Integrating An Iap With Palo Alto Networks Firewall; Integration With Instant; Configuring An Iap For Pan Integration - Aruba IAP-335 User Manual


In the Instant UI
To configure OpenDNS credentials:
1. Click More > Services > OpenDNS.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.
In the CLI
To configure OpenDNS credentials:
(Instant AP)(config)# opendns <username> <password>
(Instant AP)(config)# end
(Instant AP)# commit apply

Integrating an IAP with Palo Alto Networks Firewall

The Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users so that
applications can be enabled safely. A simple firewall that looks only at IP addresses or TCP port numbers
provides just a subset of the enhanced security that enterprises require to secure their networks. Where
businesses use social networking sites, legacy firewalls cannot differentiate valid authorized users from
casual social networking users.
The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting
users to sources of identity information and associating them with firewall policy rules. For example, it
provides an option to gather user information from an Active Directory or Lightweight Directory Access
Protocol (LDAP) server.

Integration with Instant

The user-ID functionality of the PAN firewall requires the collection of information from the network.
The IAP maintains network information (such as IP address mappings) and user information for its clients
and can provide the information required for user ID on the PAN firewall. Before sending the user-ID
mapping information to the PAN firewall, the IAP must retrieve an API key, which is used to authenticate
all API calls.
The IAP provides the user-ID mapping information to the PAN firewall for integration. The client user ID
is not sent to the PAN firewall unless it has a domain prefix. The IAP checks for domain information in
the client username for all login and logout requests sent to the PAN firewall. If the user ID already
has a domain prefix, the IAP forwards the request to the PAN firewall. Otherwise, the static client domain
configured in the PAN firewall profile is prefixed to the user ID and the request is then sent to the PAN
firewall.
IAP and PAN firewall integration can be seamless with the XML API that is available with PAN-OS 5.0 or
later. To integrate an IAP with PAN user ID, a global profile is added. This profile can be configured on
an IAP with PAN firewall information such as the IP address, port, username, password, and
firewall-enabled or firewall-disabled status.
The IAP sends messages to PAN based on the type of authentication and client status:
• After a client completes the authentication and is assigned an IP address, IAP sends the login message.
• After a client is disconnected or dissociated from the IAP, the IAP sends a logout message.
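The domain-prefix rule and the login/logout messages described above, as an added Python example (not Aruba's code and not taken from the manual). It assumes the messages use the PAN-OS XML API uid-message format, that a domain prefix has the form DOMAIN\user, and that a user with no prefix is skipped when no static domain is configured; the function names and sample values are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET


def qualify_user(username, static_domain):
    """Return DOMAIN\\user per the rule in the text, or None if nothing should be sent."""
    domain, sep, user = username.partition("\\")
    if sep:
        if not domain or not user:
            raise ValueError(f"malformed domain-qualified name: {username!r}")
        return username                       # already prefixed: forward unchanged
    if not static_domain:
        return None                           # no prefix and no static domain: not sent
    return f"{static_domain}\\{username}"     # prepend the profile's static client domain


def build_uid_message(event, username, ip, static_domain):
    """Build a uid-message for a 'login' or 'logout' event; None means 'do not send'."""
    if event not in ("login", "logout"):
        raise ValueError(f"unsupported event: {event!r}")
    ipaddress.ip_address(ip)                  # raises ValueError on a malformed address
    name = qualify_user(username, static_domain)
    if name is None:
        return None
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), event)
    # ElementTree escapes attribute values, so quotes or angle brackets in a
    # client-supplied username stay inside the name attribute.
    ET.SubElement(block, "entry", {"name": name, "ip": ip})
    return ET.tostring(root, encoding="unicode")


# Constructed sample events: (event, username, client IP)
SAMPLE_EVENTS = [
    ("login", "alice", "10.1.1.20"),
    ("login", "CORP\\bob", "10.1.1.21"),
    ("logout", "alice", "10.1.1.20"),
]

if __name__ == "__main__":
    for event, user, ip in SAMPLE_EVENTS:
        print(build_uid_message(event, user, ip, static_domain="example"))
```

Comparing the name attribute produced here with the usernames in the firewall's policy rules shows quickly whether the static client domain in the profile matches the domain the directory uses.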

Configuring an IAP for PAN integration

You can configure an IAP for PAN firewall integration by using the Instant UI or the CLI.
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
