Palo Alto Web-GUI UI Admin - Azure AD
Hello community, thank you as always for your time and collaboration.
I have a question: a client is asking me whether Azure AD can be used to authenticate administrative access to the firewall...
We have already configured it with GlobalProtect without any problems, but with GlobalProtect the portal is exposed to the Internet... that means that I would have to expose my MGT to the Internet... I think this is not a good idea.
The client wants to use their Azure AD users, and therefore the MFA that they have in Azure, but I feel that it is not the best idea if the Web-GUI must be exposed to the Internet.
Is there any alternative for this, to use it offline or locally, or somehow without having to expose the Web-GUI?
Thanks, I'll stay tuned.
Kind regards
This works perfectly, and you don't need to expose your management interface to the internet for this (your client does need internet access, as they need to interface with the IdP).
There's an enterprise application in Azure specifically for management access; go ahead and activate that and download the meta file.
Create a SAML profile on the firewall and import the meta file, create an associated authentication profile, and set the auth profile as the authentication method under Device > Setup.
If your mgmt interface does not have internet access (to reach out to the IdP), set up a service route (but since GP works, this last part won't be an issue).
In the enterprise app you can create roles; those roles need to match either superuser or an admin profile.
Done :)