Friday, 21 April 2023

user id / winrm / ldaps setup on palo alto firewall

Notes on how to enable WINRM + HTTPS on server side:

1. Import certificates from Palo to DC.

Export the certs from the palo alto or any CA server and import into DC.


CA root cert goes to Computer Certificates >> Trusted Root Certification Authorities.

Server cert goes to Computer Certificates >> Personal (this one must be imported to the server together with its private key; you get that by exporting the cert as PKCS#12 from the Palo Alto).


2. Check if WINRM is Enabled

Run the following command to verify that WINRM is configured:


winrm quickconfig


3. Verify WINRM Listener Configuration

Check the current listener configuration:


winrm enumerate winrm/config/listener


If only HTTP is listed and no HTTPS, you need to add an HTTPS listener.


4. Create WINRM HTTPS Listener

Use the command below to create the HTTPS listener. Replace the values with your actual hostname and certificate thumbprint. From PowerShell, wrap the `@{...}` part in single quotes (as in the older notes further down) so PowerShell does not parse it as a hashtable; from cmd.exe it can be passed as-is:


winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server.local";CertificateThumbprint="0ec2b6e88d58f99...."}


5. Enable Basic Authentication

Enable Basic authentication on the WinRM service of the DC (the User-ID agent authenticates against the service side; Basic only base64-encodes the password, so it relies on the HTTPS listener for confidentiality):


winrm set winrm/config/service/auth @{Basic="true"}


You can verify the setting with:


winrm get winrm/config/service/Auth
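
As an added example (not from the original notes or from Palo Alto's documentation), the five server-side steps above as one elevated PowerShell script. The certificate file paths, the FQDN, the firewall rule name and the PFX password prompt are assumptions; adjust them to your environment.

```powershell
# Added example: WinRM over HTTPS on the DC, end to end. Run in an elevated PowerShell.
# Paths, FQDN and rule name below are placeholders (assumptions), not values from the notes.
$Fqdn    = 'server.local'                 # must match the CN/SAN of the server cert
$CaCer   = 'C:\certs\palo-root-ca.cer'    # CA root exported from the Palo (assumed path)
$DcPfx   = 'C:\certs\dc-server.pfx'       # server cert + private key exported as PKCS#12
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. CA root into Trusted Root, server cert (with key) into Personal.
Import-Certificate -FilePath $CaCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$serverCert = Import-PfxCertificate -FilePath $DcPfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass

# Checks worth doing before binding: the key came with the cert and the name matches.
if (-not $serverCert.HasPrivateKey) { throw 'Server cert has no private key; re-export it as PKCS#12.' }
if ($serverCert.Subject -notmatch [regex]::Escape($Fqdn)) { Write-Warning "Subject '$($serverCert.Subject)' does not contain $Fqdn" }

# 2./3. Make sure the service is configured and list the existing listeners.
winrm quickconfig -q
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 4. Create the HTTPS listener only if none exists (same effect as 'winrm create', no quoting pitfalls).
$https = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $Fqdn; CertificateThumbprint = $serverCert.Thumbprint } | Out-Null
}

# quickconfig only opens the HTTP port (5985); the HTTPS port needs its own inbound rule.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# 5. Basic auth on the *service* side (what the User-ID agent authenticates against).
#    Basic only base64-encodes the password, so keep plaintext transport disabled.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Verify: Basic enabled on the service, and a TLS handshake to the new listener succeeds.
winrm get winrm/config/service/Auth
Test-WSMan -ComputerName $Fqdn -UseSSL
```

If Test-WSMan fails with a certificate error, the listener is bound to a cert whose name does not match $Fqdn or whose issuing CA is not in the Trusted Root store of the machine doing the test.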


Service Account Permissions

Ensure that CIMV2 namespace permissions are properly configured for the service account used by USER-ID.


Follow the Palo Alto Networks documentation, particularly Step 4 in the guide below:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent?otp=id188DF0L03YR#id188DF0L03YR

 

Older notes:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMgiCAE


Generate a self signed CA on the palo

fw-ldap.domain.int

now generate a cert for the DC

DCHOST.domain.int (signed by the self signed CA we just made)

export the DC cert as pkcs12 and give password

import on the dc into local computer store

winrm quickconfig

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="DCHOST.domain.int";CertificateThumbprint="1x1x1x1x1x1x1x1x1x1x1x1x1x1x1"}'


winrm get winrm/config/client/Auth

Look for Basic = true


Palo FW setup

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.


It seems there are 2 parts

1 - AD user group download from AD (uses LDAP/LDAPS) so we can use groups in ACLs etc.

2 - Server monitoring of the security log to monitor logins and make user -> IP mappings


WMI seems to be totally broken

Move to WinRM + HTTP + Kerberos (Kerberos is still encrypted)

CIMV2 part is needed and maybe DNS proxy to resolve local addresses.

on CLI

less mp-log useridd.log

How to Configure DNS Proxy on a Palo Alto Networks Firewall - Knowledge Base - Palo Alto Networks

Needed to add the service account to extra AD groups:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2

  • Distributed COM Users
  • Event Log Readers
  • Remote Management Users
  • Server Operators
  • WinRMRemoteWMIUsers__
