3.1.10.2.23. paloAlto
The paloAlto plugin allows sending information related to a username and IP along with a PA Dynamic Address Group Tag. An internal OpenNAC Tag can be assigned to the device.
To start, you notify the firewall of the username associated with a specific IP address. This relationship remains active until a logout is received or the User Session Timeout (min.) indicated in the plugin properties is exceeded (after that time, without a new notify, the relationship expires). Apart from that, you associate the IP address with a Palo Alto dynamic tag, so in the Palo Alto firewall you can define a Dynamic Address Group and use it in Palo Alto policies.
The following fields must be configured to set up the plugin:

User Name: Administrator user name to connect to Palo Alto Firewall.
Password: Administrator password to connect to Palo Alto Firewall.
IP Palo Alto / Panorama: IP address for Palo Alto Firewall.
User with Domain: It indicates whether the user name sent to Palo Alto has to include the domain name, in case the domain is included in the user request.
User Name is required: It indicates whether a user name is required to send information to Palo Alto. If it is required, a MAB authentication (which carries no user name) cannot produce a notification to Palo Alto.
User Session Timeout (min.): User session timeout (TTL), indicated in minutes.
PaloAlto Tag: Tag used to notify Palo Alto Dynamic Address Group. If it is empty, the policy name is used.
openNAC Tag: openNAC user device tag, used to mark the user device when it is notified to Palo Alto. If it is empty, no tag is used.
Panorama Device Group Flag: It indicates that we have to send the information to a specific Panorama device group.
Panorama Device Group: Indicates to which Panorama device group we send the information, only if Panorama Device Group Flag is active.
Note
To connect to Palo Alto, only a user with “XML API – User-ID Agent” rights is required, so “Web UI” and “Command Line” rights can be disabled.
PaloAlto NGFW technologies include an API that requires credentials for access.
If Palo Alto is integrated with Active Directory or LDAP servers, it is necessary to indicate when other types of users are being used. This facilitates the exchange of user session information between PaloAlto and openNAC, which can be used to define session timeouts to enforce authentication and also to utilize User Device tags when notifying Palo Alto.
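The following is an added example, not the openNAC plugin's own code: it builds the Palo Alto User-ID XML API "uid-message" that carries the user-to-IP mapping (with the session TTL in minutes) and the Dynamic Address Group tag registration described above, applying the User with Domain, User Name is required and PaloAlto Tag options. The function name and its parameters are assumptions for illustration; sending the message to the firewall or to a Panorama device group is not shown.

```python
# Added example (not the openNAC plugin's code). The uid-message layout is the
# Palo Alto User-ID XML API format; build_uid_message and its parameters are
# hypothetical names chosen to mirror the plugin fields documented above.
import xml.etree.ElementTree as ET
from typing import Optional


def build_uid_message(ip: str, username: Optional[str], policy_name: str,
                      session_timeout_min: int, user_with_domain: bool,
                      username_required: bool, pa_tag: str = "",
                      logout: bool = False) -> Optional[str]:
    """Return the uid-message XML, or None when nothing may be sent."""
    # "User Name is required": a MAB authentication carries no user name,
    # so with this option enabled no notification is produced at all.
    if username_required and not username:
        return None
    # "User with Domain" disabled: strip a DOMAIN\ prefix before sending.
    if username and not user_with_domain and "\\" in username:
        username = username.split("\\", 1)[1]

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")

    if username:
        if logout:
            # logout: the user/IP relationship is removed immediately
            ET.SubElement(ET.SubElement(payload, "logout"), "entry",
                          name=username, ip=ip)
        else:
            # login: relationship expires after the TTL unless refreshed
            ET.SubElement(ET.SubElement(payload, "login"), "entry",
                          name=username, ip=ip, timeout=str(session_timeout_min))

    # "PaloAlto Tag": when empty, the policy name is used as the DAG tag.
    tag = pa_tag or policy_name
    section = "unregister" if logout else "register"
    entry = ET.SubElement(ET.SubElement(payload, section), "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(build_uid_message("10.0.0.5", "CORP\\alice", "Employees", 60,
                            user_with_domain=False, username_required=True))
```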