

In my previous post, we covered the initial setup of GlobalProtect, which included a portal, an external gateway, and user authentication against the local database. In this post, we are going to configure multiple external authentication types as well as add an internal gateway. You can see a diagram of the environment here.

The value of adding an internal gateway is that when users are on the local network, user-to-IP address mappings are supplied to the firewall along with device context. This data can then be used as security policy match conditions, allowing for much more granular, identity-based visibility and enforcement.

External authentication types are recommended for a production environment. In this case, we are going to configure the deployment to use LDAP authentication for the portal, MFA via RADIUS (AD credentials plus Duo) for the external gateway, and LDAP authentication for the internal gateway. This provides the best possible user experience when users are internal, while enforcing an additional factor of authentication when users are remote.

Note - This post assumes that you have already followed the previous post in this series. It also assumes that you already have a domain controller in your environment (I am running Windows Server 2012 R2) with the Duo Authentication Proxy installed and running. For details on the Duo integration, see this post.

Navigate to Device -> Server Profiles and create the following (an LDAP server profile pointing at the domain controller, and a RADIUS server profile pointing at the Duo Authentication Proxy):

Note - Best practices dictate that a dedicated service account be used for integrating your domain controller with Palo Alto Networks. The LDAP bind account only needs read access to the directory, so do not reuse an administrative account for it.

Navigate to Device -> Certificate Management -> Certificates -> Generate.

Note - As you already created a GlobalProtect certificate in the previous post, you will be creating a new one that both the external and internal gateways can reference. The previous certificate contains a common name that refers to the IP address of the portal and external gateway, so it will not match the address internal clients use to reach the internal gateway.
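The configuration described above, written out as PAN-OS configuration-mode CLI so the pieces and their relationships are visible in one place. This is an added example and not from the original post or Palo Alto Networks' documentation: the profile names, addresses, domain, service account and secrets are placeholders, the syntax is PAN-OS 8.x as I know it and should be confirmed with tab completion on your version (on a multi-vsys firewall the objects live under the vsys rather than under "shared"), and the lines beginning with "#" are commentary, not CLI input.

```text
# Added example, not part of the original post. Names, addresses, the domain
# "corp.example.com" and the secrets are placeholders; substitute your own.
# Enter configuration mode first with "configure".

# 1. LDAP server profile: the domain controller, bound with the dedicated
#    read-only service account over LDAPS (636) with certificate verification.
set shared server-profile ldap LDAP-Corp-DC ldap-type active-directory
set shared server-profile ldap LDAP-Corp-DC server DC01 address 10.10.1.10 port 636
set shared server-profile ldap LDAP-Corp-DC base "DC=corp,DC=example,DC=com"
set shared server-profile ldap LDAP-Corp-DC bind-dn "CN=svc-panos-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
set shared server-profile ldap LDAP-Corp-DC bind-password <redacted>
set shared server-profile ldap LDAP-Corp-DC ssl yes
set shared server-profile ldap LDAP-Corp-DC verify-server-certificate yes
# verify-server-certificate only works if the CA that issued the DC's
# certificate has been imported under Device -> Certificate Management.

# 2. RADIUS server profile: the Duo Authentication Proxy on the domain controller.
#    The proxy validates the AD password and then waits for the user to approve
#    the second factor, so the RADIUS timeout must be long enough for that; the
#    default of a few seconds would time out every push before it is answered.
set shared server-profile radius RADIUS-Duo server DC01-DuoProxy ip-address 10.10.1.10 port 1812
set shared server-profile radius RADIUS-Duo server DC01-DuoProxy secret <redacted>
set shared server-profile radius RADIUS-Duo timeout 60
set shared server-profile radius RADIUS-Duo retries 1
set shared server-profile radius RADIUS-Duo protocol PAP

# 3. Authentication profiles. The portal and the internal gateway reference
#    Auth-LDAP; the external gateway references Auth-RADIUS-Duo.
set shared authentication-profile Auth-LDAP method ldap server-profile LDAP-Corp-DC
set shared authentication-profile Auth-LDAP method ldap login-attribute sAMAccountName
set shared authentication-profile Auth-LDAP user-domain corp
set shared authentication-profile Auth-LDAP allow-list all

set shared authentication-profile Auth-RADIUS-Duo method radius server-profile RADIUS-Duo
set shared authentication-profile Auth-RADIUS-Duo user-domain corp
set shared authentication-profile Auth-RADIUS-Duo allow-list all

commit

# 4. Check each profile from operational mode (PAN-OS 8.0 and later) before
#    binding it to the portal and gateways; you are prompted for the password,
#    and the RADIUS test should trigger a Duo prompt on the test user's device.
test authentication authentication-profile Auth-LDAP username jdoe password
test authentication authentication-profile Auth-RADIUS-Duo username jdoe password
```

The split between the two authentication profiles is the whole point of the design: a user who can already reach the internal gateway is on the local network and gets single-factor LDAP, while the external gateway, reachable from anywhere, is the only place that accepts an AD password without a second factor being completed by the Duo proxy. Keep the RADIUS shared secret and the LDAP bind password out of any exported configuration you share, and restrict RADIUS traffic between the firewall and the proxy to the management or dedicated interface you expect it on.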
ATTENTION: Please visit the Palo Alto Networks Live site for the latest version of this post.
