Scribd
Upload
120 views

Cybersecurity Foundation Lab 5: Using Two-Factor Authentication To Secure The Firewall

hfhfjkhff

Uploaded by

Jefry Gutiérrez Celis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
120 views

Cybersecurity Foundation Lab 5: Using Two-Factor Authentication To Secure The Firewall

hfhfjkhff

Uploaded by

Jefry Gutiérrez Celis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

CYBERSECURITY FOUNDATION

Lab 5: Using Two-Factor Authentication to


Secure the Firewall
Document Version: 2021-01-22

Copyright © 2021 Network Development Group, Inc.


www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab: 5 Using Two-Factor Authentication to secure the Firewall

Contents
Introduction ........................................................................................................................ 3
Objective ............................................................................................................................. 3
Lab Topology ....................................................................................................................... 4
Lab Settings ......................................................................................................................... 5
5 Using Two-Factor Authentication to Secure the Firewall ........................................... 6
5.0 Load Lab Configuration ....................................................................................... 6
5.1 Create Local User Account ................................................................................ 11
5.2 Generate Certificates......................................................................................... 12
5.3 Create a Certificate Profile ................................................................................ 15
5.4 Export Certificate and Commit .......................................................................... 18
5.5 Test Connectivity and Import Certificate on the Client .................................... 21

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2


Lab: 5 Using Two-Factor Authentication to secure the Firewall

Introduction

In this lab, you will configure the Firewall to use two-factor authentication using a
certificate, along with a username and password.

Objective

In this lab, you will perform the following tasks:

• Create a Local User Account


• Generate Certificates
• Create a Certificate Profile
• Export Certificate and Commit
• Test Connectivity and Import Certificate on the Client

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 3


Lab: 5 Using Two-Factor Authentication to secure the Firewall

Lab Topology

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 4


Lab: 5 Using Two-Factor Authentication to secure the Firewall

Lab Settings

The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.

Virtual Machine IP Address Account Password


(if needed) (if needed)

Client 192.168.1.20 lab-user Train1ng$

DMZ 192.168.50.10 root Pal0Alt0

Firewall 192.168.1.254 admin Train1ng$

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 5


Lab: 5 Using Two-Factor Authentication to secure the Firewall

5 Using Two-Factor Authentication to Secure the Firewall

5.0 Load Lab Configuration

In this section, you will load the Firewall configuration file.

1. Click on the Client tab to access the Client PC.

2. Log in to the Client PC as username lab-user, password Train1ng$.


3. Double-click the Chromium Web Browser icon located on the Desktop.

4. In the Chromium address field, type https://192.168.1.254 and press Enter.

5. You will see a “Your connection is not private” message. Click on the ADVANCED
link.

If you experience the “Unable to connect” or “502 Bad Gateway”


message while attempting to connect to the specified IP above, please
wait an additional 1-3 minutes for the Firewall to fully initialize.
Refresh the page to continue.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 6


Lab: 5 Using Two-Factor Authentication to secure the Firewall

6. Click on Proceed to 192.168.1.254 (unsafe).

7. Log in to the Firewall web interface as username admin, password Train1ng$.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 7


Lab: 5 Using Two-Factor Authentication to secure the Firewall

8. In the web interface, navigate to Device > Setup > Operations and click on Load
named configuration snapshot underneath the Configuration Management
section.

9. In the Load Named Configuration window, select pan-cf-lab-05.xml from the


Name dropdown box and click OK.

10. In the Loading Configuration window, a message will show Configuration is being
loaded. Please check the Task Manager for its status. You should reload the page
when the task is completed. Click Close to continue.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 8


Lab: 5 Using Two-Factor Authentication to secure the Firewall

11. Click the Tasks icon located at the bottom-right of the web interface.

12. In the Task Manager – All Tasks window, verify the Load type has successfully
completed. Click Close.

13. Click the Commit link located at the top-right of the web interface.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 9


Lab: 5 Using Two-Factor Authentication to secure the Firewall

14. In the Commit window, click Commit to proceed with committing the changes.

15. When the commit operation successfully completes, click Close to continue.

The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 10


Lab: 5 Using Two-Factor Authentication to secure the Firewall

5.1 Create Local User Account

In this section, you will create a local user account, lab-user. This account will be used
for authentication against the Firewall.

