
(Palo Alto) Instructions for synchronizing users from AD Server with User-ID

TigerDao

Administrator
Staff member
1. Purpose of the article:

– This article shows how to synchronize users from Active Directory (AD) to a Palo Alto firewall with User-ID, so that traffic can be identified and controlled by the user who generates it rather than only by IP address.
(IMG)

2. Network diagram, scenarios and configuration steps:

2.1 Network diagram: The lab uses the following devices and network information:
(IMG)

– Interface ethernet1/1 of the Palo Alto is the WAN interface and connects to the internet via PPPoE; interface ethernet1/3, with IP 172.16.16.1/24, is the LAN interface.
(IMG)
– In the LAN there is an AD server for the domain testlab.com with IP 172.16.16.100/24, and one Windows 10 PC (IP 172.16.16.200) that has joined the domain testlab.com and is logged in with the account michael. This account belongs to the group support, which is located in the OU IT.
(IMG)


2.2 Scenario:
– We will synchronize users from the AD server testlab.com to the Palo Alto and configure a security policy that allows internet access based on the synchronized users.


2.3 Steps to take:

  1. Configure Service Routes (Service Features).
  2. Enable User Identification on the LAN zone.
  3. Configure an LDAP Server Profile.
  4. Configure User Mapping.
  5. Configure Group Mapping Settings.
  6. Configure an Authentication Profile.
  7. Create a Security Policy and check the results.

3. Configuration instructions:
3.1 Configure Service Routes (Service Features):
– First we configure service routes so that the firewall sends the traffic of certain services out of the interface connected to the AD server (by default these services use the management interface).
– Here we route the DNS, Kerberos, LDAP and UID Agent services.
– Go to Device > Setup > Services > Services Features > Service Route Configuration.
– In the Service Route Configuration window that appears, select Customize.
(IMG)



– To configure a service, click on its name; here we select DNS. The Service Route Source window appears: select ethernet1/3 as the Source Interface, and the Source Address field is filled automatically with the IP of ethernet1/3, 172.16.16.1/24. Click OK to save.
(IMG)



– Configure the remaining services (Kerberos, LDAP, UID Agent) the same way.
(IMG)

(IMG)

(IMG)
– Finally, click OK in the Service Route Configuration window to save.


3.2 Enable User Identification on the LAN zone:
– For the firewall to apply the synchronized user mappings, User Identification must be enabled on the zone that contains the domain-joined workstations; here that is the LAN zone.
– Go to Network > Zones > click the zone LAN > in the Zone window, tick Enable User Identification > click OK to save.
(IMG)



3.3 Configure LDAP Server Profile:
– Go to Device > Server Profiles > LDAP > click Add and fill in the following information:
  • Profile Name: lab-active-directory
  • Server List: click Add and enter Name: DC01, LDAP Server: 172.16.16.100, Port: 389.
  • Server Settings:
    • Type: select active-directory.
    • Base DN: DC=testlab,DC=com.
    • Bind DN: administrator@testlab.com
    • Password + Confirm Password: enter the password of the Administrator account.
    • Bind Timeout: 30
    • Search Timeout: 30
    • Retry Interval: 60
    • Require SSL/TLS secured connection: untick for this lab.
  • Click OK to save.
– Note: this lab binds as Administrator over plain LDAP on port 389 for simplicity. In production, use a dedicated read-only service account as the Bind DN and connect over LDAPS (port 636 with Require SSL/TLS secured connection ticked), so that the bind password and directory data are not sent in clear text.
(IMG)



3.4 Configure User Mapping:
– Go to Device > User Identification > User Mapping.
– Three sections need to be configured: Palo Alto Networks User-ID Agent Setup, Server Monitoring, and Include/Exclude Networks.
– In the section Palo Alto Networks User-ID Agent Setup, click the gear icon on the right; a configuration window appears with the following tabs and parameters.
– Tab Server Monitor Account:

  • User Name: testlab.com\Administrator
  • Password and Confirm Password: enter the password of the Administrator account in both boxes
  • Kerberos Server Profile: None
– Note: this account is what the firewall uses to read the Security event log on the AD server over WMI. A dedicated service account with only the rights needed for that (membership in Event Log Readers and Distributed COM Users, plus remote-enable permission on the WMI namespace) is preferable to Domain Administrator, whose password would otherwise be stored on the firewall.



(IMG)


– Tab Server Monitor:

  • Enable Security Log: tick to enable
  • Server Log Monitor Frequency (sec): 2
  • Enable Session: untick
  • Server Session Read Frequency (sec): 10
  • Novell eDirectory Query Interval (sec): 30
  • Syslog Service Profile: None



(IMG)


– Tab Client Probing:

  • Enable Probing: tick
  • Probe Interval (min): 5
– Note: client probing makes the firewall connect over WMI to every workstation whose mapping is about to expire, authenticating with the Server Monitor account. On a network where an attacker may control a host, this exposes that account's credentials, so Palo Alto Networks recommends leaving probing disabled outside a lab.



(IMG)


– Tab Cache:

  • Enable User Identification Timeout: tick to enable
  • User Identification Timeout (min): 120
  • Allow matching usernames without domains: untick (users are then matched with their domain prefix, for example testlab\michael, as they are entered in the policy in step 3.7)
  • Click OK to save.



(IMG)

– Next, configure Server Monitoring: click Add, and in the User Identification Monitored Server window set the following parameters:

  • Name: TESTLAB
  • Tick Enabled
  • Type: Microsoft Active Directory
  • Transport Protocol: WMI
  • Network Address: 172.16.16.100
  • Click OK to save.



(IMG)



– Finally, configure Include/Exclude Networks: click Add, and in the Include Exclude Network window set the following parameters:

  • Name: All
  • Tick Enabled
  • Discovery: Include
  • Network Address: 0.0.0.0/0
  • Click OK to save.
– Note: 0.0.0.0/0 tells User-ID to map (and, with probing enabled, probe) every address it sees. Restricting this list to the user subnets, here 172.16.16.0/24, keeps the firewall from probing addresses that are not workstations.



(IMG)



– When the configuration is complete, the Server Monitoring table shows the status of the server we connected to as Connected. The same can be checked from the CLI with show user server-monitor state all, and the learned mappings can be listed with show user ip-user-mapping all.
(IMG)



3.5 Configure Group Mapping Settings:
– Go to Device > User Identification > Group Mapping Settings > click Add > in the tabs Server Profile and Group Include List fill in the following information.
– Tab Server Profile:

  • Name: TESTLAB
  • Server Profile: select lab-active-directory
  • User Domain: testlab.com
  • Group Objects > Object Class: group
  • User Objects > Object Class: person
  • Tick Enabled



(IMG)


– Tab Group Include List:

  • In the tree DC=testlab,DC=com, expand the OUs and groups read from AD, select the OU or group you want to use and press "+" to move it to the Included Groups list. (In this lab the group support inside the OU IT is included.)
  • Click OK to save. After the commit, show user group list on the CLI lists the included groups.



(IMG)

3.6 Configure Authentication Profile:

– Go to Device > Authentication Profile > click Add > the Authentication Profile window has two tabs to configure: Authentication and Advanced.
– Tab Authentication:

  • Name: AD TESTLAB
  • Type: LDAP
  • Server Profile: select lab-active-directory


(IMG)

– Tab Advanced:

  • In Allow List, click Add and choose all
  • Click OK to save



(IMG)



3.7 Create Security Policy and check the results:
– Now we create a Security Policy that allows internet access based on the synchronized users. Until the policy exists, neither the server nor the client logged in as michael can access the internet.
(IMG)

(IMG)

– To create the Security Policy, go to Policies > Security > click Add and set the information as follows:
– Tab General:

  • Name: Allow_Internet_Micheal
  • Rule Type: universal (default)



(IMG)

– Tab Source:

  • Source Zone: select LAN.



(IMG)


– Tab User:

  • Source User: select the two accounts testlab\administrator and testlab\michael.



(IMG)


– Tab Destination:

  • Destination Zone: select WAN



(IMG)



– Tab Application: select Any
(IMG)



– Tab Service/URL Category:

  • Service: Any
  • URL Category: Any



(IMG)



– Tab Action:

  • Action: Allow
  • Log Setting: Log at Session End
  • Click OK to save



(IMG)



– Commit the configuration, then return to the server and the client PC to check the results.
(IMG)

(IMG)
– As shown above, both devices can now reach the internet. In Monitor > Logs > Traffic, the Source User column shows which mapped user each session was matched to.
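The three mechanisms used in steps 3.4, 3.5 and 3.7 (IP-to-user mappings learned from the AD server's Security log, group membership read from LDAP, and a policy matched on Source User) modelled in plain Python. This is an added illustration, not code from the original article or from Palo Alto Networks. The event records, the directory snapshot, the evaluation time NOW, the group CN=helpdesk and the user anna are constructed sample data, and the group-based rule Allow_Internet_Support goes beyond the article's user-based rule to show how the group included in step 3.5 can be used in policy instead of naming accounts.

```python
"""Model of what User-ID does behind steps 3.4, 3.5 and 3.7 (added example, not PAN-OS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

DOMAIN_NETBIOS = "testlab"                 # short domain name as it appears in Source User
USER_ID_TIMEOUT = timedelta(minutes=120)   # Cache tab: User Identification Timeout (min)
NOW = datetime(2024, 5, 1, 9, 0, 0)        # constructed evaluation time for the sample events

# Constructed Security-log 4624 (successful logon) records; field names follow the event XML.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 08:00:00", "TargetDomainName": "TESTLAB", "TargetUserName": "michael",
     "IpAddress": "172.16.16.200"},
    {"time": "2024-05-01 08:00:05", "TargetDomainName": "TESTLAB", "TargetUserName": "WIN10-PC$",
     "IpAddress": "172.16.16.200"},                         # computer account: never mapped
    {"time": "2024-05-01 08:01:00", "TargetDomainName": "NT AUTHORITY", "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "172.16.16.50"},                          # no usable identity
    {"time": "2024-05-01 08:02:00", "TargetDomainName": "TESTLAB", "TargetUserName": "administrator",
     "IpAddress": "-"},                                     # console logon on the DC: no source IP
    {"time": "2024-05-01 08:03:00", "TargetDomainName": "TESTLAB", "TargetUserName": "administrator",
     "IpAddress": "172.16.16.100"},
    {"time": "2024-05-01 08:30:00", "TargetDomainName": "TESTLAB", "TargetUserName": "anna",
     "IpAddress": "172.16.16.201"},
    {"time": "2024-05-01 05:30:00", "TargetDomainName": "TESTLAB", "TargetUserName": "old.user",
     "IpAddress": "172.16.16.202"},                         # older than the timeout at NOW
]

# Constructed snapshot of what an LDAP search under DC=testlab,DC=com returns.
SAMPLE_DIRECTORY = {
    "CN=support,OU=IT,DC=testlab,DC=com": {"objectClass": ["group"],
        "member": ["CN=michael,OU=IT,DC=testlab,DC=com", "CN=helpdesk,OU=IT,DC=testlab,DC=com"]},
    "CN=helpdesk,OU=IT,DC=testlab,DC=com": {"objectClass": ["group"],   # nested group that also points back
        "member": ["CN=anna,OU=IT,DC=testlab,DC=com", "CN=support,OU=IT,DC=testlab,DC=com"]},
    "CN=michael,OU=IT,DC=testlab,DC=com": {"objectClass": ["person", "user"], "sAMAccountName": "michael"},
    "CN=anna,OU=IT,DC=testlab,DC=com": {"objectClass": ["person", "user"], "sAMAccountName": "anna"},
}


def normalize_user(domain, name):
    """'testlab\\michael' for a mappable logon; None for identities User-ID must not map."""
    if not name or name.endswith("$") or name.upper() == "ANONYMOUS LOGON" or domain.upper() in ("", "NT AUTHORITY"):
        return None
    return f"{domain.lower()}\\{name.lower()}"


def build_ip_user_map(events, now, timeout=USER_ID_TIMEOUT):
    """Latest non-expired logon per IP: the content of the firewall's ip-user cache (step 3.4)."""
    latest = {}
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if ip in ("-", "::1", "127.0.0.1"):
            continue
        user = normalize_user(ev["TargetDomainName"], ev["TargetUserName"])
        seen = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if user is None or now - seen > timeout:
            continue
        if ip not in latest or seen >= latest[ip][1]:
            latest[ip] = (user, seen)
    return {ip: user for ip, (user, _) in latest.items()}


def group_members(group_dn, directory, domain=DOMAIN_NETBIOS, _seen=None):
    """Users of a group in domain\\user form (step 3.5), following nested groups with cycle protection."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    users = set()
    for member_dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(member_dn, {})
        if "group" in entry.get("objectClass", []):        # Group Objects > Object Class: group
            users |= group_members(member_dn, directory, domain, _seen)
        elif "person" in entry.get("objectClass", []):     # User Objects > Object Class: person
            users.add(f"{domain}\\{entry['sAMAccountName'].lower()}")
    return users


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    source_users: set          # 'testlab\\user' entries and/or group DNs
    action: str = "allow"


def rule_users(rule, directory):
    """Expand the rule's Source User list: group DNs to their members, explicit users as written."""
    users = set()
    for entry in rule.source_users:
        users |= group_members(entry, directory) if entry.upper().startswith("CN=") else {entry.lower()}
    return users


def policy_decision(src_ip, from_zone, to_zone, rules, ip_user_map, directory):
    """First matching rule wins; an unmapped IP or an unmatched user hits the interzone default deny."""
    user = ip_user_map.get(src_ip)
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if user is not None and user in rule_users(rule, directory):
            return rule.action, rule.name, user
    return "deny", "interzone-default", user or "unknown"


if __name__ == "__main__":
    mapping = build_ip_user_map(SAMPLE_EVENTS, NOW)
    rules = [SecurityRule("Allow_Internet_Micheal", "LAN", "WAN", {"testlab\\administrator", "testlab\\michael"}),
             SecurityRule("Allow_Internet_Support", "LAN", "WAN", {"CN=support,OU=IT,DC=testlab,DC=com"})]
    for ip in ("172.16.16.200", "172.16.16.100", "172.16.16.201", "172.16.16.202", "172.16.16.50"):
        print(ip, policy_decision(ip, "LAN", "WAN", rules, mapping, SAMPLE_DIRECTORY))
```

Running the block prints the decision for each sample address: 172.16.16.200 is allowed as testlab\michael, the computer account, the ANONYMOUS LOGON and the console logon without a source IP are never mapped, the logon older than the 120-minute timeout has expired, and an address with no mapping falls to the default deny. A Source User written as a bare michael does not match the mapped testlab\michael, which is the behaviour the unticked Allow matching usernames without domains option in 3.4 gives.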

—Thank you for reading this article—​
