[Notes] Aruba Controller & Palo Alto User-ID Integration

Pre-configurations on the Palo Alto Networks Firewall

1. Create New Device Admin Account (For Aruba)

A Device Admin account must be created on the Palo Alto Networks firewall so that the controller can send data to it.
The built-in admin account could be used for this purpose, but that is not recommended.
It is better to create a new admin account used solely for communication between the controller and the Palo Alto firewall.

Aruba Controller Configuration on AOS 6.4

1. Creating the Server Profile for Palo Alto Network on the Controller

To configure a new Palo Alto Networks profile:

  1. Navigate to Configuration > Advanced Services > All Profiles > Other Profiles > Palo Alto Networks Servers
  2. Type the name of the profile and click Add
  3. Click on the name of the profile created to open the Profile Details window
  4. Enter the Host (IP address or hostname) of the Palo Alto Networks firewall
  5. Enter the Port (1 – 65535) of the Palo Alto Networks Firewall
    Note: The port used by default is 443
  6. Enter the Username of the Palo Alto Networks firewall.
    The user name is between 1 and 255 bytes in length and must match the Admin Account previously created on the Palo Alto Networks firewall.
    Note: Refer to section 3.3
  7. Enter the Password of the username in Palo Alto Networks Firewall. The password is between 6 and 100 bytes in length and must match the password of the Admin account previously created on the Palo Alto Networks firewall.
  8. Re-enter the Password entered in the previous step
  9. Click Add
  10. Click Apply

2. Activating the Palo Alto Networks profile

To apply a Palo Alto Networks Server profile on the local controller, complete the following steps:

  1. Navigate to Configuration > Advanced Services > All Profiles > Other Profiles > Palo Alto Networks Active.
  2. Select Active Palo Alto Networks. To the right of this link, the name of the active profile is displayed.
  3. Other configured profiles can be selected from the Active Palo Alto Networks Profile drop-down menu.
    To configure a new profile, select NEW from the drop down menu and complete the configuration details.
  4. Once a profile is selected from the drop-down menu or a new profile is created, click Apply.

3. Enabling the Palo Alto Networks Firewall Integration

To enable a Palo Alto Networks firewall integration in the AAA profile:

  1. Navigate to Configuration > Security > Authentication > AAA Profiles page
  2. In the AAA Profiles Summary, select the desired profile
  3. Check the PAN firewalls Integration check box
  4. Click Apply

Troubleshooting

Q1. Timeout / ping fails

(Aruba7210) #ping <pa_ip_addr>

Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to <pa_ip_addr>, timeout is 2 seconds:
.....
(Aruba7210) #show pan state 

Palo Alto Networks Servers Connection State[PA5220]
---------------------------------------------------
Firewall State
-------- -----
<pa_ip_addr>:443 DOWN[10/08/18 14:29:42]
(Aruba7210) # show log system all | include |pan|

Oct 8 14:39:27 :309109: <WARN> |extifmgr| |pan| Session to PAN server [https://<pa_ip_addr>:443/api/] Failed - code:1004[Timeout was reached(28)]

Check whether the PA permits the controller's IP address to access the management interface:

Device > Setup > Interfaces > Management > Add Permitted IP Addresses

Q2. Certificate problem

(Aruba7210) # show log system all | include |pan|

Oct 8 15:19:20 :309109: <WARN> |extifmgr| |pan| Session to PAN server [https://<pa_ip_addr>:443/api/] Failed - code:1003[Peer certificate cannot be authenticated with given CA certificates(60)]

Export the certificate from the PA and import it into the Aruba Controller

Palo Alto:
Device > Certificate Management > Certificate > Export Certificate

Export Certificate
File Format: Base64 Encoded Certificate (PEM)

Aruba Controller:
Configuration > Management > Certificates > Upload

Upload a Certificate
Certificate Format: PEM
Certificate Type: Trusted CA

If the certificate error persists after trusting the CA, try the following:

Regenerate the self-signed certificate on the Palo Alto
Generate a Self-signed Root CA Certificate

  1. Select Device > Certificate Management > Certificates > Device Certificates.
  2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  3. Click Generate.
  4. Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
  5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
  7. Leave the Signed By field blank to designate the certificate as self-signed.
  8. (Required) Select the Certificate Authority check box.
  9. Leave the OCSP Responder field blank; revocation status verification doesn’t apply to root CA certificates.
  10. Click Generate and Commit.

Replace the Palo Alto management-traffic (HTTPS) certificate
Replace the Certificate for Inbound Management Traffic

  1. Configure an SSL/TLS Service Profile.
Select Device > Certificate Management > SSL/TLS Service Profile > 
Add > Select the Certificate you just obtained
Protocol Min Version: TLSv1.1
  2. Apply the SSL/TLS Service Profile to inbound management traffic.
Select Device > Setup > Management and edit the General Settings.
Select the SSL/TLS Service Profile you just configured.
Click OK and Commit.

Re-export the newly generated certificate to the Aruba Controller and test again

(Aruba7210) #show pan state 

Palo Alto Networks Servers Connection State[PA5220]
---------------------------------------------------
Firewall State
-------- -----
<pa_ip_addr>:443 UP[10/08/18 16:42:21]Established
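
The two failure signatures in this troubleshooting section (the timeout under Q1 and the CA failure under Q2) can be triaged mechanically from the same two commands used above. The Python script below is an added example; it is not code from the original post, nor from Aruba or Palo Alto Networks. It parses constructed copies of the show pan state table and the |pan| log lines shown above (the documentation address 192.0.2.10 stands in for <pa_ip_addr>, and a second firewall 192.0.2.11 is added to show the UP row), pairs each DOWN firewall with the most recent failure logged for it, and prints the check this post applies for that failure. The number in parentheses at the end of each log message is a libcurl error code: 28 is CURLE_OPERATION_TIMEDOUT and 60 is CURLE_SSL_CACERT (renamed CURLE_PEER_FAILED_VERIFICATION in newer libcurl); that mapping comes from libcurl itself, not from the controller's documentation.

```python
"""Triage helper for the two controller-side failure signatures in this post.

Added example, not code from the original post, Aruba or Palo Alto Networks.
All sample text below is constructed from the output shown above; the
documentation address 192.0.2.10 stands in for <pa_ip_addr>.
"""
import re
from urllib.parse import urlsplit

# Constructed `show pan state` table: one firewall still DOWN, one recovered.
SAMPLE_PAN_STATE = """\
Palo Alto Networks Servers Connection State[PA5220]
---------------------------------------------------
Firewall State
-------- -----
192.0.2.10:443 DOWN[10/08/18 14:29:42]
192.0.2.11:443 UP[10/08/18 16:42:21]Established
"""

# Constructed `show log system all | include |pan|` lines, one per failure type.
SAMPLE_PAN_LOG = """\
Oct 8 14:39:27 :309109: <WARN> |extifmgr| |pan| Session to PAN server [https://192.0.2.10:443/api/] Failed - code:1004[Timeout was reached(28)]
Oct 8 15:19:20 :309109: <WARN> |extifmgr| |pan| Session to PAN server [https://192.0.2.10:443/api/] Failed - code:1003[Peer certificate cannot be authenticated with given CA certificates(60)]
"""

# The trailing number in parentheses is a libcurl error code. Map the two that
# appear in this post to the check the post applies for each of them.
CURL_CODE_CHECKS = {
    28: ("CURLE_OPERATION_TIMEDOUT",
         "Controller cannot reach the PA management interface: ping <pa_ip_addr> "
         "from the controller, then check Device > Setup > Interfaces > Management "
         "> Permitted IP Addresses on the PA."),
    60: ("CURLE_SSL_CACERT",
         "Controller does not trust the PA management certificate: export it as PEM "
         "and upload it to the controller as Trusted CA; if the error persists, "
         "generate a self-signed root CA (Certificate Authority checked), bind it "
         "to the management SSL/TLS Service Profile, and re-export it."),
}

# One row of the `show pan state` table: host:port STATE[timestamp][Established]
STATE_RE = re.compile(
    r"^(?P<host>[^\s:]+):(?P<port>\d+)\s+(?P<state>UP|DOWN)\[(?P<ts>[^\]]+)\](?P<extra>\S*)$"
)
# One |pan| failure line: URL, Aruba code (1003/1004), reason text, libcurl code
LOG_RE = re.compile(
    r"\|pan\| Session to PAN server \[(?P<url>[^\]]+)\] Failed - "
    r"code:(?P<code>\d+)\[(?P<reason>.*)\((?P<curl>\d+)\)\]$"
)


def parse_pan_state(text):
    """Return one dict per firewall row of `show pan state`."""
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rows.append({
                "host": m["host"], "port": int(m["port"]), "state": m["state"],
                "since": m["ts"], "established": m["extra"] == "Established",
            })
    return rows


def parse_pan_log(text):
    """Return one dict per |pan| session-failure log line, in log order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({
                "url": m["url"], "aruba_code": int(m["code"]),
                "curl_code": int(m["curl"]), "reason": m["reason"],
            })
    return events


def triage(state_text, log_text):
    """Pair each DOWN firewall with the latest failure logged for it.

    Returns {host: (curl_code, libcurl_name, advice)}. Firewalls that are UP
    are ignored; a later log line for the same host replaces an earlier one.
    """
    down_hosts = {r["host"] for r in parse_pan_state(state_text) if r["state"] == "DOWN"}
    result = {}
    for ev in parse_pan_log(log_text):
        host = urlsplit(ev["url"]).hostname
        if host in down_hosts:
            name, advice = CURL_CODE_CHECKS.get(
                ev["curl_code"], ("unknown", "Unmapped libcurl code: " + ev["reason"]))
            result[host] = (ev["curl_code"], name, advice)
    return result


if __name__ == "__main__":
    for host, (code, name, advice) in triage(SAMPLE_PAN_STATE, SAMPLE_PAN_LOG).items():
        print(f"{host}: libcurl {code} ({name})\n  -> {advice}")
```

Run it as a script to print the advice for each firewall still DOWN; on a real controller, paste the output of the two commands in place of the constructed samples. For the sample above the host is reported with code 60, because the certificate failure is the later of the two log lines; any libcurl code not in the table is reported as unmapped rather than guessed.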

References