1. Navigate to Device > Administrators > Add.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 11


Lab: 5 Using Two-Factor Authentication to secure the Firewall

2. In the Administrator window, type lab-user in the Name field. Then, type
Pal0Alt0 in the Password and Confirm Password fields. Finally, click the OK
button.

5.2 Generate Certificates

In this section, you will generate two certificates. The first is a self-signed Root
Certificate Authority (CA) certificate, which is the top-most certificate in the certificate
chain. The Firewall can use this certificate to automatically issue certificates for other
uses. In this lab, you will use the Root CA certificate to generate a certificate for use on
the Client machine that is associated with the local user account, lab-user.

1. Navigate to Device > Certificate Management > Certificates.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 12


Lab: 5 Using Two-Factor Authentication to secure the Firewall

2. Click on the Generate button at the bottom-center of the center section.

3. In the Generate Certificate window, type lab-local in the Certificate Name field.
Then, type 192.168.1.254 in the Common Name field. Next, click the Certificate
Authority checkbox. Finally, click the Generate button.

This will generate a certificate for the Firewall to act as a Certificate


Authority (CA). By the Firewall being a CA, you can now issue a
certificate for the local account you created earlier, lab-user.

4. In the Generate Certificate window, click OK to continue.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 13


Lab: 5 Using Two-Factor Authentication to secure the Firewall

5. Click on the Generate button at the bottom-center of the center section.

6. In the Generate Certificate window, type lab-user in the Certificate Name field.
Then, type lab-user in the Common Name field. Next, select lab-local in the
Signed By dropdown. Finally, click the Generate button.

In setting the Common Name as lab-user, this will later be used as an


authentication field, to map to the local user account, lab-user.
Notice, you are using the previous root CA certificate, lab-local, to sign
this certificate.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 14


Lab: 5 Using Two-Factor Authentication to secure the Firewall

7. In the Generate Certificate window, click OK to continue.

5.3 Create a Certificate Profile

In this section, you will create a certificate profile. A certificate profile defines user and
device authentication for multiple services on the Firewall. The profile specifies which
certificates to use, how to verify certificate revocation status, and how that status
constrains access. In this lab, the certificate profile is created to tell the Firewall to use
the common-name of the certificate as a username. Then, you will tell the Firewall to
use this Certificate Profile to authenticate users.

1. Navigate to Device > Certificate Management > Certificate Profile > Add.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 15


Lab: 5 Using Two-Factor Authentication to secure the Firewall

2. In the Certification Profile window, type Cert-Local-Profile in the Name field.


Then, select Subject in the Username field dropdown. Next, click on the Add
button.

Notice the Username Field, when set to Subject, it will use “common-
name” as the default. The Firewall will now use the “common-name”
as the username. The lab-user certificate you generated earlier has a
common-name of lab-user and will therefore use lab-user to
authenticate the client machine.

3. In the Certificate Profile window, select lab-local in the CA Certificate dropdown.


Then, click the OK button.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 16


Lab: 5 Using Two-Factor Authentication to secure the Firewall

This maps back to the lab-local CA certificate you created earlier, and
the Firewall will use this to verify the authenticity of the client
supplied certificate, lab-user.

4. In the Certificate Profile window, click the OK button.

5. Navigate to Device > Setup > Management.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 17


Lab: 5 Using Two-Factor Authentication to secure the Firewall

6. Click the gear icon on the Authentication Settings section, located in the center.

7. In the Authentication Settings window, select Cert-Local-Profile for the


Certification Profile dropdown. Then, click on the OK button.

5.4 Export Certificate and Commit

In this section, you will export the lab-user certificate you generated on the Firewall.
Then, you will commit changes, causing the Firewall to start using certificates for
authentication.

