Palo Alto Networks - XML API

Overview

This document covers the API integration between the Nile Access Service and Palo Alto Networks (PAN) Next-Generation Firewalls (NGFW) to provide secure campus networks through dynamic and granular segmentation. The Nile Service Block (NSB) inside the Nile Access Service communicates with PAN-OS through XML API calls that give the NGFW mappings of client IP addresses to their 802.1X (dot1x) user identity and group. These dynamic exchanges let an organization apply granular segmentation policies that follow its security strategy.

Components required

- Nile Access Service
- PAN NGFW running PAN-OS version 9.1 or higher
- HTTPS (TCP port 443) connectivity from the NSB to the PAN firewall for API communication
- RADIUS server

Note: the tests conducted for this guide used PAN-OS 10.2.3-h4 and Aruba ClearPass. Although ClearPass is shown, any RADIUS server that can return the Filter-Id attribute will work.

Feature flow

1. A dot1x user authenticates to a Nile enterprise SSID.
2. The associated RADIUS server returns the user group in the 'Filter-Id' attribute (standard RADIUS attribute 11, referred to as a VSA in the headings below) together with the Access-Accept.
3. The NSB combines the username, the client's DHCP-assigned IP address and the user group, and sends the mapping to the PAN NGFW via the XML API.
4. The PAN firewall matches the group to a configured tag; a dynamic address group built on that tag feeds a security policy that implements the desired access control on the user's traffic.

The Filter-Id value must match the PAN-OS tag name exactly. If it does not, the client's IP address is still mapped to the user but belongs to no dynamic address group, so only rules that do not depend on the tag apply to it.

Required steps

1. Set up RADIUS to return the 'Filter-Id' VSA.
2. Set up the PAN NGFW to identify the information sent from the NSB.
3. Set up the Nile Access Service to communicate with the PAN NGFW.
4. Validate the integration.

Setting up RADIUS to return the 'Filter-Id' VSA

The screenshots below provide examples of the ClearPass enforcement profile and enforcement policy needed to return the 'Filter-Id' attribute. The value is derived from the Active Directory 'memberOf' attribute.

Screenshot: Enforcement profile
Screenshot: Enforcement policy

This guide shows ClearPass being used as the RADIUS server, but any RADIUS server can be used. Review the "RADIUS - Aruba ClearPass" document for the complete ClearPass Policy Manager setup.

Setting up the PAN NGFW to identify the information sent from the NSB

Administrator account

It is recommended to create a dedicated administrator account on the firewall whose only purpose is handling the XML API communication initiated by the NSB. Creating it takes two steps:

a. Create an admin role profile. The screenshot below shows an example profile named 'nile xml role'.
b. Add an administrator account and attach the admin role profile created in step a. The screenshot below shows an account named 'nile admin' attached to the 'nile xml role' profile.

New admin role:
- Navigate to Device > Admin Roles and click Add.
- Name: enter "nile xml role".
- Under the Web UI tab, disable all options.
- Under the XML API tab, disable all options except User-ID Agent.
- Click OK to complete the role addition.

New administrator:
- Navigate to Device > Administrators and click Add.
- Name: enter "nile admin".
- Password: enter a password and confirm it.
- Administrator Type: Role Based.
- Profile: select "nile xml role".
- Click OK to complete the account creation.

Because the role grants only the User-ID Agent permission on the XML API, an API key generated for this account can create and clear IP-to-user and IP-to-tag mappings but cannot read or change the firewall configuration. That limits the damage if the credentials held by the NSB are ever exposed.

Tags and address groups

Tags are identifiers used to build dynamic address groups, and PAN-OS uses those groups to form tag-based security policies. For the API integration to work, both tags and dynamic address groups are required. The staff and student groups below illustrate the process: the tags are matched against the user group information sent by the NSB, and the two tags are then used to configure two PAN-OS dynamic address groups, 'staff role' and 'student role'.

- Navigate to Objects > Tags and click Add. Add two tags named staff and student.
- Navigate to Objects > Address Groups and click Add. Add two address groups, 'staff role' and 'student role', of type Dynamic, with match criteria 'staff' and 'student' respectively.

Security policies

This guide assumes that the NSB is connected to the Palo Alto Networks firewall through two ports, both assigned to a newly created security zone called 'nsb'. To illustrate policies based on the dynamic address groups created above, two security policies are created: one allows all traffic matching the 'staff' tag, and one denies access to 'wargaming.net' and 'traceroute' for traffic matching the 'student' tag.

Loopback address

Since the NSB connects to the PAN firewall through two equal-cost multi-path (ECMP) interfaces, configure a loopback IP address that the NSB can use to reach the firewall no matter which interface the XML API traffic flows through. The loopback needs an interface management profile that permits HTTPS, otherwise the API is not reachable on it. An example loopback setting is shown in the screenshot below.

Setting up the Nile Access Service to communicate with the PAN NGFW

The following screenshots show how to accomplish this in the Nile portal:

- DHCP: set the DHCP server and subnets for the user groups.
- Authentication: set the RADIUS server parameters.
- Segments: map the DHCP server and authentication method to the user segment.
- Wireless: set up the SSID and attach the user segment(s).

Note: Nile recommends contacting a Nile operator for assistance with the backend setup. Before contacting a Nile operator, make sure an enterprise (dot1x) SSID has been created.

Validate the integration

The validation steps below show what to look for when confirming a successful dot1x authentication that returns the correct user group/tag through the 'Filter-Id' attribute from ClearPass Policy Manager.

RADIUS server

Validate that the RADIUS server has assigned the appropriate role with the correct 'Filter-Id'. In the example below, ClearPass assigned the correct role to 'staff1', returning the 'Filter-Id' attribute with the value 'staff'; a second validation for 'staff1' follows. Likewise, ClearPass assigned the correct role to 'student1', returning 'Filter-Id' with the value 'student'; a second validation for 'student1' follows.

Palo Alto Networks user mapping

Automatic correlation of IP address to User-ID: in the PAN management dashboard, validate that there is a correct mapping between IP address and user. The image below shows the users 'student1' and 'staff1' mapped to 172.16.14.14 and 172.16.14.15 respectively.

IP address to tag: in the PAN management dashboard, validate the mapping between IP addresses and tags. The image below shows each IP address mapped to its tag.

Traffic flow

In the PAN management dashboard, validate that the traffic logs show the expected flows. The image below demonstrates that the security policies enforced as intended: the traffic log shows 'wargaming.net' and 'traceroute' denied for the user 'student1' (172.16.14.14) while the same traffic was allowed for the user 'staff1' (172.16.14.15).
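The XML API exchange behind the feature flow, the dedicated 'nile admin' account and the validation steps above, written as an added example for this page rather than code from Nile or Palo Alto Networks. It assumes the documented PAN-OS XML API request types `keygen`, `user-id` and `op` at `https://<firewall>/api/`, and every hostname, credential and mapping in it is a constructed placeholder; the `staff1` and `student1` entries mirror the validation section. Scripting the same calls lets an operator reproduce what the NSB sends, push a test mapping and confirm the firewall's IP-to-user table without a client on the SSID.

```python
"""Added example (not Nile's or Palo Alto Networks' code): the PAN-OS XML API
calls behind the NSB-to-firewall flow, scripted so the exchange can be
reproduced or troubleshot.  Hostnames, credentials and mappings are
constructed placeholders."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample mappings mirroring the validation section: (user, ip, Filter-Id group)
SAMPLE_LOGINS = [("staff1", "172.16.14.15", "staff"), ("student1", "172.16.14.14", "student")]

# Constructed sample reply shaped like the ip-user-mapping op command output (not live data)
SAMPLE_MAPPING_RESPONSE = """<response status="success"><result>
<entry><ip>172.16.14.14</ip><vsys>vsys1</vsys><type>XMLAPI</type><user>student1</user></entry>
<entry><ip>172.16.14.15</ip><vsys>vsys1</vsys><type>XMLAPI</type><user>staff1</user></entry>
</result></response>"""


def build_uid_message(logins, action="login", timeout_min=60):
    """Build the <uid-message> for a list of (user, ip, group) tuples.

    'login' creates the IP-to-user mapping and registers the group as a tag on
    the IP, which is what the 'staff role'/'student role' dynamic address groups
    match on.  'logout' clears both and should be sent when the client leaves,
    so a reused DHCP lease does not inherit the previous user's tag.  The
    timeout (minutes) bounds how long a stale mapping survives a missed logout.
    """
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    users = ET.SubElement(payload, action)
    tags = ET.SubElement(payload, "register" if action == "login" else "unregister")
    for user, ip, group in logins:
        attrs = {"name": user, "ip": ip}
        if action == "login":
            attrs["timeout"] = str(timeout_min)
        ET.SubElement(users, "entry", attrs)
        tag = ET.SubElement(ET.SubElement(tags, "entry", ip=ip), "tag")
        ET.SubElement(tag, "member").text = group  # must equal the PAN-OS tag name exactly
    return ET.tostring(root, encoding="unicode")


def parse_api_response(xml_text):
    """Return (status, message text) from a PAN-OS API <response> element."""
    root = ET.fromstring(xml_text)
    return root.get("status"), " ".join(t.strip() for t in root.itertext() if t.strip())


def parse_ip_user_mapping(xml_text):
    """Parse 'show user ip-user-mapping all' output into {ip: (user, source)}.
    The source should read XMLAPI for entries pushed by the NSB."""
    mapping = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        ip, user = entry.findtext("ip"), entry.findtext("user")
        if ip and user:
            mapping[ip] = (user, entry.findtext("type") or "")
    return mapping


def _call(fw_host, params, timeout=10):
    """POST form-encoded params to https://<fw_host>/api/ and return the XML text.
    TLS verification stays on: put a certificate the NSB trusts on the loopback
    rather than disabling checks, since the API key travels in every request."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://{fw_host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=timeout) as resp:
        return resp.read().decode()


def get_api_key(fw_host, user, password):
    """type=keygen: the key is bound to this admin account, so with the
    'nile xml role' profile it can only drive User-ID, not read or change config."""
    root = ET.fromstring(_call(fw_host, {"type": "keygen", "user": user, "password": password}))
    key = root.findtext(".//key")
    if root.get("status") != "success" or not key:
        raise RuntimeError("keygen failed: " + (root.findtext(".//msg") or "no key in response"))
    return key


def push_mappings(fw_host, api_key, logins, action="login"):
    """type=user-id: send the mappings; returns (status, message)."""
    cmd = build_uid_message(logins, action=action)
    return parse_api_response(_call(fw_host, {"type": "user-id", "key": api_key, "cmd": cmd}))


def show_ip_user_mapping(fw_host, api_key):
    """type=op: fetch the same IP-to-user table the dashboard shows."""
    cmd = "<show><user><ip-user-mapping><all/></ip-user-mapping></user></show>"
    return parse_ip_user_mapping(_call(fw_host, {"type": "op", "key": api_key, "cmd": cmd}))


if __name__ == "__main__":
    # Offline demonstration; against a real firewall, call get_api_key(), push_mappings()
    # and show_ip_user_mapping() with the loopback address configured above.
    print(build_uid_message(SAMPLE_LOGINS))
    print(parse_ip_user_mapping(SAMPLE_MAPPING_RESPONSE))
```

Two points worth checking with this script during validation: every entry returned by the op command for a Nile client should carry source type XMLAPI (anything else means another User-ID source is competing for the same address), and a logout message should be pushed for a test user and the table re-read, since a mapping that outlives the client is what lets the next holder of that DHCP lease inherit the tag.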