From SAASYAN docs

Assure Overrides Deployment Guide

Create LDAP service account

  • Create an LDAP service account in AD (can be called svc_assure for easy identification). It should be able to query AD users and group memberships.

Create AD groups

  • Create a security group in AD (can be called Assure_Admins for easy identification) and populate it with the users who need to have administrative privileges on Assure Overrides.
  • Create a security group in AD per student group (the group name can be prefixed with Assure_ for easy identification). These groups will be used to grant privileges over different student groups. Users placed in these groups will be allowed to log on to Assure Overrides and have access to the corresponding student groups. Refer to section 1.8.4 below for instructions on how to achieve this.

Generate API key

  • Generate an API key on the Palo Alto Networks Next Generation Firewall using the steps below. This API key will be used by Assure Overrides to programmatically create/remove the override rules.
  • To generate the key, you must construct a URL request using the user credentials as follows. Note that the user should have enough permissions to create security rules and custom categories using the API.
http(s)://hostname/api/?type=keygen&user=username&password=password
  • Make sure that special characters in the password are URL/percent-encoded.
  • The result will be an XML block that contains the key. It should look like the following:
API key generation.png
  • The key must be URL encoded when used in HTTP requests. The key generation operation uses the master key for generating keys. If you have not changed the master key from the default, all firewalls with the same username/password will return the same key. You must change the master key on the device if you want different keys returned for the same username/password combination on two different devices.
  • To revoke or change the key, change the password of the associated admin account. As a best practice, set up a separate privileged account for XML API access.
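
The keygen steps above as an added Python example (not Saasyan or Palo Alto Networks code): it builds the request URL with a percent-encoded password, extracts the key from the XML reply, percent-encodes the key for later requests, and masks secrets before a URL is logged. The hostname, account name, password and both XML replies are constructed samples, and the reply layout (response/result/key) is an assumption, since the page's screenshot is not reproduced here.

```python
import urllib.parse
import xml.etree.ElementTree as ET

SECRET_PARAMS = {"password", "key"}

def build_keygen_url(hostname, username, password):
    """Build the keygen URL from the guide, HTTPS only, values percent-encoded."""
    query = urllib.parse.urlencode(
        {"type": "keygen", "user": username, "password": password},
        quote_via=urllib.parse.quote,  # %20 for spaces, never '+'
    )
    return f"https://{hostname}/api/?{query}"

def parse_keygen_response(xml_text):
    """Return the API key, or raise ValueError if the firewall reported an error."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("keygen failed: " + (root.findtext(".//msg") or "no message"))
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise ValueError("keygen reply contains no <key> element")
    return key

def encode_key(key):
    """Percent-encode the key so '+', '/' and '=' survive in a key= parameter."""
    return urllib.parse.quote(key, safe="")

def redact(url):
    """Mask password= and key= values so the URL is safe to write to a log."""
    parts = urllib.parse.urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in urllib.parse.parse_qsl(parts.query)]
    return parts._replace(query=urllib.parse.urlencode(pairs)).geturl()

# Constructed sample replies (assumed layout, not captured from a firewall).
SAMPLE_OK = ('<response status="success"><result>'
             '<key>LUFRPT1EXAMPLEkey+with/special==</key></result></response>')
SAMPLE_ERROR = ('<response status="error" code="403"><result>'
                '<msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    # Hypothetical hostname, account name and password.
    url = build_keygen_url("fw.example.internal", "svc_assure_api", "p@ss&w/rd=1 x")
    print(redact(url))
    print(encode_key(parse_keygen_response(SAMPLE_OK)))
```

Because the request URL carries the password, log only the output of redact() and keep the returned key out of shell history and tickets.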

Assure Overrides Virtual Appliance

Deploy the virtual appliance provided to you by Saasyan into your environment. Make sure you set the network adapter's device status to connected, then start the VM.

Assure Overrides Virtual Appliance Management Console

Once the virtual appliance is deployed and started, use the provided login credentials to log on to its console. The Assure Collector management console will launch and you will see the screen below. Press OK to continue.

C1.png

You can perform several actions, as shown below. Either type the number or use the arrow keys to move up and down to select the desired action.

C2.png

Interface Configuration

C3.png

Select the interface ens32 and you will have two options.

C4.png

Select Static IP and enter the needed values for the static IP configuration. Make sure the DNS Nameservers are space-separated.

C5.png

Assure Overrides Web Interface

Launch your web browser and use the IP address to access Assure Overrides. Use the appliance admin account details (assure_adm with the provided password) to log in.

Saova login.png

Appliance Registration

The first step will be to register the appliance using your license key.

Saova control-panel.png

Once you enter a valid license key, you will be able to use your appliance and proceed with the configuration.

Saova register-appliance.png
  • The Palo Alto NGF certificate must be uploaded for the appliance to trust the self-signed certificate on the Palo Alto NGF. Optionally, you can upload your certificate and private key to be used on the Assure Overrides web interface.
  • You can also set Assure Overrides to display your logo by uploading a PNG file (with 45px height).

Appliance Admin Section

You can use the different sections in the Admin menu to perform your configurations.

Saova admin-menu.png

Change Appliance Admin Password

Before any other settings, it's advisable to use the Change Appliance Admin Password page to change the password for assure_adm.

Saova appliance-admin.png

Parameters

Most parameters used by Assure Overrides can be configured using the Parameters page. You can click on the value to edit it.

Saova parameters-1.png
Saova parameters-2.png

Groups

Using the Groups page, add the required student groups (as per your AD) along with the respective Assure groups you created in your AD (step 1.2). If a user is not a member of at least one Assure group, they will not be able to log in to Assure Overrides.

Saova groups.png