Set Up Palo Alto Networks Firewall Authentication

Create a Palo Alto Networks Firewall record in order to authenticate to a firewall instance. Palo Alto authentication is supported for vulnerability scans and compliance scans using Qualys apps VM, PA, SCA.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PA by record type, please refer to the following article:

Authentication Technologies Matrix

What login credentials are required?

- The user account you provide for authentication must have either the predefined role "Superuser (read-only)" or a custom role with the XML API privileges Configuration and Operational Requests enabled.

- We use the PAN-OS XML API to retrieve system information from the Palo Alto Networks firewall over TCP port 443, so this port must be open from the scanner to the device.

How do I get started?

- Go to Scans > Authentication.

- Go to New > Network and Security > Palo Alto Networks Firewall.

- Provide basic login credentials (username and password) or get your password from a supported password vault.

Vault support

We support integration with multiple third-party password vaults. Go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record and select your vault name. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Using the BeyondTrust PBPS vault? You must enter the system name directly in the Palo Alto Networks Firewall record, because auto-discovery of the system name is not supported for this authentication type. Also, if the vault account name for which we need to query a password differs from the username defined in the Palo Alto Networks Firewall record, enter it directly in the Account Name field.

Tell me about SSL Verify

By default, the scanner verifies the SSL certificate presented by the Palo Alto Networks device to make sure the certificate is valid and trusted. You may want to clear this option to skip SSL verification if the device is not configured with a certificate, the certificate was not issued by a well-known certificate authority (CA), or the certificate is self-signed. With the option cleared, the scanner accepts whatever certificate the device presents.
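As an added pre-flight check (example code, not Qualys's or Palo Alto Networks' own), the script below exercises the two things the record above depends on: a PAN-OS XML API keygen with the supplied account over TLS on port 443, then one operational request to confirm the Operational Requests privilege. Host, username, password and the SSL Verify choice come from environment variables (PAN_HOST, PAN_USER, PAN_PASS, PAN_VERIFY_TLS are assumed names); the sample replies are constructed so the parsers also run offline.

```python
# Example pre-flight check, not Qualys or Palo Alto Networks code. Environment variable
# names are assumptions; the SAMPLE_* replies are constructed for offline use.
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAMPLE_KEYGEN_OK = "<response status='success'><result><key>LUFRPT-CONSTRUCTED-KEY</key></result></response>"
SAMPLE_KEYGEN_DENIED = "<response status='error' code='403'><result><msg>Invalid Credential</msg></result></response>"
SAMPLE_SYSINFO = ("<response status='success'><result><system><hostname>fw-edge-01</hostname>"
                  "<model>PA-CONSTRUCTED</model><sw-version>0.0.0-sample</sw-version></system></result></response>")

def parse_keygen(xml_text):
    """Return the API key from a keygen reply; raise with the PAN-OS message on failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise PermissionError(f"keygen failed (code {root.get('code')}): {root.findtext('.//msg')}")
    return root.findtext("./result/key")

def parse_system_info(xml_text):
    """Return hostname/model/version from 'show system info'; raise if the op request was refused."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise PermissionError(f"op request refused (code {root.get('code')}): {root.findtext('.//msg')}")
    system = root.find("./result/system")
    return {tag: system.findtext(tag) for tag in ("hostname", "model", "sw-version")}

def api_post(host, params, verify_tls=True):
    """POST to https://<host>/api/ so credentials stay out of the URL and the web server logs."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as clearing SSL Verify: any certificate is accepted
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=body, context=ctx, timeout=15) as resp:
        return resp.read().decode()

def check_firewall(host, user, password, verify_tls=True):
    """Keygen, then one operational request: the two steps the scanner's record depends on."""
    key = parse_keygen(api_post(host, {"type": "keygen", "user": user, "password": password}, verify_tls))
    cmd = "<show><system><info></info></system></show>"
    return parse_system_info(api_post(host, {"type": "op", "cmd": cmd, "key": key}, verify_tls))

if __name__ == "__main__":
    if os.environ.get("PAN_HOST"):  # live check against a real device
        print(check_firewall(os.environ["PAN_HOST"], os.environ["PAN_USER"], os.environ["PAN_PASS"],
                             os.environ.get("PAN_VERIFY_TLS", "1") == "1"))
    else:  # offline: exercise the parsers on the constructed replies
        print(parse_keygen(SAMPLE_KEYGEN_OK), parse_system_info(SAMPLE_SYSINFO))
```

A 403 from keygen means the credentials are wrong; a success from keygen followed by an error from the op request points at a custom role that lacks the Operational Requests privilege.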

Which IPs should I add to my record?

Select the target hosts (IPs) to authenticate to. Each IP can belong to only one Palo Alto Networks Firewall record.

Do you have Tag Support enabled?

If your subscription has Tag Support for Authentication Records enabled, then you'll see additional options for specifying hosts using asset tags. Choose an asset type and then provide IPs or tags to the record. Your asset type options are: IPs/Ranges, IP Range in Tag Rule and Asset Tags.

For domain-level authentication, you can add assets only when the domain type is "NetBIOS, User-Selected IPs". The Assets section is disabled when the domain type is "NetBIOS, Service-Selected IPs" or "Active Directory".

Asset Type: IPs/Ranges
Use this option to add IP addresses/ranges to the record. Enter the IP addresses/ranges in the field provided.

Asset Type: IP Range in Tag Rule
Use this option to add tags that have IP address ranges defined in the tag rule. All IP addresses defined in the tag rule will be associated with the record, including IPs that don’t already have the tag assigned. Click Add Tag to pick tags to include or exclude. Note that only tags with the dynamic tag rule “IP Address in Range(s)” will be available in the tag selector.

Asset Type: Asset Tags
Use this option to add tags to the record for the assets you want included. IP addresses with the selected tags already assigned will be associated with the record. Click Add Tag to pick tags to include or exclude.
