configuration file - lithnet/pan-ra-proxy GitHub Wiki
After installing the proxy service, complete the configuration by editing the configuration file with a text editor of your choice. By default the file is located in the installation folder at the following path.
C:\Program Files\Lithnet\PAN RA Proxy\Lithnet.Pan.RAProxy.exe.config
The file holds the firewall API key and the RADIUS shared secrets in plain text, so restrict NTFS read access on it to administrators and the account the service runs as, and keep it out of any scripts or backups that are shared more widely.
To complete the configuration, you will need the following information:
- The host name of the PA firewall
- An API key for a user who has permission to submit User-ID updates to the firewall through the XML API
- The host names or IP addresses of the remote RADIUS servers that will send RADIUS accounting information to the proxy
- The shared secret for each of those RADIUS servers
The following example shows a complete configuration file. Note that it enables debug logging and disables certificate validation on the firewall endpoint; both are troubleshooting settings, described below, that should be turned off in production.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <section name="ra-proxy-config" type="Lithnet.Pan.RAProxy.RAProxyConfigurationSection,Lithnet.Pan.RAProxy" />
  </configSections>
  <ra-proxy-config debug-enabled="true" username-filter="">
    <pan-api-endpoints disable-certificate-validation="true" batch-size="200" batch-wait="50">
      <pan-api-endpoint url="https://test-fw/api/" api-key="LUFRPT1Oa1lhZVlvT2JTckhTY2pRcVpiOStnRkF3OEk9WlR5NENPNEE3MGVFcVRtQ1JLTldSWGtkdC9EcVhRc3VDTW41b0R3eGlHVT0" />
    </pan-api-endpoints>
    <username-rewrites output-format="nt4">
      <username-rewrite match="^([^\.\@\\]+)$" replace="domain\$1"/>
      <username-rewrite match="^(.+)@domain.local$" replace="domain\$1"/>
    </username-rewrites>
    <radius-servers>
      <radius-server host="127.0.0.1" secret="test"/>
      <radius-server host="myhost" secret="test"/>
    </radius-servers>
    <radius-client accounting-port="1813"/>
  </ra-proxy-config>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
  </startup>
</configuration>
```
The ra-proxy-config element accepts the following settings.
Setting | Default value | Description |
---|---|---|
debug-enabled | false | Indicates whether debug messages are written to the event log |
username-filter | null | If specified, a regular expression used to filter and discard incoming accounting messages based on the username |
The pan-api-endpoints element accepts the following settings.
Setting | Default value | Description |
---|---|---|
disable-certificate-validation | false | Disables validation of the TLS certificate presented by the Palo Alto firewall API endpoint. Use it only while troubleshooting: with validation disabled, the API key is sent to whatever host answers at the configured URL, so anyone who can intercept the connection can capture it. The example configuration above has it set to true; set it back to false once the firewall's certificate is trusted by the host running the proxy |
batch-size | 200 | The maximum number of User-ID updates to send to the firewall in a single message |
batch-wait | 50 | The maximum time, in milliseconds, to wait for a full batch of batch-size updates before sending whatever is in the queue. A batch is submitted either when batch-size is reached or when batch-wait has elapsed |
Create one pan-api-endpoint element for each firewall in a redundant configuration. If one endpoint is down, the service fails over to the next endpoint in the list. The firewalls must be participating in the same farm: this is a failover list, not a way to update several independent firewall sets.
Setting | Description |
---|---|
url | The URL of the firewall's XML API endpoint, for example https://test-fw/api/ |
api-key | The API key issued by the firewall |
The API key can be obtained with the following request; see the Palo Alto Networks firewall documentation for details.
https://firewall/api/?type=keygen&user=username&password=password
Because the username and password are part of the URL, a request made this way from a browser leaves them in the browser history and possibly in proxy or web server logs; the same parameters can instead be sent in the body of a POST request, which keeps them out of the URL. Treat the returned key like a password: it carries the API permissions of the user it was generated for, and the sample key in the configuration above must be replaced with your own.
The username-rewrites element contains one or more username-rewrite elements. Username rewrites transform the incoming username into a standard form for the firewall. Other PAN agents commonly submit the username in DOMAIN\username format, so for consistency you can normalize incoming usernames into that format.
Setting | Description |
---|---|
output-format | When set to nt4, forces the proxy to look up the incoming username in Active Directory and output it in NT format (domain\username); when set to upn, it outputs the UPN (user@domain). This gives the firewall a consistent username format regardless of the format the user logged in with |
Each username-rewrite element has the following settings.
Setting | Description |
---|---|
match | A regular expression the incoming username is matched against |
replace | The replacement pattern applied when the username matches |
Any .NET regular expression pattern is valid, and the replacement uses .NET substitution syntax, so $1 inserts the first capture group (as in the domain\$1 replacements in the example above). You can test patterns with a tool such as Regex Storm, which uses the .NET engine.
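To check the rewrite rules before the service loads them, the following Python script (an added example, not part of lithnet/pan-ra-proxy) reads the username-rewrites section from a configuration file and applies the rules to sample usernames. It assumes the proxy applies the rules in document order, each to the output of the previous one, which this page does not state, and it translates the .NET $1 substitution syntax into Python's, because the service itself runs the .NET regex engine. The embedded configuration is a constructed copy of the rules in the example above.

```python
"""Dry-run the username-rewrite rules from Lithnet.Pan.RAProxy.exe.config.

Added example; it is not part of the lithnet/pan-ra-proxy project.
Assumption (not stated in the wiki): the proxy applies the rules in document
order, each rule to the output of the previous one.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <username-rewrites> section from the wiki's example
# configuration, wrapped in its parent elements. A raw string keeps the
# backslashes exactly as they appear in the file.
SAMPLE_CONFIG = r"""<configuration>
  <ra-proxy-config debug-enabled="false" username-filter="">
    <username-rewrites output-format="nt4">
      <username-rewrite match="^([^\.\@\\]+)$" replace="domain\$1"/>
      <username-rewrite match="^(.+)@domain.local$" replace="domain\$1"/>
    </username-rewrites>
  </ra-proxy-config>
</configuration>
"""

_DOTNET_GROUP_REF = re.compile(r"\$(\d+|\{\w+\})")


def dotnet_to_python_replacement(repl: str) -> str:
    r"""Translate a .NET Regex.Replace substitution into Python re.sub syntax.

    In .NET a backslash in the replacement is a literal character, $1 or
    ${name} inserts a capture group and $$ is a literal dollar sign. Python
    treats backslash as an escape, so backslashes are doubled and the group
    references are rewritten in Python's \g<...> form.
    """
    out = repl.replace("\\", "\\\\")
    out = out.replace("$$", "\x00")  # park literal dollars during the rewrite
    out = _DOTNET_GROUP_REF.sub(lambda m: r"\g<" + m.group(1).strip("{}") + ">", out)
    return out.replace("\x00", "$")


def load_rewrites(config_xml: str):
    """Return [(compiled pattern, Python replacement), ...] in document order."""
    root = ET.fromstring(config_xml)
    return [
        (re.compile(el.get("match")), dotnet_to_python_replacement(el.get("replace")))
        for el in root.iter("username-rewrite")
    ]


def rewrite(username: str, rules) -> str:
    """Apply every rule in turn; a rule that does not match leaves the name unchanged."""
    for pattern, replacement in rules:
        username = pattern.sub(replacement, username)
    return username


if __name__ == "__main__":
    # Pass the path of the real config file to test the rules the service will load.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            source = f.read()
    else:
        source = SAMPLE_CONFIG
    rules = load_rewrites(source)
    for name in ["jsmith", "jsmith@domain.local", "DOMAIN\\jsmith", "john.smith", "jsmith@other.example"]:
        print(f"{name!r:32} -> {rewrite(name, rules)!r}")
```

Run it with the path of Lithnet.Pan.RAProxy.exe.config to test the real rules. With the example rules, jsmith and jsmith@domain.local both become domain\jsmith, an already qualified DOMAIN\jsmith passes through unchanged, and john.smith is left untouched because the first rule's character class excludes dots. Note also that the unescaped dot in domain.local lets the second rule match any single character in that position, so write domain\.local if that matters.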
Each RADIUS server that will submit accounting updates to this service needs its own radius-server element, with host set to that server's host name or IP address and secret set to the shared secret configured on that server for the proxy.
The radius-client element accepts the following setting.
Setting | Default value | Description |
---|---|---|
accounting-port | 1813 | The UDP port the proxy listens on for accounting requests. Change it if the proxy runs on the same host as an NPS server that is also listening for accounting requests; the RADIUS servers must then be configured to send accounting to the new port |
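To confirm that a radius-server entry, its shared secret and the accounting port work together, the following Python script (an added example, not part of lithnet/pan-ra-proxy) builds the RADIUS Accounting-Request that a RADIUS server sends when it forwards accounting, authenticates it with the shared secret as RFC 2866 requires, and verifies the Accounting-Response that a compliant accounting server returns. It also contains the receiver-side check on the Request Authenticator, which is the one thing the shared secret actually protects. The host, port, secret, username and IP address in it are placeholders.

```python
"""Send a test RADIUS Accounting-Request to the proxy and verify the reply.

Added example; it is not part of the lithnet/pan-ra-proxy project. Packet
layout and authenticators follow RFC 2866. PROXY_HOST, PROXY_PORT,
SHARED_SECRET and the user details are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1

PROXY_HOST = "127.0.0.1"   # placeholder: the host running the proxy service
PROXY_PORT = 1813          # must match <radius-client accounting-port="..."/>
SHARED_SECRET = b"test"    # placeholder: the secret of this sender's <radius-server> element


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (value + 2), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, username: str,
                             framed_ip: str, status: int = ACCT_STATUS_START) -> bytes:
    """Accounting-Request carrying User-Name, Acct-Status-Type and Framed-IP-Address."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attribute(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    # A receiver configured with a different secret computes a different digest.
    request_authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_authenticator + attrs


def verify_accounting_request(secret: bytes, request: bytes) -> bool:
    """What the receiving side checks before acting on a request."""
    if len(request) < 20 or request[0] != ACCOUNTING_REQUEST:
        return False
    length = struct.unpack("!H", request[2:4])[0]
    if not 20 <= length <= len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:length] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """The reply a correct accounting server sends: an attribute-less
    Accounting-Response whose authenticator covers the Request Authenticator."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Check code, identifier, length and the Response Authenticator
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or not 20 <= length <= len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_accounting(host: str, port: int, secret: bytes, username: str,
                    framed_ip: str, timeout: float = 3.0) -> bool:
    """Send one Accounting-Request and report whether a valid response came back."""
    ident = os.urandom(1)[0]
    request = build_accounting_request(secret, ident, username, framed_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False  # no reply: wrong port, blocked, or the request was discarded
    return verify_accounting_response(secret, request, response)


if __name__ == "__main__":
    ok = send_accounting(PROXY_HOST, PROXY_PORT, SHARED_SECRET, "domain\\jsmith", "10.0.0.5")
    print("valid Accounting-Response received" if ok else "no valid Accounting-Response")
```

Run it from a host whose address matches the host of a radius-server element, with SHARED_SECRET set to that element's secret and PROXY_PORT set to accounting-port. A timeout, or a reply that fails verification, with no other error usually means the secret differs between the two sides or the port does not match.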