Ruckus and Palo Alto User-ID on Guest Network (two different network addresses)

  • Question
  • Updated 3 years ago
Hi

We have a Ruckus ZoneDirector 1100 and a Palo Alto firewall.

We have 3 wi-fi networks set up. In simple terms, one internal, two on a different network.

The ZoneDirector has a 10.35.x.x address, the other networks have a 172.16.x.x address. One of the networks requires the users to log in via their Active Directory credentials, and I am trying to set up the Palo Alto to monitor this network so I can see who has done what.

I’m assuming that I connect the palo alto to the ruckus syslog somehow, but I can’t work out how to monitor the 172.16 network.

The internal network is monitoring fine (but then again it should, as it's on the same network and part of the Active Directory network), but the guest network I can't seem to monitor.

Can anyone point me in the right direction please.

If you need any further information regarding my set up, please let me know

Thanks

Tony
Tony Cable

Posted 3 years ago

Michael Brado, Official Rep
I'm not familiar with Palo Alto FWs, but I know they can inspect packets to look for viruses, etc. I don't know your router configuration or where the ZD connects into the network. If you use three different VLANs to segment your three WLANs, and can monitor your internal 10.35.x.x, then does the PANW box have an interface on your 10.35.x.x network too? If so, does it have another port that can connect to the 172.16.x.x VLAN/subnet? It may take an interface on the VLAN/subnet to do its inspection/FW duties. I suspect you would have a PANW interface on 172.16.x.x and would specify their IP as your AD server, if you are logging in guest users via their AD. If they only want syslog, you can point to any IP host as an external syslog recipient.
Lukas
As the link was cut:
https://github.com/cesanetwan/ uid-radius-script-ps/
(please remove the blank space after the dash)
Tony Cable
Hi

Thanks for your replies.

The Palo Alto can see the ruckus, and when I go to monitor tab on the firewall, it can see all the IP addresses on the 172.16 network, I just need to try and link it to the actual users that are logged in.

The Ruckus goes to my core switch, which is then connected to the Palo Alto.

We have set up on interface 4 on the Palo Alto (which is the internal link) a 4.99 for the VLAN so the traffic goes through (see image, as I don't think this makes a lot of sense).

Other than the guest network, nothing else is on the network. The AD server that the ruckus uses is on the 10.35 network, and I can see that the ruckus identifies the user accounts ok etc, I'm just trying to find a way for the firewall to see it, so the same filtering rules can apply.

Thanks
Tony Cable
and I should add I have opened a call with Palo Alto as well on this matter, to see if they can assist me.
Kyle Andrews-Gato
We are also interested in this. We may have to switch away from Ruckus if we can't get our Palo Alto to work well with it and identify our users.
Odilo Junior
First of all, you are using the 9.8+ version, right?

Why don't you install the PA User-ID agent in your Active Directory server?

We are fully integrated here with ZoneDirector 3000 version 9.8.2 and PA 5020 using PANOS 6.0.4.

Our most used WLAN is working with 802.1x auth (Radius), so we forward the ZD SYSLOG to a Windows Machine that is running the PA User ID Agent to collect the login information. It was really simple to configure with some simple Regex.

For other WLANs that use WPA2/PSK, where the users must use their AD login to authenticate on our domain machines, we get the user authentication through the PA User-ID agent running on our AD server. The same for our wired network.

You need to configure all of your agents on the PA FW as well.

If you simply want to forward the syslog from the ZD to the PA, you need to enable "User-ID Syslog Listener-SSL, User-ID, User-ID Syslog Listener-UDP" on the management interface of your PAN FW, and then forward your syslog to the management interface (IP) on the PA.
Cheers.
Tony Cable
Hi

Thanks for this, I've been looking at this, and I'm going to upgrade the firmware on the box to 9.8.2.0.15 either tonight or over the weekend, and I'll attempt to do this to see how it works.

I'll be trying the syslog forwarding from the ZD to the PA in the first instance, and see where we go from there... I'll give you an update next week!
Odilo Junior
Hey Tony, take a look at this topic https://forums.ruckuswireless.com/ruc...

We also discussed the integration between Ruckus and PA. Maybe it can help you.

Cheers.
Tony Cable
Hi Odilo

I'm trying this, from your other link, but i'm slightly confused with one of the steps.

You're adding a Server Monitoring entry for the ZoneDirector, type syslog server. What IP address do I put in there? The IP for the ZoneDirector, or the IP for the management interface (or something else)?

Whatever I put in, I don't seem to be getting a source user mapping.

Also, for the Username Regex section, our usernames are letters and numbers, so I changed it to sta_name(?:=.*\\|=)([a-z0-9]+); Is that correct?

Thanks
Tony Cable
Don't worry, managed to sort it out. Done it in a slightly different way to what you have outlined above, but it is finally starting to sort itself out and filter correctly on the guest network.

Thanks all for the help and suggestions.
Odilo Junior
Hi, good that is working now.
Answering your question: on Server Monitoring you should add the ZD IP, the one that is sending the logs to the PA; it is basically allowing that IP to send syslog events.

About the regex, I have used this site to test the regex patterns: regex101.com.

Can you explain to us how you managed to get it to work?

Thanks, cheers.
Tony Cable
It was more or less the same as above, but I couldn't get it to work as a Regex Identifier. It was getting the logs, but wasn't identifying the success ones, so I changed it to Field Identifier, and it now all appears to be working fine.

The next stage is to tidy it up so it's not sending so many logs to the Palo Alto, but it is identifying devices correctly and applying the right filters.
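The two parse styles discussed in this thread can be replayed offline. The Python below is an added example written for this thread, not Palo Alto's or Ruckus's code: it runs the `sta_name(?:=.*\\|=)([a-z0-9]+)` pattern quoted above and a prefix/delimiter field parse over a few constructed syslog-style lines (the `event=`, `sta_name=`, `sta_ip=` and `wlan=` field names are assumptions for illustration, not a captured ZoneDirector log format), keeps only the lines marked as successful joins, and ages the resulting IP-to-user mappings with an illustrative 45-minute timeout. It shows that the lowercase-only character class in the regex truncates `CONTOSO\tony.cable` to `tony` and matches nothing at all on a mixed-case name, whereas the field parse takes the whole token, and that a quiet client whose mapping is never refreshed simply ages out.

```python
"""Added example: replaying Ruckus-style syslog through two PAN User-ID parse
styles (Regex Identifier vs Field Identifier) and ageing IP-to-user mappings.

This emulates the parse logic for illustration; it is not Palo Alto's or
Ruckus's code.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines. The field names (event=, sta_name=, sta_ip=, wlan=)
# are assumptions for illustration, not a captured ZoneDirector log format.
SAMPLE_SYSLOG = [
    "Mar 12 08:01:02 zd1100 stamgr: event=join sta_name=CONTOSO\\tony.cable sta_ip=172.16.20.15 wlan=Guest-AD",
    "Mar 12 08:01:09 zd1100 stamgr: event=join sta_name=jsmith99 sta_ip=172.16.20.16 wlan=Guest-AD",
    "Mar 12 08:01:15 zd1100 stamgr: event=auth-fail sta_name=CONTOSO\\baduser sta_ip=172.16.20.17 wlan=Guest-AD",
    "Mar 12 08:02:00 zd1100 stamgr: event=join sta_name=CONTOSO\\Tony.Cable2 sta_ip=172.16.20.18 wlan=Guest-AD",
    "Mar 12 08:02:30 zd1100 apmgr: AP[ap-03] heartbeat ok",
]

# The username regex exactly as posted in the thread. The character class only
# allows lowercase letters and digits, so it stops at the first dot or capital.
PAGE_USERNAME_REGEX = re.compile(r"sta_name(?:=.*\\|=)([a-z0-9]+)")

# Only lines that represent a successful join should create a mapping.
# "event=join" is an assumed marker tied to the constructed lines above.
SUCCESS_EVENT = "event=join"

# Illustrative mapping lifetime; PAN-OS has a configurable User-ID timeout.
MAPPING_TIMEOUT = timedelta(minutes=45)
LOG_YEAR = 2024  # syslog timestamps carry no year


def regex_identifier(line: str) -> Optional[str]:
    """Emulate a Regex Identifier parse: return capture group 1 or None."""
    m = PAGE_USERNAME_REGEX.search(line)
    return m.group(1) if m else None


def field_identifier(line: str, prefix: str, delimiter: str = " ") -> Optional[str]:
    """Emulate a Field Identifier parse: the text after `prefix` up to the next
    `delimiter` (or end of line). Takes the whole token, whatever its case."""
    start = line.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = line.find(delimiter, start)
    value = line[start:] if end == -1 else line[start:end]
    return value or None


def normalize_user(raw: str) -> str:
    """Strip a DOMAIN\\ prefix and lowercase, so the same account maps the same
    way regardless of how the supplicant typed it."""
    return raw.rsplit("\\", 1)[-1].lower()


def parse_timestamp(line: str) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp of a line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def build_mappings(lines, timeout=MAPPING_TIMEOUT):
    """Return {ip: (user, expires_at)} from successful join events only,
    using field parsing for both the username and the client address."""
    mappings = {}
    for line in lines:
        if SUCCESS_EVENT not in line:
            continue
        user = field_identifier(line, "sta_name=")
        ip = field_identifier(line, "sta_ip=")
        if not user or not ip:
            continue
        mappings[ip] = (normalize_user(user), parse_timestamp(line) + timeout)
    return mappings


def active_mappings(mappings, now: datetime):
    """Mappings that have not aged out at `now`. A client that sends no new
    join event before the timeout disappears from the table."""
    return {ip: user for ip, (user, exp) in mappings.items() if now < exp}


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(f"regex -> {regex_identifier(line)!r:12} field -> {field_identifier(line, 'sta_name=')!r}")
    table = build_mappings(SAMPLE_SYSLOG)
    print(active_mappings(table, parse_timestamp("Mar 12 08:46:30 now")))
```

Run it as a script to see the side-by-side parse results; the `event=join` filter is what stands in for the parse profile's event string, so failed authentications never create a mapping.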
Odilo Junior
Got it.. awesome!
I tried to use Field Identifier, but I don't remember why it didn't work.
I'll do some tests later to check it out.

What is the PAN OS version you are using?

We have set on ZD at Log settings to Critical Events Only and at Diagnostics -> Debug Level only Client Association is checked.

Cheers!
Tony Cable
I'm on 6.0.7 at the moment.

I've got the log settings the same, but it is sending a whole lot of logs to the PA.

It does appear to be working, but it doesn't appear to be mapping everyone, and some mappings are dropping off half way through the day (I've personally seen it with my mobile device), so I'm not sure if something isn't quite set up right, or so many logs are being sent that it loses the mapping at some point during the day (but it is better than nothing at the moment!).