Palo Alto Networks PCNSE – Global Protect Part 3
May 9, 2023

6. Installing CA services on Windows, certificate enrollment policy service, OCSP

Okay, so now we’re going to set up the certificate services on the domain controller in AWS to provide certificates for the workstations in the lab. This way we can test things like certificate authentication on GlobalProtect. So we’re going to go ahead and click on Add Roles and Features, then Server Selection. Click that, then click on Active Directory Certificate Services and click Next. Then we’re going to select Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, Network Device Enrollment Service and Online Responder.

Pretty much everything here. Then click Next, Next, and basically Install. Now that it finished installing, we’re going to go ahead and reboot just to make sure everything is set up correctly, and restart. Now the server has rebooted. The next step is to set up the certificate services. You go to AD CS, click on More, and click on Configure Active Directory Certificate Services. The credentials used to install the following role services must belong to the local Administrators group: standalone Certification Authority, Certification Authority Web Enrollment, Online Responder. And you must belong to the Enterprise Admins group. So those are the requirements. So let’s see the user: administrator. Verify here, Enterprise Admins.

So it seems like the administrator is a member of all those. Depending on your environment you might want to set up a different account, but you have to be an Enterprise Admin and a local administrator. So that’s fine. Click on Next. Then we’re going to first set up the Certification Authority, Certificate Enrollment Policy Web Service and Online Responder. Let’s see if we can set those all up at the same time. We’re going to specify Enterprise CA, Root CA, create a new private key, and choose SHA-256. Click Next. Common name: lab ADDC CA; we’ll just go with the DC CA name and click Next. Override the validity period to five years, and then the database location. We’re going to use Windows Integrated Authentication, click on Configure and let it run. So here we configured it, and right now it’s installing.

Now that this is installed, we’re going to go to Certification Authority and we see here that it’s installed and ready to go. Then we’re going to click on Certificate Templates and click on Manage. We’re going to take the Computer certificate template here, Duplicate Template, and give it a name; let’s call it computer certificate. Then Issuance Requirements, and Subject Name: select Build from this Active Directory information. We’re going to choose DNS name (or service principal name) as the alternate subject name, the subject name format is going to be Common name, and we don’t have to include the email address in the subject name. Then Security: we’re going to select Domain Computers and check Enroll and Autoenroll. This way we can enroll the computer automatically from the Group Policy. Then click Apply, click OK, close the certificate templates, and now click on New Certificate Template to Issue.

In this lecture we will talk about HIP checks.

HIP checks use the host information that you can use in policy enforcement. You’re going to collect information about the hosts that are connecting, and based on this information you can make policy decisions. One of the requirements to be able to do this is that your system has to have a license. You should have the GlobalProtect Gateway license; the GlobalProtect Gateway license allows you to check the host information and make policy enforcement decisions. For the GlobalProtect HIP checks you have two different things: the HIP objects, which allow you to craft certain things to check for, and the HIP profile.

So under HIP objects you can create different HIP objects to check for certain things. When we click on Add HIP object you have several criteria to check against: Operating System contains, for example if you want to restrict this to Microsoft Windows; this is under Host Info. Patch Management allows you to make a decision based on patch management, Firewall allows you to make a decision based on the installed firewall, and Client Antivirus allows you to make a decision based on AV being installed or not installed on the system, plus other criteria like Anti-Spyware, Disk Backup, Disk Encryption and Data Loss Prevention, and you can also add custom checks.

So the HIP object is the building block for us to set up a HIP profile that we can match against. Under General here we can create a simple HIP object; let’s call this HIP object AV installed. We’re going to check for antivirus: antivirus is installed, Real Time Protection is on: yes, and virus definitions; you can specify the virus definitions to be within, say, seven days. If you want to specify the vendor you can; if not, you can leave it. We can use this as a HIP object. Then we’re going to create a HIP profile. The HIP profile will check against certain criteria and compliance. So in our case here we’re going to add a match criteria, and for this match criteria we’re going to use the object we created and specify that AV is installed. Click OK.

Now we will go into our policy and create a policy. So in our case, when the user connects they’re going to be coming in from the Tunnel 20 interface, which belongs to the trust zone, and we’re going to restrict them from accessing the internet completely by creating a rule that restricts those who do not match that profile. So in here we’re going to call it GP compliant users, and we’re going to specify the source as the trust zone with the address range of the GlobalProtect pool, and the destination as untrust, any address. Then under User we’re going to select the HIP profile, and basically this would require compliance.

They have to match that required compliance, and when they match it they’re going to be allowed access because we’re going to create a rule here that will allow them access. So we put this up top. Rules are processed top-down, so basically if they meet the required compliance they hit this rule; if they don’t match, we have to deny them, otherwise they’re going to be allowed by the following rule. So we add another rule here called GP non-compliant users, with the same source, the IP range of the GlobalProtect pool, and destination untrust, and we are going to deny them because they don’t have compliance, they don’t have an AV, and we are going to log at session start because this is a deny. So, top-down.

The users that connect and are compliant are going to be allowed Internet access. Users that do not match that HIP profile will be denied access, and we’re going to deny them complete access to any application, any service or port, not just the default. Now in that case when the user connects they’re going to try to access the internet and they will not be allowed. However, you don’t want to leave the user in the dark, so you want to give them a message letting them know that they will not have access. You do this by going to the GlobalProtect Gateway configuration: go to the GlobalProtect configuration, GlobalProtect Gateway, click on Agent, click on HIP Notification, and this will allow you to create a HIP notification.

Because they don’t match our required compliance HIP profile, we want to send them a message letting them know, hey, you’re going to have restricted access. So: required compliance here, then enable, and we’re going to specify a message, say “Your system did not meet compliance and will not have network access.” This is just an example. Click OK, then click OK, and let’s commit this configuration. Now on the client we’re going to go ahead and connect and see if we are able to access the internet and whether we get the message. And I’m going to look at the logs here. It’s connected right now. I didn’t get the message yet, but here is the message pop-up, and it tells the user “Your system did not meet compliance and will not have Internet access.”

If I try to access the internet, we’ll get denied. I’m going to use Internet Explorer, and here it’s trying to connect, and we should see here under Monitor that it gets denied: drop, deny and policy deny. This is GP non-compliant users. So we see both: we see the user logging in and we see the connection succeeded, but the user traffic is getting dropped because they don’t match the compliance requirement, which is having an AV installed on the system. They also get a message because you configured the gateway so that if they do not match the required compliance HIP profile they get notified that the system doesn’t meet compliance and they will not have internet access. Now, because I don’t want to install an AV on this machine, I’m going to simplify the object check that we’re doing to allow this host to connect and see the difference.

So if we go here under our AV installed HIP object that we configured, I’m going to specify host information: OS contains Microsoft, all, any Microsoft, and go ahead and remove the AV check. So now basically it just checks for the operating system to be Microsoft, and the HIP profile is still matching AV installed, which now just checks for the operating system, just for us to see what happens when the machine is compliant. Then we’re going to go ahead and commit that and click Connect. If your host profile matches, you should see your information in the HIP Match logs, and basically that means you are a match. And when you look at the HIP match it will basically show you all the collected information about the client.

We only check whether Microsoft Windows is installed; its operating system is Microsoft Windows, so we should be able to access the Internet now. And now we’re able to access the Internet. If I go to Monitor, Traffic, you see here the username and you see it’s matching GP compliant users now, not GP non-compliant users, which it was matching earlier when we were checking for the AV. The HIP check is a powerful tool for you to do some network admission control and restrict users based on their host information, and it’s utilized heavily for network admission control out in the field.
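The HIP object, HIP profile and top-down rule matching walked through in this lecture, as an added Python model (not Palo Alto or GlobalProtect code): the HIP reports, pool range, zone names and evaluation date are constructed, and the report field names are assumptions about what the agent submits.

```python
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed HIP reports in the shape of what a GlobalProtect agent submits
# (field names are assumptions; real reports are XML with many more categories).
HOST_REPORTS = {
    "win1": {"os": "Microsoft Windows 10", "av": {"installed": True, "realtime_on": True,
                                                    "defs_date": date(2023, 5, 7)}},
    "win2": {"os": "Microsoft Windows 10", "av": None},                    # no AV at all
    "win3": {"os": "Microsoft Windows 11", "av": {"installed": True, "realtime_on": False,
                                                    "defs_date": date(2023, 3, 1)}},
}
TODAY = date(2023, 5, 9)   # assumed evaluation date; real code would use date.today()

# HIP objects: every criterion listed must hold for the object to match.
# "AV installed" is the object built in the lecture; "Windows host" is the loosened
# check (OS contains Microsoft) that the lecture later substitutes for it.
HIP_OBJECTS = {
    "AV installed": {"av_installed": True, "av_realtime_on": True, "av_defs_within_days": 7},
    "Windows host": {"os_contains": "Microsoft"},
}

def hip_object_matches(obj, report, today):
    av = report.get("av")
    if "os_contains" in obj and obj["os_contains"] not in report.get("os", ""):
        return False
    if "av_installed" in obj and bool(av) != obj["av_installed"]:
        return False
    if obj.get("av_realtime_on") and not (av and av["realtime_on"]):
        return False
    if "av_defs_within_days" in obj:
        if not av or today - av["defs_date"] > timedelta(days=obj["av_defs_within_days"]):
            return False
    return True

# HIP profile -> list of HIP object names that must all match (AND), as in the lecture.
HIP_PROFILES = {"AV installed": ["AV installed"]}

def hip_profile_matches(profile, report, today, objects=HIP_OBJECTS):
    return all(hip_object_matches(objects[o], report, today) for o in HIP_PROFILES[profile])

GP_POOL = ip_network("10.20.0.0/24")   # assumed GlobalProtect IP pool
# Security rules in order. First match wins, so the allow rule sits above the deny.
RULES = [
    {"name": "GP compliant users", "from": "trust", "to": "untrust", "hip": "AV installed", "action": "allow"},
    {"name": "GP non-compliant users", "from": "trust", "to": "untrust", "hip": None, "action": "deny"},
]

def evaluate(host, src_ip, from_zone, to_zone, today, objects=HIP_OBJECTS):
    """Return (rule name, action) for the first rule a GlobalProtect session matches."""
    report = HOST_REPORTS[host]
    for rule in RULES:
        if (rule["from"], rule["to"]) != (from_zone, to_zone) or ip_address(src_ip) not in GP_POOL:
            continue
        if rule["hip"] and not hip_profile_matches(rule["hip"], report, today, objects):
            continue
        return rule["name"], rule["action"]
    return "interzone-default", "deny"

def hip_notification(host, today, required="AV installed", objects=HIP_OBJECTS):
    """Gateway HIP notification for hosts that fail the required-compliance profile."""
    if hip_profile_matches(required, HOST_REPORTS[host], today, objects):
        return None
    return "Your system did not meet compliance and will not have network access."
```

Passing a different `objects` dict to `evaluate` reproduces the lecture's second run, where the AV criteria were replaced by an OS check and the same host became compliant.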

We’re going to select the computer certificate template we created and click OK. All right, the next thing we have to do is open up Group Policy, go to Default Domain Policy, click on Edit, and under Computer Configuration click on Policies, Windows Settings, Security Settings, Public Key Policies, and then Certificate Services Client - Auto-Enrollment. It should be Not Configured; basically that’s the default. You click Enabled, check Renew expired certificates, update pending certificates, and remove revoked certificates, and check Update certificates that use certificate templates, then click Apply, and then Certificate Services Client - Certificate Enrollment Policy.

That’s the enrollment policy, automatically. It should be Not Configured; you click Enabled, check Active Directory Enrollment Policy and click Apply. So this is the group policy that will allow the computer to automatically get a certificate. Now the next thing we have to do is configure the Online Responder. You click Online Responder Management and then we’re going to create a Revocation Configuration. Well, before that we have to create a certificate for it. So go back to Certification Authority, Certificate Templates, Manage, to create an OCSP certificate: OCSP Response Signing, and click on Duplicate Template.

Under General you can give it a name, OCSP Cert, and then Issuance and Security: you’re going to pretty much leave everything the same here, click Apply and click OK. Then click on Certificate Templates, Manage, New Certificate Template to Issue, and we’re going to select OCSP Cert. OK. Then under Revocation Configuration in Online Responder Management, click Add Revocation Configuration, give it a name, click Next, then Select a certificate for an existing enterprise CA. Click Next, Browse CA certificates published in Active Directory, open it up and choose our certificate.

Click Next. The certificate template is going to be OCSP Cert; automatically select a signing certificate and auto-enroll for an OCSP certificate, then click Next and click Finish. OK. Then we’re going to look at the revocation configuration and see if the certificate was issued. It doesn’t look like it was issued: signing certificate not found. So we probably have to change the template. I’m going to loosen it up a little bit more: Authenticated Users, Enroll, Autoenroll, Apply. Delete it, yes, and do it again: Add Revocation Configuration, Next, test, OK, there you go. So the certificate was issued; it needed to be Authenticated Users.

So this is key for you to be able to accept the certificate. The Palo Alto firewall will not accept the certificate unless OCSP is configured and working. So we’re going to go to the computer in the lab now and open up MMC to see if the computer received the certificate. Click on File, Add/Remove Snap-in, Certificates, click Add, choose Computer account, Next, and then Finish. Then click OK. Expand Certificates, expand Personal, expand Certificates. And we see here that a certificate was issued for the computer. Unfortunately, we got an OCSP certificate as well. So on the OCSP certificate template, Security: we’re going to uncheck this for Authenticated Users, just Read, and then Administrator. That happened because I’m logged in as administrator. So that’s why it’s recommended to have a different account just for the OCSP account.

So I’m going to go ahead and delete that OCSP certificate from my lab machine. On the domain controller I’m going to basically go to Security and specify Administrator only, and Authenticated Users just Read. So basically it’s better to have an account that you assign for OCSP. So we have pretty much the steps ready to go for testing. We’re going to try the computer authentication using pre-logon and show you how this is done in our next lecture.

7. Global Protect Authentication using Dual Factor Token and Computer Certificate

So now that we set up the certificate on the computer, we need to configure the Palo Alto firewall to authenticate against that certificate. We’re going to go through the steps on the Palo Alto firewall. Well, I don’t have Certificate Enrollment Web Services running yet, so basically we have to import the certificate as a trusted certificate in our setup. So the first thing we have to do is go to the certificates here: let’s go to Certification Authority, find the root CA certificate, View Certificate, Details, Copy to File, and we’re going to copy this out Base-64 encoded. We’ll just call this root CA, click Next and then Finish.

Then we have to go to Certificates on the firewall, Import, call this lab root, find the certificate file and import it. Once you import it, you open it up and specify that this is a Trusted Root CA, then click OK. Then we need to create a certificate profile to use for authentication. We’re going to specify here that this is the lab CA server, add the certificate for the lab root CA, and click OK. We need the username field set to Subject common name; that’s what we specified in the template. Then we go ahead and click OK. Then we need to go to OCSP Responder and add an OCSP responder. We’re going to add the server by name. What’s the server name? I see, so it’s lab.local: ADDC.lab.local.

So that’s why I pulled in the common name for authentication. Now that the certificate is set up, we’re going to go to the Palo Alto here and go to authentication. It’s going to be two levels of authentication. The first level is the portal, which relies on the user entering the username and the two-factor authentication. The second level will be the gateway. At this level we’re going to specify to add the trusted root CA and install it in the local certificate store. I’m not sure if that’s required because the machine is already part of the domain, so we’re just going to check lab root to be trusted and then click on On-demand. Then we’re going to specify to use machine authentication, and we are not going to check SSO, which is single sign-on.

I will look at single sign-on later on. Use single sign-on: no. So that’s fine, click OK. The second level of authentication, the gateway, will be the certificate. So, first level authentication: you first authenticate to the portal, and then you authenticate to the gateway after that, and that authentication will rely on a certificate. This basically ties in the computer: if it has a certificate, then it’s most likely part of the domain and it’s allowed to access the network because it’s part of the domain. So we’re going to go ahead and click Commit and test it out. We’re going to go to the machine behind the lab, and I switched it over to use the Internet because it has two interfaces, one behind the Palo Alto firewall and one on the Internet.

Basically we’ll go ahead and open up GlobalProtect, and then we will use our first-factor authentication, which is the dual-factor token. I’m going to put that in here and click Connect. Now if I click on Details, we should be seeing some connectivity going on. Click on Troubleshooting, Logs, Start Logs. You see here that it’s getting an IP address. So it looks like it’s getting connected right now, just connecting. So I first authenticated using my dual-factor token and then the second one; OK, here it’s connected. I authenticated using the certificate on the computer itself. To prove that out, let’s take a look at the certificate authentication. Let me just make sure I can ping the domain controller. That’s working.

First, if I look at the gateway, I see remote users. I see here that the user is actually win1.lab.local. So it pulled the computer certificate and pulled the information from that computer certificate, and the computer name is win1. So it’s using the computer name for authentication. If I look at the actual monitoring system, I should see here the certificate authentication, device-level VPN. So that’s device-level VPN. So the username is MDES user; this is the first level of authentication, On-demand config name, on-demand certificate validated for user win1.lab.local. I was able to do the computer authentication. So that’s one example. You can have a computer certificate and dual-factor with a token as the login.
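The two-level login from this lecture as an added Python model (not Palo Alto or GlobalProtect code): the token is assumed to be an RFC 6238 TOTP token, the username, DNs and OCSP answers are constructed, and parsing of the actual X.509 certificate is assumed to have happened already.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; assumed to be what the 'dual factor token' produces."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

# Stage 1, the portal: username plus token code. Constructed user database; the
# secret is the RFC 6238 test key, so totp(secret, 59) must yield "287082".
USERS = {"mdes": {"totp_secret": base64.b32encode(b"12345678901234567890").decode()}}

def portal_login(username, code, unix_time):
    user = USERS.get(username)
    if user is None:
        return False
    # only the current 30-second step is accepted; compare_digest avoids a timing side channel
    return hmac.compare_digest(totp(user["totp_secret"], unix_time), code)

# Stage 2, the gateway: the certificate profile from the lecture. The issuer must be
# the imported lab root CA, the username is taken from the subject CN, and the OCSP
# answer must be "good" (blocking on revoked or unknown status is an assumption).
CERT_PROFILE = {"trusted_ca": "CN=lab-ADDC-CA,DC=lab,DC=local",   # constructed issuer DN
                "username_field": "CN", "block_unknown_status": True}

def dn_field(dn, attr):
    """Pick one attribute out of an RFC 4514 DN string ('CN=win1.lab.local,DC=lab,DC=local')."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == attr.upper():
            return value
    return None

def gateway_auth(cert, ocsp_status):
    """cert: dict with 'subject' and 'issuer' DN strings (X.509 parsing assumed done)."""
    if cert["issuer"] != CERT_PROFILE["trusted_ca"]:
        return None, "issuer is not the trusted lab root CA"
    if ocsp_status == "revoked":
        return None, "certificate revoked (OCSP)"
    if ocsp_status != "good" and CERT_PROFILE["block_unknown_status"]:
        return None, f"OCSP status {ocsp_status!r}, session blocked"
    return dn_field(cert["subject"], CERT_PROFILE["username_field"]), "certificate validated"

def connect(username, code, unix_time, cert, ocsp_status):
    """The two-level sequence from the lecture: portal first, then the gateway."""
    if not portal_login(username, code, unix_time):
        return {"stage": "portal", "ok": False, "reason": "bad username or token code"}
    machine, reason = gateway_auth(cert, ocsp_status)
    return {"stage": "gateway", "ok": machine is not None, "user": username,
            "machine": machine, "reason": reason}
```

The `machine` value the gateway derives is the certificate's CN, which is why the gateway showed the computer name rather than the portal user in the lecture.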
