
Alcatel-Lucent AOS-W 6.5.3.x - Palo Alto Networks Firewall Integration; Limitation; Preconfiguration on the PAN Firewall

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
AOS-W 6.5.3.x | User Guide Palo Alto Networks Firewall Integration | 689
Chapter 30
Palo Alto Networks Firewall Integration
The User-Identification (User-ID) feature of the Palo Alto Networks (PAN) firewall allows network administrators to
configure and enforce firewall policies based on users and user groups. User-ID identifies the user on the
network by the IP address of the device the user is logged into. Additionally, a firewall policy can
be applied based on the type of device the user is using to connect to the network. Since the Alcatel-Lucent
switch maintains the network and user information of the clients on the network, it is the best source of
this information for the User-ID feature on the PAN firewall.
The procedures in this chapter describe the steps to integrate a Palo Alto Networks firewall with a master or local
switch. For details on configuring PAN firewall integration with a branch office switch, see Branch
Integration with a Palo Alto Networks (PAN) Portal on page 226.
This feature introduces the following interactions with PAN firewalls running PAN-OS 5.0 or later:
• Send logon events to the PAN firewall for the client, carrying its IP address, user name and, once the device
has been classified, its device type.
• Send logout events to the PAN firewall for the client, carrying its IP address.
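The logon and logout events above push an IP-address-to-user mapping to the firewall. The page does not show the exact wire format the switch uses, so as an added illustration (not code from the AOS-W switch or from Palo Alto Networks) the following Python builds and validates messages in the PAN-OS User-ID XML API "update" format, the documented way of feeding such mappings to User-ID. The user names and addresses are constructed sample values; device-type (HIP) information is not modelled here.

```python
"""Build and validate PAN-OS User-ID XML API 'update' messages.

Added example: the shape below is the PAN-OS User-ID XML API format
(uid-message / payload / login|logout / entry), not the switch's own
code.  Sample users and addresses are constructed."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address


def build_uid_update(logins, logouts=(), timeout_min=None):
    """Return a User-ID 'update' message as an XML string.

    logins:      iterable of (user_name, ip) pairs, one per client logon
    logouts:     iterable of (user_name_or_None, ip); as the chapter says,
                 a logout only needs the client IP address
    timeout_min: optional lifetime, in minutes, set on every login entry
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")

    if logins:
        login_el = ET.SubElement(payload, "login")
        for user, ip in logins:
            # Validate the address before it leaves the sender: a malformed
            # IP would otherwise become a bad mapping on the firewall.
            entry = ET.SubElement(login_el, "entry",
                                  name=user, ip=str(ip_address(ip)))
            if timeout_min is not None:
                entry.set("timeout", str(int(timeout_min)))
    if logouts:
        logout_el = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            entry = ET.SubElement(logout_el, "entry", ip=str(ip_address(ip)))
            if user is not None:
                entry.set("name", user)
    return ET.tostring(root, encoding="unicode")


def parse_uid_update(xml_text):
    """Parse an update message into {'login': [(user, ip)], 'logout': [...]}.

    Useful on the receiving or auditing side: anything that is not a
    well-formed update with valid addresses raises ValueError, so a
    faulty sender cannot plant odd mappings."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message" or root.findtext("type") != "update":
        raise ValueError("not a User-ID update message")
    result = {"login": [], "logout": []}
    for kind in ("login", "logout"):
        for entry in root.iterfind(f"payload/{kind}/entry"):
            ip = str(ip_address(entry.get("ip")))   # raises on missing/garbage IP
            if kind == "login" and not entry.get("name"):
                raise ValueError("login entry without a user name")
            result[kind].append((entry.get("name"), ip))
    return result


if __name__ == "__main__":
    # Constructed sample: one client logs on, another logs off.
    msg = build_uid_update([("corp\\alice", "10.1.20.7")],
                           [(None, "10.1.20.9")], timeout_min=20)
    print(msg)
    print(parse_uid_update(msg))
```

The builder is what an integration sender would use; the parser is the check a defender would run over captured or logged messages to confirm only well-formed mappings reach the firewall. The message is normally POSTed to the firewall's `/api/` endpoint with `type=user-id`, which is outside this chapter's scope.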
The following must be configured on the PAN firewall:
• An Admin account must be created on the PAN firewall to allow the switch to send data to it. This account
must match the account added in the PAN profile on the switch. The built-in Admin account can be used for
this purpose, but this is not recommended; it is better to create a new Admin account used solely for
communication between the switch and the PAN firewall.
• PAN Host Information Profile (HIP) objects and HIP profiles must be preconfigured on the PAN firewall to
support a device-type based policy.
To enable these features, the following must be configured on the switch:
• The system-wide PAN profile must be properly configured and made active on the switch.
• The pan-integration parameter must be enabled in the AAA profile with which the client is associated.
• For VPN clients, enable the pan-integration parameter in the VPN authentication profile with which the
client is associated.
• For VIA clients, enable the pan-integration parameter in the VIA authentication profile with which the
client is associated.
Limitation
Keep the following limitation in mind when configuring PAN Firewall Integration: PAN Firewall Integration does
not support bridge forwarding mode.
Preconfiguration on the PANFirewall
Before PANFirewall configuration is completed on the switch, some configuration must be completed on the
PANFirewall.
