Integrate Palo Alto Virtual Appliance

This technical integration guide describes how to integrate a Palo Alto VM-300 with Identity as a Service (IDaaS). Although this document specifically covers the Palo Alto KVM appliance, the information provided applies to all Palo Alto PA-VM Series appliances that use the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Palo Alto PA-VM Series appliance solution using Identity as a Service.

Before you begin, review the following:

Supported authentication methods

Prerequisites

Integrate Palo Alto

Complete the following to integrate Palo Alto Virtual Appliance with IDaaS.

Step 1: Configure the Palo Alto interface management

Configure the Palo Alto Web interface management

Step 2: Configure LDAP as an AAA client, then create authentication profiles for the LDAP AAA client and the RADIUS AAA clients

Step 2.1: Configure LDAP as an AAA Client

Step 2.2: Configure the Group Mapping Profile

Step 2.3: Create an authentication profile for LDAP AAA clients

Step 2.4: Create an authentication profile for RADIUS AAA clients

Step 3: Configure VPN interfaces, tunnel, and zones

Note: The GlobalProtect portal and gateway are both configured on Ethernet1/2, the physical interface to which the GlobalProtect clients connect. After a client connects and successfully authenticates to the portal and gateway, the agent establishes a VPN tunnel from its virtual adapter, which has been assigned an address from the IP address pool associated with the gateway tunnel.

Step 3.1: Create zones for VPN

Step 3.2: Configure an Ethernet interface for VPN

Step 3.3: Configure a tunnel interface for the Gateway

Step 4: Create a server certificate

Log in to Palo Alto and create a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:

Step 4.1: Import a certificate from Entrust

Step 4.2: Generate a certificate from Entrust

Step 5: Create a security policy for VPN

Create a security policy for VPN

Step 6: Create an SSL/TLS profile

Create an SSL/TLS profile

Step 7: Configure a GlobalProtect gateway and portal

Note: GlobalProtect provides a complete infrastructure for managing your mobile workforce and enabling secure access for all your users, regardless of which devices they use or where they are located. GlobalProtect gateways enforce security on traffic from GlobalProtect agents and apps, and the GlobalProtect portal provides the management functions for your GlobalProtect infrastructure.

Step 7.1: Configure a GlobalProtect gateway

Step 7.2: Configure a GlobalProtect portal

Step 8: Configure the static route

Configure the static route

Step 9: Configure the GlobalProtect client

Configure the GlobalProtect client

Step 10: Add Palo Alto to IDaaS

Step 10.1: Add Palo Alto to Identity as a Service

Step 10.2: Protect Palo Alto with a resource rule

Step 11: Test the integration

Step 11.1: Test GlobalProtect VPN for one-step authentication

Step 11.2: Test GlobalProtect VPN for two-step authentication

Step 11.3: Test GlobalProtect VPN using Entrust push authentication