User's Manual

Dell Networking W-Series ArubaOS 6.4.x | User Guide    Palo Alto Networks Firewall Integration | 620
Chapter 28
Palo Alto Networks Firewall Integration
The User-Identification (User-ID) feature of the Palo Alto Networks (PAN) firewall allows network administrators to configure and enforce firewall policies based on users and user groups. User-ID identifies a user on the network by the IP address of the device the user is logged into. Additionally, firewall policy can be applied based on the type of device the user is using to connect to the network. Since the Dell controller maintains the network and user information for the clients on the network, it is the best source of information for the User-ID feature on the PAN firewall.
PAN firewall integration with ArubaOS requires PAN-OS 5.0 or later.
This feature introduces the following interactions with PAN firewall servers:
• Send logon events to the PAN firewall for the client with its IP address, user name, and device type, when classified.
• Send logout events to PAN firewalls for the client with its IP address.
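The two interactions above amount to a user-to-IP mapping being pushed to the firewall and later cleared. The following added example (not code from ArubaOS or Palo Alto Networks) builds and checks such logon/logout messages, assuming the PAN-OS User-ID XML API format (`<uid-message>` with `login`/`logout` entries); the user names, IP addresses and timeout value are constructed sample data.

```python
# Added example: build and parse User-ID login/logout messages, assuming the
# PAN-OS User-ID XML API layout. Sample users, IPs and timeout are constructed.
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(logins, logouts, timeout_min=None):
    """Return a <uid-message> string mapping users to IPs (login) and clearing them (logout).

    logins / logouts: lists of (username, ip) tuples.
    Each IP is validated so a malformed address is rejected before it reaches the
    firewall; ElementTree escapes characters such as quotes and '&' in user names.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for kind, entries in (("login", logins), ("logout", logouts)):
        if not entries:
            continue
        section = ET.SubElement(payload, kind)
        for name, ip in entries:
            ipaddress.ip_address(ip)  # raises ValueError on a bad address
            attrs = {"name": name, "ip": ip}
            if kind == "login" and timeout_min is not None:
                attrs["timeout"] = str(timeout_min)  # assumed attribute name
            ET.SubElement(section, "entry", attrs)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Parse a <uid-message> back into {'login': [(name, ip), ...], 'logout': [...]}.

    Useful for checking what a controller actually sent, e.g. from a capture.
    """
    root = ET.fromstring(xml_text)
    result = {"login": [], "logout": []}
    for kind in result:
        for entry in root.findall(f"./payload/{kind}/entry"):
            result[kind].append((entry.get("name"), entry.get("ip")))
    return result


if __name__ == "__main__":
    # Constructed sample: one client logs on, another logs off.
    msg = build_uid_message([("corp\\alice", "10.1.20.5")],
                            [("corp\\bob", "10.1.20.9")], timeout_min=60)
    print(msg)
    print(parse_uid_message(msg))
```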
The following must be configured on the PAN Firewall:
• An Admin account must be created on the PAN firewall to allow the controller to send data to the PAN firewall. This account must match the account added in the PAN profile on the controller. The built-in Admin account can be used for this purpose, but that is not recommended. It is better to create a new Admin account used solely for communication between the controller and the PAN firewall.
• Preconfiguration of PAN Host Information Profile (HIP) objects and HIP profiles on the PAN Firewall to support a device-type based policy.
To enable these features, the following must be configured on the controller:
• A system-wide PAN profile must be properly configured and made active on the controller.
• The pan-integration knob in the AAA profile with which the client is associated must be enabled.
• For VPN clients, the pan-integration knob in the VPN authentication profile with which the client is associated must be enabled.
• For VIA clients, the pan-integration knob in the VIA authentication profile with which the client is associated must be enabled.
Limitations
Keep the following limitations in mind when configuring PAN Firewall Integration:
• PAN Firewall Integration does not support bridge forwarding mode.
• The W-600 Series controller does not support PAN Firewall integration.
Preconfiguration on the PAN Firewall
Before the PAN Firewall configuration is completed on the controller, some configuration must be completed on the PAN Firewall.