1. Navigate to Device > Certificate Management > Certificates.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 18


Lab: 5 Using Two-Factor Authentication to secure the Firewall

2. Select the lab-user certificate and click on the Export Certificate button.

3. In the Export Certificate - lab-user window, select Encrypted Private Key and
Certificate (PKCS12) in the File Format dropdown. Then, type paloalto for the
Passphrase and Confirm Passphrase fields, then click on the OK button.

By using an Encrypted Private Key and Certificate, this creates an


additional security measure, as the passphrase is required to install
the certificate on a client machine.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 19


Lab: 5 Using Two-Factor Authentication to secure the Firewall

4. In the Save File window pop-up, verify the name of cert_lab-user.p12 is correct
in the Name field, verify the .p12 file is being saved in the Downloads folder, and
click Save.

5. Click the Commit link located at the top-right of the web interface.

6. In the Commit window, click Commit to proceed with committing the changes.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 20


Lab: 5 Using Two-Factor Authentication to secure the Firewall

7. When the commit operation reaches 99%, click Close to continue.

Notice the warning about the Web server being restarted, this is
because of the authentication changes you made. You will need to
click the Close button when it gets to 99%, since the web server is
restarting, you will not see it get to 100%.

8. Click the X in the upper-right to close the Chromium Web Browser.

5.5 Test Connectivity and Import Certificate on the Client

In this section, you will test connectivity to the Firewall. Then, you will import the lab-
user certificate on the Client machine and try again.

1. Open Chromium from the taskbar.

2. In the Chromium address field, type https://192.168.1.254 and press Enter.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 21


Lab: 5 Using Two-Factor Authentication to secure the Firewall

3. You will see a “Your connection is not private” message. Click on the ADVANCED
Link.

This message is displayed because the Firewall has a self-signed


certificate by default. The client does not have a Certificate Authority
that can validate the certificate.

4. Click on Proceed to 192.168.1.254 (unsafe).

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 22


Lab: 5 Using Two-Factor Authentication to secure the Firewall

5. You will see a “400 Bad Request - No Required SSL certificate was sent” message.
Click the X in the upper-right to close Chromium.

Notice you get a HTTP 400 Bad Request error. This is because the lab-
user certificate is not installed on the Client machine. The Firewall
administrators are not allowed to login unless they have the
certificate installed and have an account and password. These two
factors make up the Two-Factor Authentication in this lab.

6. To install the lab-user certificate, open Chromium from the taskbar.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 23


Lab: 5 Using Two-Factor Authentication to secure the Firewall

7. Click on the ellipsis icon and open the Settings in Chromium.

8. Scroll down and click on the Advanced settings in Chromium and then click on
Manage Certificates.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 24


Lab: 5 Using Two-Factor Authentication to secure the Firewall

9. In the Manage Certificates window, click Import.

10. In the Open File window, select cert_lab-user.p12 and then click the Open
button.

11. In the Enter your certificate password window, enter paloalto and click OK.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 25


Lab: 5 Using Two-Factor Authentication to secure the Firewall

12. In the Manage Certificates window, expand the org-lab-user view and verify the
lab-user certificate has been imported.

13. Click the X in the upper-right to close Chromium.

14. Open Chromium from the taskbar.

15. In the Chromium address field, type https://192.168.1.254 and press Enter.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 26


Lab: 5 Using Two-Factor Authentication to secure the Firewall

16. In the Select a certificate window, verify the lab-user certificate is selected and
click OK.

17. You will see a “Your connection is not private” message. Click on the ADVANCED
link).

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 27


Lab: 5 Using Two-Factor Authentication to secure the Firewall

18. Click on Proceed to 192.168.1.254 (unsafe).

19. The Firewall login window will be displayed. Type Pal0Alt0 for the Password
field. Then, click the Log In button.

Notice that lab-user is pre-populated for the Username because the


Certificate Profile you created earlier used the subject, common-name
for the Username field.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 28


Lab: 5 Using Two-Factor Authentication to secure the Firewall

20. On the Welcome window, click the Close button.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 29


Lab: 5 Using Two-Factor Authentication to secure the Firewall

21. You are now at the Palo Alto Networks Web GUI, logged on as lab-user. Notice
the username in the lower-left.

22. The lab is now complete; you may end the reservation.

1/22/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 30

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy