log back into the firewall as username adminHelga, password Pal0Alt0!. Click Log In.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 35


Lab 3: Managing Firewall Administrator Accounts

14. In the Welcome window, click Close.

15. Select Monitor > Logs > System. Look for an entry with Type > Auth. You may need to scroll
through the logs to find the auth type.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 36


Lab 3: Managing Firewall Administrator Accounts

Note that the entry in the firewall system log indicates that
adminHelga was successfully authenticated against the RADIUS
Profile.

If you do not see an entry in the System log indicating a successful


authentication for adminHelga, you can use a filter ( subtype eq auth )
as the syntax.

16. Log out of the Firewall.

17. In the Log In window, click Log In.

18. Log back into the firewall with the admin/Pal0Alt0! credentials.

19. Leave the firewall web interface open to continue with the next task.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 37


Lab 3: Managing Firewall Administrator Accounts

2.7 Configure and Authentication Sequence

Since the acquisition, some administrator accounts exist in LDAP and other accounts exist in RADIUS.
With administrator accounts in these two different systems, you need to configure the firewall so that
it can check both external databases when an administrator attempts to log in.

In this section you will accomplish this by creating an Authentication Sequence. The sequence will
instruct the firewall to check an account against LDAP first and then against RADIUS if the account does
not exist in LDAP (or if the LDAP server is unavailable).

1. Navigate to Device > Authentication Sequence. Click Add.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 38


Lab 3: Managing Firewall Administrator Accounts

2. In the Authentication Sequence window, type LDAP then RADIUS for the Name. Under the
Authentication Profiles, click Add. Select LDAP Auth Profile. Click Add again and select RADIUS
Auth Profile. Click OK.

Note the Move Up and Move Down buttons. These allow you to
change the order of the Authentication Profiles if necessary. In this
example, the firewall will use the LDAP-Auth-Profile first when an
administrator logs in to attempt authentication; if the user account
does not exist in LDAP (or if the LDAP server is unavailable), the
firewall will use the RADIUS-Auth-Profile to attempt authentication.

3. Click the Commit link located at the top-right of the web interface.

4. In the Commit window, click Commit to proceed with committing the changes.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 39


Lab 3: Managing Firewall Administrator Accounts

5. When the commit operation successfully completes, click Close to continue.

6. The lab is now complete; you may end your reservation.

1/15/2024 Copyright © 2024 Network Development Group, Inc. www.netdevgroup.com Page 40

You might also like