Palo Alto NGFW 10.1.7 - REST API Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-29

This section describes how to integrate Palo Alto NGFW with RSA Cloud Authentication Service using REST API.

Procedure

  1. Log in to the RSA Cloud Console and go to My Account > Company Settings > Authentication API Keys > Add.
  2. Fetch the corresponding CA certificates from your tenant URL; they are used later on the Palo Alto side.
  3. In the Palo Alto GUI, go to Device > Multi-Factor Authentication Profile and enter the values fetched above: the Access ID is the name of the API key created in the RSA Cloud Console, and the Client Key is that key's value.
  4. Bind this MFA profile to an existing authentication profile (RADIUS, SAML, LDAP or Local Database), whichever matches your deployment.
  5. After adding the policy rule that allows traffic from any user to the protected resource, create an Authentication Policy rule.
  6. Before the Authentication rule can work, complete two prerequisites:
    a. Configure the Authentication Portal under Device > User Identification > Authentication Portal.
    - The mode must be Redirect for this to work. Choose the SSL/TLS Service Profile you need, then select the authentication profile the portal is bound to. The Redirect Host must be an IP address that exists on the Palo Alto NGFW; in the screenshot it is the FQDN of the firewall, which resolves to one of its interfaces.
    b. Go to Objects > Authentication and create an Authentication Enforcement object.
    - The interface that users are redirected to (per the step above) must allow Response Pages in its Interface Management Profile. To verify, go to Network > Interfaces, open that interface, go to Advanced and note the Management Profile assigned to it.
    - Go to Network > Interface Management Profile, open the profile noted from the interface, and make sure Response Pages is checked.
  7. Navigate to Policies > Authentication, create your policy, and under Actions choose the Authentication Enforcement object created above.
  8. Assign the MFA profile to the authentication profile in use, and make sure that same profile is referenced in both the Authentication Portal and the Authentication Enforcement object. In this example we use the SAML profile called RSA_CLOUD_SSO, which was originally used for SAML authentication only; enabling Additional Authentication Factors makes it also send REST API requests to RSA Cloud.
  9. Other authentication profile types (RADIUS, LDAP, Local Database) can be combined with the MFA profile in the same way, not only SAML. Finally, commit the changes to the firewall.

Configuration is complete.
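The certificate step (step 2) is usually done by hand in a browser. The following shell script is an added example, not part of this guide or of either product: it retrieves the TLS chain a tenant hostname presents, splits it into one PEM file per certificate, and flags which entries are CA certificates (the ones to import into the firewall certificate profile). It assumes openssl and awk are available; the tenant hostname is supplied by you (tenant.example.com below is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the guide: retrieve the TLS chain an RSA Cloud
# tenant presents (step 2), split it into one PEM file per certificate, and
# flag the CA entries, which are the ones to import into the firewall
# certificate profile. Assumes openssl and awk; the tenant hostname is an
# argument you supply (placeholder: tenant.example.com).
set -eu

# Print the PEM chain served on port 443 by the given host, with SNI set.
fetch_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null
}

# Read a PEM chain on stdin, write cert-1.pem, cert-2.pem, ... into the given
# directory (anything outside BEGIN/END markers is dropped), and print the
# number of certificates found.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Classify one PEM file: "ca" when basicConstraints carries CA:TRUE, otherwise
# "leaf" (the tenant's own server certificate, which is not imported).
cert_kind() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

main() {
    host="${1:?usage: $0 tenant-hostname [output-dir]}"   # e.g. tenant.example.com
    out="${2:-rsa-chain}"
    count=$(fetch_chain "$host" | split_chain "$out")
    echo "$count certificate(s) written to $out/"
    for f in "$out"/cert-*.pem; do
        printf '%s  %s  ' "$(cert_kind "$f")" "$f"
        openssl x509 -in "$f" -noout -subject
    done
}

# Run main only when executed as a script; sourcing just defines the functions.
case "${0##*/}" in
    rsa_chain.sh) main "$@" ;;
esac
```

Import only the files reported as `ca` into the certificate profile referenced by the MFA profile; the `leaf` entry is the tenant's server certificate and rotates independently of its issuers.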
