Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (Panorama)
Focus
Focus
Prisma Access

Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

Table of Contents


Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
To configure the Cloud Authentication Service to authenticate Explicit Proxy mobile users, you must have the following minimum required product and software versions:
  • A minimum Prisma Access version of 3.2 (either Preferred or Innovation).
  • A minimum Panorama version of 10.1.3.
  • A minimum dataplane version of 10.1.3.
    To verify your dataplane version, select PanoramaCloud ServicesConfigurationService Setup and view the Current Dataplane version in the DataPlane PAN-OS version area. If your dataplane version is lower than 10.1.3, reach out to your Palo Alto Networks account representative and submit a request.
  • A SAML IdP provider that is supported with the Cloud Identity Engine.
    All IdP providers that are supported by the Cloud Identity Engine are supported, including Azure, Okta, PingOne, PingFederate, and Google.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
  1. From the Panorama that manages Prisma Access, set up and configure a Mobile Users—Explicit Proxy deployment.
    Before you configure Explicit Proxy guidelines, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
  2. From the Panorama that manages Prisma Access, install the Panorama device certificate.
    You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
    1. Log into the Customer Support Portal to generate the One Time Password (OTP).
    2. Select AssetsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and Generate OTP.
    4. Select the Panorama Device serial number.
    5. Generate OTP and Copy to Clipboard.
    6. From the Panorama that manages Prisma Access, select PanoramaSetupManagementDevice Certificate Settings and Get certificate.
      When you have successfully installed the certificate, the Current Device Certificate Status (PanoramaSetupManagementDevice Certificate) displays as Valid.
  3. From the hub, activate the Cloud Identity Engine if you have not yet done so to create your first instance.
    1. Activate the Cloud Identity Engine.
      If the Activate button is not available, ensure that your role has the necessary privileges.
    2. Enter the information for your Cloud Identity Engine instance.
      • Select the Company Account for the instance.
      • Specify an Name to identify the instance.
      • (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a Region.
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the EULA.
    3. Agree & Activate the instance.
    4. On the Activation Details page, select the hub in the upper left.
    5. The Cloud Identity Engine displays.
  4. (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine Instance.
    If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
    1. Log in to the hub.
    2. Click the gear in the upper right corner of the page to manage the settings; then, select Manage Apps and click Add Instance.
    3. Configure the instance.
      • Select the Company Account for the instance.
      • Specify an Name to identify the instance.
      • (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a Region.
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the EULA.
    4. Agree & Activate the instance.
  5. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
    You specify this profile when you create an authentication profile in Panorama in a later step.
  6. Return to the Panorama that manages Prisma Access and configure an authentication profile to use with the Cloud Authentication Engine.
    1. Select DeviceAuthentication Profile and Add an authentication profile.
      Be sure that you are in the Explicit_Proxy_Template.
    2. Enter a Name for the Authentication profile.
    3. Select Cloud Authentication Service as the Type.
    4. Select the Region of your Cloud Identity Engine instance.
      Specify the same region you used when you created your Cloud Authentication Engine instance.
    5. Select the Cloud Identity Engine Instance to use for this Authentication profile.
    6. Select an authentication Profile that specifies the authentication type you want to use to authenticate users.
      Specify the authentication profile you created in the Cloud Identity Engine.
    7. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    8. (Optional) If the profile you selected has multi-factor authentication (MFA) enabled, select Force multi-factor authentication in cloud.
      Selecting this option means that the IdP (for example, Okta) specified by the profile is responsible for performing MFA. If you select this check box and incorrect MFA information is received from the Cloud Identity Engine, authentication fails.
    9. Click OK.
  7. Allow the necessary authentication traffic to be passed to Explicit Proxy.
    1. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
    2. Add the following Cloud Identity Engine URLs to the URL category.
      If you do not need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using the show cloud-auth-service-regions command in the Cloud Identity Engine to display the URLs for the region associated with your Cloud Identity Engine instance and enter each region-based URL. The following table includes the URLs for each region:
      RegionCloud Identity Engine Region-Based URL
      United Statescloud-auth.us.apps.paloaltonetworks.com
      cloud-auth-service.us.apps.paloaltonetworks.com
      Europecloud-auth.nl.apps.paloaltonetworks.com
      cloud-auth-service.nl.apps.paloaltonetworks.com
      United Kingdomcloud-auth.uk.apps.paloaltonetworks.com
      cloud-auth-service.uk.apps.paloaltonetworks.com
      Singaporecloud-auth.sg.apps.paloaltonetworks.com
      cloud-auth-service.sg.apps.paloaltonetworks.com
      Canadacloud-auth.ca.apps.paloaltonetworks.com
      cloud-auth-service.ca.apps.paloaltonetworks.com
      Japancloud-auth.jp.apps.paloaltonetworks.com
      cloud-auth-service.jp.apps.paloaltonetworks.com
      Australiacloud-auth.au.apps.paloaltonetworks.com
      cloud-auth-service.au.apps.paloaltonetworks.com
      Germanycloud-auth.de.apps.paloaltonetworks.com
      cloud-auth-service.de.apps.paloaltonetworks.com
      United States - Governmentcloud-auth-service.gov.apps.paloaltonetworks.com
      cloud-auth.gov.apps.paloaltonetworks.com
      Indiacloud-auth-service.in.apps.paloaltonetworks.com
      cloud-auth.in.apps.paloaltonetworks.com
    3. Enter the URLs that your IdP requires for user authentication (for example, *.okta.com) in the custom URL category.
    4. Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
  8. Specify the authentication profile for Explicit Proxy.
    1. Select PanoramaCloud ServicesConfigurationMobile Users—Explicit Proxy.
    2. Select the Connection Name.
    3. Specify the Cloud Identity Engine Authentication Profile.
  9. Commit and Push your changes.
  10. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
    1. From the Panorama that manages Prisma Access, select MonitorLogsAuthentication.
    2. View the Event status.
      If the authentication fails, view the Description for more details about the failure.
    3. From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.