Pulse Policy Secure
Palo Alto Networks Firewall Integration with Pulse Policy Secure – Comprehensive Context-Based Enforcement Deployment Guide
Product Release 5.3
Published October 2016
Document Version 2.0
Palo Alto Networks Firewall Integration with Pulse Policy Secure - Solution Guide
© 2016 by Pulse Secure, LLC. All rights reserved 2
Pulse Secure, LLC 2700 Zanker Road, Suite 200
San Jose, CA 95134 www.pulsesecure.net
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or
registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise
revise this publication without notice.
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is
subject to the terms and conditions of the End User License Agreement (“EULA”) posted at www.pulsesecure.net. By downloading, installing or using such software,
you agree to the terms and conditions of that EULA.
Palo Alto Networks, the Palo Alto Networks Logo, Palo Alto Networks Firewall, PAN-OS, User-ID, App-ID and Panorama are trademarks of Palo Alto Networks, Inc.
For additional information on Palo Alto Networks products, visit www.paloaltonetworks.com
Table of Contents
Introduction ........ 5
Customer Challenges ........ 5
Comprehensive Context-based Enforcement ........ 5
Pulse Policy Secure Configuration ........ 7
    Configuring Palo Alto Networks Firewall Enforcers ........ 7
    Configuring Auth Table Mapping Policies ........ 9
Palo Alto Networks Firewall Configuration ........ 11
    Configuring User Identification on Security Zones ........ 11
    Configuring Dynamic Address Groups ........ 13
    Configuring Security Policies ........ 14
Troubleshooting ........ 16
Unsupported Features ........ 16
Table of Figures
Figure 1: User Flow System Graphics ........ 6
Figure 2: Infranet Enforcer ........ 7
Figure 3: Palo Alto Networks Firewall ........ 8
Figure 4: API Key ........ 8
Figure 5: Auth Table Mapping Policy ........ 9
Figure 6: Palo Alto Networks Firewall Configuration ........ 10
Figure 7: Enabling User Identification on a Zone ........ 12
Figure 8: Address Groups ........ 13
Figure 9: Security Policy Rule - Source Address Configuration ........ 14
Figure 10: Security Policy Rule - User Configuration ........ 15
Figure 11: Completed Security Policy Rule ........ 15
Introduction
Pulse Policy Secure, an industry-recognized network access control (NAC) solution, offers easy-to-use,
BYOD-ready, context-aware secure access to protect the network, core assets, applications, data, and more. Pulse
Policy Secure authenticates users, ensures that endpoints meet security policies, and then dynamically updates the
enforcement point (such as a firewall or switch) with the resulting user session information, including user
identity, IP address, and role.
Pulse Policy Secure version 5.3 integrates with the industry-leading next-generation firewall vendor Palo Alto
Networks to provide enhanced identity-enabled enforcement for BYOD and guests as well as enterprise
employees, with rich back-end authentication and comprehensive compliance checks. This document focuses on
how to deploy the integration of Pulse Policy Secure with Palo Alto Networks next-generation firewall.
Customer Challenges
BYOD proliferation is challenging IT's ability to deliver enterprise-grade security, manageability, and
interoperability. IT departments need complete visibility of all devices, whether managed or unmanaged, that are
accessing enterprise data and protected resources. Increasing use of mobile devices and BYOD policies require
uniform compliance enforcement for PCs and mobile devices regardless of ownership.
In a Palo Alto Networks firewall-enabled network, enterprises need to control access for BYOD and guest users.
Correlation of user identity information and application of granular role-based security policies are essential for
BYOD. To minimize security risk, Enterprise IT also requires device compliance checks for BYOD devices.
Comprehensive Context-based Enforcement
Palo Alto Networks' next-generation firewall has a feature called User Identification (User-ID) that lets policies
and reports be written in terms of users and groups rather than individual IP addresses.
To enforce user- and group-based policies, the firewall must be able to map the source IP address of the packets it
receives to user information. User-ID provides several mechanisms for learning these IP-address-to-username
mappings. One of them is the User-ID XML API, an HTTP-based API that accepts XML messages over standard HTTP
requests. Pulse Policy Secure uses the User-ID XML API to send IP-to-user and IP-to-group (role) mapping
information to the Palo Alto Networks firewall.
The role names are delivered to the firewall as tags registered against the endpoint's IP address. The firewall
uses those tags to populate dynamic address groups, and a security rule whose source is such a group matches the
endpoint only while the tag for that role is registered. If the role name matches the group's tag filter, traffic is
allowed or denied according to the rule's action.
When a user logs in, Pulse Policy Secure provisions their user ID, IP address of the endpoint, and role information
to the Palo Alto Networks firewall; that enables firewall policies based on any of these attributes to be enforced.
Similarly, when a user logs out, the user ID, IP address of the endpoint, and role information is removed from the
firewall. More importantly, when a user's role changes, the new role information is pushed to the firewall
dynamically, so the endpoint's access immediately follows whichever policy matches its new roles.
Note: No persistent connection is maintained between Pulse Policy Secure and the Palo Alto Networks firewall, and no keep-alives are sent. Pulse Policy Secure opens an HTTP connection to the firewall whenever it has an update to deliver and closes it once the request has been served.
Figure 1: User Flow System Graphics
With Palo Alto Networks firewall integration, every role change, including one triggered by a failed compliance
check or by unauthorized behavior, is pushed to the firewall dynamically. Access is therefore based on user role,
not merely on source IP address.
Pulse Policy Secure is the policy decision point that determines which users and endpoints can access protected
resources. Palo Alto Networks firewalls serve as the policy enforcement points to provide the ultimate protection
to ensure that network assets are secured.
Palo Alto Networks integration with Pulse Policy Secure leverages dynamic role information provisioned to the
firewall upon user session establishment and for the duration of the session. Pulse Policy Secure also
communicates user information to the Palo Alto Networks firewall when users log in or log out from their device.
Palo Alto Networks firewall integration with Pulse Policy Secure enables customers to achieve a stronger security
posture with unified access policies that extend from NAC/BYOD systems to their perimeter defenses. The
integration allows Palo Alto Networks’ customers to leverage Pulse Policy Secure’s extensive compliance options
and rich back-end AAA integration to implement stronger security.
Pulse Policy Secure Configuration
The Pulse Policy Secure configuration requires defining a new Palo Alto Networks Firewall Infranet Enforcer
instance on Pulse Policy Secure and then fetching the API key from the firewall. Pulse Policy Secure presents this
key on every XML API request it makes to the firewall. The standard user authentication and authorization
configuration, such as Auth Table Mapping Policies, must also be created and associated with the required roles.
Configuring Pulse Policy Secure with Palo Alto Networks Firewall Enforcer
To configure a Palo Alto Networks Firewall Infranet Enforcer in Pulse Policy Secure:
1. Select Endpoint Policy > Infranet Enforcer.
Figure 2: Infranet Enforcer
2. Click New Infranet Enforcer and select Palo Alto Networks Firewall in the Platform drop down.
Figure 3: Palo Alto Networks Firewall
3. Enter the Name and IP Address of the Palo Alto Networks firewall and then click Get API Key which opens a
new page.
Figure 4: API Key
4. Enter the Admin Username and Admin Password of the Palo Alto Networks firewall and then click Retrieve.
This lets Pulse Policy Secure fetch the firewall's API key for that administrator account. Once the API key is
retrieved, the page automatically redirects back to the New Infranet Enforcer page shown in Figure 3 and
populates the API Key field.
5. Click Save Changes.
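The two firewall-facing exchanges described above, the "Get API Key" step (PAN-OS `type=keygen`) and the User-ID XML API update messages that carry the IP-to-user and IP-to-role mappings, are shown below as an added example. This is not Pulse Secure or Palo Alto Networks code; it builds and parses the messages in the documented PAN-OS User-ID XML format. The host name, user names, IP addresses, role names and the mapping timeout value are made up, and the representation of a role change as an unregister of the old tags followed by a register of the new ones is an assumption about what Pulse Policy Secure sends.

```python
"""User-ID XML API messages as exchanged between a policy server such as
Pulse Policy Secure and a Palo Alto Networks firewall.

Added example (not Pulse Secure or Palo Alto Networks code). Hosts, user
names, IP addresses, role names and the timeout value are made up.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumption: mapping lifetime (minutes) sent with each login entry. The guide
# does not state what Pulse Policy Secure uses, so this value is illustrative.
DEFAULT_TIMEOUT_MIN = 60


def build_uid_message(logins=(), logouts=(), register=(), unregister=(),
                      timeout_min=DEFAULT_TIMEOUT_MIN):
    """Serialise one <uid-message>. logins/logouts hold (user, ip) pairs;
    register/unregister hold (ip, [tag, ...]) pairs. The tags are the role
    names that the firewall's dynamic address groups match on."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        node = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(node, "entry", name=user, ip=ip, timeout=str(timeout_min))
    if logouts:
        node = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(node, "entry", name=user, ip=ip)
    for section, items in (("register", register), ("unregister", unregister)):
        if not items:
            continue
        node = ET.SubElement(payload, section)
        for ip, tags in items:
            tag = ET.SubElement(ET.SubElement(node, "entry", ip=ip), "tag")
            for t in tags:
                ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def session_login(user, ip, roles):
    """Message sent when a user session is established: user mapping + role tags."""
    return build_uid_message(logins=[(user, ip)], register=[(ip, roles)])


def session_logout(user, ip, roles):
    """Message sent at logout: remove the mapping and the role tags together."""
    return build_uid_message(logouts=[(user, ip)], unregister=[(ip, roles)])


def role_change(ip, old_roles, new_roles):
    """Assumption: a role change is expressed as unregister-old / register-new."""
    return build_uid_message(unregister=[(ip, old_roles)], register=[(ip, new_roles)])


def summarize_uid_message(xml_text):
    """Parse a <uid-message> (for example one captured on the wire) into plain data."""
    root = ET.fromstring(xml_text)
    out = {"login": [], "logout": [], "register": [], "unregister": []}
    for e in root.iterfind("./payload/login/entry"):
        out["login"].append((e.get("name"), e.get("ip")))
    for e in root.iterfind("./payload/logout/entry"):
        out["logout"].append((e.get("name"), e.get("ip")))
    for section in ("register", "unregister"):
        for e in root.iterfind(f"./payload/{section}/entry"):
            out[section].append((e.get("ip"), [m.text for m in e.iterfind("./tag/member")]))
    return out


def parse_api_response(xml_text):
    """Raise on a non-success PAN-OS API response, otherwise return the root element."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: {xml_text.strip()}")
    return root


def parse_keygen_response(xml_text):
    """The 'Get API Key' step: type=keygen answers <result><key>...</key></result>."""
    key = parse_api_response(xml_text).findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response carried no key")
    return key


def send_user_id_update(firewall, api_key, uid_xml, verify_tls=True):
    """POST one uid-message to the firewall. Not called in this example; it
    needs a reachable firewall and a key obtained with parse_keygen_response."""
    url = f"https://{firewall}/api/?" + urlencode({"type": "user-id", "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: management interface with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=urlencode({"cmd": uid_xml}).encode())
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_api_response(resp.read().decode())
```

Two operational points follow from the key exchange. The API key is a bearer credential: whoever holds it can push or erase User-ID mappings, so treat the Pulse Policy Secure configuration backup as sensitive, and have the Retrieve step authenticate as a dedicated firewall administrator account rather than a shared superuser account, since the key inherits that account's privileges. When retrieving a key by hand, send the keygen request as a POST so the administrator password does not appear in the request URL and in any proxy or web-server logs.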
Configuring Auth Table Mapping Policies
Pulse Policy Secure's default configuration includes one default auth table mapping policy. When the default auth
table mapping policy is enabled, Pulse Policy Secure pushes one auth table entry for each authenticated user to all
Palo Alto Networks firewalls configured as Infranet Enforcers. An auth table entry consists of the user's name, a set
of roles, and the IP address of the wired, wireless, or virtual adapter. If your deployment includes both low- and
high-capacity Palo Alto Networks Firewall Enforcers, the lower-capacity firewalls might reach their limit of
concurrent auth table entries and prevent additional users from accessing protected resources.
To configure an Auth Table Mapping Policy:
1. Select Endpoint Policy > Infranet Enforcer > Auth Table Mapping.
Figure 5: Auth Table Mapping Policy
2. Click New Policy.
Figure 6: Palo Alto Networks Firewall Configuration
3. On the New Policy page:
3.1. For Name, enter a name to label the auth table mapping policy.
3.2. (Optional) For Description, enter a description.
3.3. In the Enforcer section, specify the Infranet Enforcer firewall(s) to which you want to apply the auth table
mapping policy.
3.4. In the Roles section, specify:
Policy applies to ALL roles—Select this option to apply the auth table mapping policy to all users.
Policy applies to SELECTED roles—Select this option to apply the auth table mapping policy only
to users who are mapped to roles in the SELECTED roles list. You must add roles to this list from
the available roles list.
Policy applies to all roles OTHER THAN those selected below—Select this option to apply the auth
table mapping policy to all users except for those who map to the roles in the SELECTED roles list.
You must add roles to this list from the available roles list.
3.5. In the Action section, specify auth table mapping rules for the specified Infranet Enforcer.
Always Provision Auth Table—Select this option to automatically provision auth table entries for
chosen roles on the specified Infranet Enforcer.
Provision Auth Table as Needed—Select this option to provision auth table entries only when a
user with a chosen role attempts to access a resource behind the specified Infranet Enforcer. This
option is not supported on Palo Alto Networks Firewall Enforcers.
Never Provision Auth Table—Select this option to prevent chosen roles from accessing resources
behind the specified Infranet Enforcer.
4. If you configure any auth table mapping policies of your own, delete the Default Policy. Pulse Policy Secure's default configuration includes this policy, which allows all source IP endpoints to use all Infranet Enforcers, so leaving it in place would override the narrower policies you created.
5. Click Save Changes.
Note:
Dynamic Auth Table Allocation - Not supported with Palo Alto Networks Firewall Enforcers; auth table entries are
always provisioned on the Palo Alto Networks firewall.
Auth Table Timeout - Not applicable; the user information stays provisioned on the Palo Alto Networks Firewall
Enforcer for the duration of the session.
Configuring Palo Alto Networks Firewall
To use User-ID enforcement, you create security policies on the Palo Alto Networks firewall that allow traffic from
the endpoint to protected resources.
Note: Provisioning of Resource Access Policies from Pulse Policy Secure to the Palo Alto Networks Firewall Enforcer is not supported. You must configure the required security policies on the firewall.
The Palo Alto Networks firewall matches traffic from an endpoint against its security policy using the endpoint's
auth table entry: it determines the role(s) associated with that user, and allows or denies the traffic based on
the action configured in the matching security rule.
The configuration on the Palo Alto Networks firewall includes creation of security zones, association of interfaces
to security zones, configuration of dynamic address groups, and association of dynamic address groups to security
policies.
Configuring User Identification on Security Zones
To enable User-ID enforcement, you must enable User Identification on both the inbound and the outbound zones
traversed by the end-user traffic.
To enable User Identification:
1. On the Palo Alto Networks firewall, select Network > Zones.
2. For each zone that serves as an inbound or outbound zone for enforced traffic, click the zone name (For
example, trust, untrust, and so on).
3. Select Enable User Identification and then click OK.
Figure 7: Enabling User Identification on a Zone
Configuring Dynamic Address Groups
To configure a dynamic address group:
1. On the Palo Alto Networks firewall, select Objects > Address Groups.
Figure 8: Address Groups
2. Click Add and enter a Name and a Description for the address group.
3. Select Type as Dynamic. Define the match criteria. You can select dynamic and static tags as the match criteria
to populate the members of the group.
4. In the Match section, enter the Pulse Policy Secure role name as the tag to match. The name must exactly match
the role configured in Pulse Policy Secure, because the firewall fills the group with the IP addresses against
which Pulse Policy Secure has registered that role name as a tag.
5. Click OK.
Note: Dynamic Discovery of users and their roles is not supported on Palo Alto Networks firewall.
Configuring Security Policies
To configure security policies associated with dynamic address groups:
1. On the Palo Alto Networks firewall, select Policies > Security.
2. Click Add to create a new security policy rule. In the Source Address tab, select the previously-configured
address group.
Figure 9: Security Policy Rule - Source Address Configuration
3. In the User tab, enable known-user.
Figure 10: Security Policy Rule - User Configuration
Note: When known-user is selected, resource access is revoked as soon as the user disconnects from Pulse Policy Secure, because the logout removes the user's IP-to-user mapping and a rule that requires a known user no longer matches the endpoint.
4. Configure the other options to meet your security requirements. Traffic from the endpoint is allowed or
blocked based on the action chosen under the Action tab.
5. Click Commit to complete the configuration.
Figure 11: Completed Security Policy Rule
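How the dynamic address group and the known-user setting combine at enforcement time, and what happens on role change and logout, is shown below as an added example. It is a deliberately small model written for this guide, not Palo Alto Networks or Pulse Secure code: the real firewall also evaluates application, service and other rule fields, and the zone, rule, user, IP address and role names are made up. The mapping timeout is an assumption (the guide does not state the value Pulse Policy Secure sends), and in this model registered tags never age out while IP-to-user mappings do. The last two scenarios exercise the case the note above and the earlier note about the absence of keep-alives imply: a logout that never reaches the firewall.

```python
"""Model of a Palo Alto Networks security rule that uses a dynamic address
group (DAG) plus source-user known-user, driven by the login/logout/role
change events Pulse Policy Secure pushes. Added example, not product code.
Zones, rule names, users, IPs, role names and the timeout are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TIMEOUT_MIN = 60  # assumption: mapping lifetime sent with each login


@dataclass
class FirewallState:
    """The two tables the troubleshooting commands display: the ip-user
    mapping (from <login>/<logout>) and the registered tags per IP (from
    <register>/<unregister>)."""
    ip_user: dict = field(default_factory=dict)     # ip -> (user, expiry)
    registered: dict = field(default_factory=dict)  # ip -> set of tags

    def login(self, user, ip, now, timeout_min):
        self.ip_user[ip] = (user, now + timeout_min * 60)

    def logout(self, ip):
        self.ip_user.pop(ip, None)

    def register(self, ip, tags):
        self.registered.setdefault(ip, set()).update(tags)

    def unregister(self, ip, tags):
        left = self.registered.get(ip, set()) - set(tags)
        if left:
            self.registered[ip] = left
        else:
            self.registered.pop(ip, None)

    def user_for(self, ip, now):
        """Return the mapped user, ageing out an expired mapping on the way."""
        rec = self.ip_user.get(ip)
        if rec is None:
            return None
        user, expires = rec
        if now >= expires:
            del self.ip_user[ip]
            return None
        return user


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    dag_tag: Optional[str]   # tag the source dynamic address group matches on
    known_user: bool         # 'known-user' selected on the rule's User tab
    action: str


def rule_matches(rule, fw, pkt, now):
    if (pkt["from_zone"], pkt["to_zone"]) != (rule.from_zone, rule.to_zone):
        return False
    if rule.dag_tag is not None and rule.dag_tag not in fw.registered.get(pkt["src"], ()):
        return False  # endpoint is not a member of the source address group
    if rule.known_user and fw.user_for(pkt["src"], now) is None:
        return False  # no IP-to-user mapping, so 'known-user' does not match
    return True


def evaluate(rules, fw, pkt, now):
    """First matching rule wins; otherwise the implicit interzone deny applies."""
    for rule in rules:
        if rule_matches(rule, fw, pkt, now):
            return rule.name, rule.action
    return "interzone-default", "deny"


def walkthrough(known_user=True, timeout_min=DEFAULT_TIMEOUT_MIN):
    """Replay one session's life cycle and record the decision at each point."""
    rules = [
        Rule("Employees-to-DC", "trust", "dc", "Employees", known_user, "allow"),
        Rule("Quarantine-to-Remediation", "trust", "remediation", "Quarantine", known_user, "allow"),
    ]
    fw = FirewallState()
    ip, user = "10.1.20.5", "corp\\alice"
    to_dc = {"src": ip, "from_zone": "trust", "to_zone": "dc"}
    to_rem = {"src": ip, "from_zone": "trust", "to_zone": "remediation"}
    out = {}
    out["before login"] = evaluate(rules, fw, to_dc, now=0)
    fw.login(user, ip, now=0, timeout_min=timeout_min)   # <login> entry
    fw.register(ip, ["Employees"])                        # <register> role tag
    out["after login"] = evaluate(rules, fw, to_dc, now=1)
    # Compliance check fails: Pulse Policy Secure moves the session to Quarantine.
    fw.unregister(ip, ["Employees"])
    fw.register(ip, ["Quarantine"])
    out["quarantined, to dc"] = evaluate(rules, fw, to_dc, now=2)
    out["quarantined, to remediation"] = evaluate(rules, fw, to_rem, now=2)
    # Clean logout: mapping and tags are removed in the same message.
    fw.logout(ip)
    fw.unregister(ip, ["Quarantine"])
    out["after logout"] = evaluate(rules, fw, to_rem, now=3)
    # Lost logout (no persistent connection, no keep-alives): only the mapping
    # ages out; the registered tag stays until something unregisters it.
    fw.login(user, ip, now=10, timeout_min=timeout_min)
    fw.register(ip, ["Employees"])
    out["lost logout, before timeout"] = evaluate(rules, fw, to_dc, now=10 + timeout_min * 60 - 1)
    out["lost logout, after timeout"] = evaluate(rules, fw, to_dc, now=10 + timeout_min * 60)
    return out
```

Running `walkthrough(known_user=True)` gives allow only while both the role tag and the user mapping are present; after the mapping times out the endpoint falls to the interzone deny even though its tag is still registered. Running `walkthrough(known_user=False)` differs in exactly one place: a stale tag keeps allowing traffic indefinitely after a lost logout. That is the reason to select known-user in step 3 rather than relying on the address group alone, and the reason to check the firewall's mapping and registered-address tables (see Troubleshooting) when Pulse Policy Secure and the firewall have been unable to communicate.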
Troubleshooting
You can use the Event Log and the User Access Log on Pulse Policy Secure to troubleshoot end-user access issues,
including failed API calls to the firewall.
You can use the following CLI commands on the Palo Alto Networks firewall for troubleshooting:
• show user ip-user-mapping all — Displays the table of user identities mapped to IP addresses, including the
source that created each mapping and its remaining timeout.
• show object registered-address all — Displays the table of IP addresses with their registered tags, that is, the
members of the dynamic address groups. On newer PAN-OS releases this command is show object registered-ip all.
Please see the product documentation for detailed information on these features.
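Because no persistent connection exists between the two products, the firewall's mapping table and Pulse Policy Secure's session table can drift apart after a failed login or logout push. The following added example (not Pulse Secure or Palo Alto Networks code) parses the output of `show user ip-user-mapping all` and reconciles it against the sessions the policy server believes are active. The sample CLI output and the session list are constructed for the example; real column names and widths vary by PAN-OS release, so the parser keys on the header line rather than on fixed offsets, and the `XMLAPI` source label is an assumption about how the firewall marks mappings learned through the XML API.

```python
"""Reconcile the firewall's IP-to-user mapping with the policy server's
sessions. Added example, not Pulse Secure or Palo Alto Networks code.

SAMPLE_OUTPUT is constructed to resemble 'show user ip-user-mapping all';
the sessions dict in reconcile_sample() is also made up.
"""

SAMPLE_OUTPUT = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
10.1.20.5       vsys1  XMLAPI  corp\\alice            2400           2400
10.1.20.9       vsys1  XMLAPI  corp\\bob              60             60
10.1.30.2       vsys1  AD      corp\\carol            1800           1800
Total: 3 users
"""


def parse_ip_user_mapping(text):
    """Return one dict per mapping row, keyed by the column names in the header."""
    rows, header = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("---") or tokens[0] == "Total:":
            continue
        if header is None:
            if tokens[0] == "IP" and "User" in tokens:
                header = tokens
            continue
        if len(tokens) == len(header):
            rows.append(dict(zip(header, tokens)))
    return rows


def reconcile(fw_rows, pps_sessions, source="XMLAPI"):
    """Compare the mappings the policy server should own (From == source)
    with its active sessions {ip: user}. Mappings learned another way (for
    example from the AD agent) are not the policy server's to reconcile."""
    fw = {r["IP"]: r["User"] for r in fw_rows if r.get("From") == source}
    stale = {ip: u for ip, u in fw.items() if ip not in pps_sessions}
    missing = {ip: u for ip, u in pps_sessions.items() if ip not in fw}
    mismatched = {ip: (fw[ip], u) for ip, u in pps_sessions.items()
                  if ip in fw and fw[ip] != u}
    return {"stale": stale, "missing": missing, "mismatched": mismatched}


def reconcile_sample():
    # Constructed policy-server view: alice is still logged in, bob has logged
    # out (the logout never reached the firewall), dave's login never arrived.
    sessions = {"10.1.20.5": "corp\\alice", "10.1.40.7": "corp\\dave"}
    return reconcile(parse_ip_user_mapping(SAMPLE_OUTPUT), sessions)
```

A stale entry is a user who is gone from Pulse Policy Secure but still mapped on the firewall; until its timeout expires, any rule that does not also depend on a registered tag being removed will keep matching that IP address. A missing entry is a live session the firewall never learned about, which shows up to the user as a denied connection. Both cases point at a failed API push, so the Pulse Policy Secure Event Log is the next place to look. A mismatch means the same IP address carries different users on the two sides, which is worth investigating as possible address reuse.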
Unsupported Features
Pulse Policy Secure offers a wide range of features when integrating with Infranet Enforcers from multiple firewall
vendors. Infranet Enforcer features that are not supported with the Palo Alto Networks Firewall Enforcer in Pulse
Policy Secure 5.3 include:
• Captive Portal
• IPsec Enforcement
• IDP Sensors
• Virtual Systems
• Dynamic Auth Table Allocation
• Enforcement for endpoints behind Network Address Translation (NAT)
• Federated access across multiple policy servers / firewall enforcers
• Federated single sign-on for Pulse Connect Secure tunneled traffic