Prisma Access
Configure Multiple Portals in Prisma Access
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Configure Multiple Portals in Prisma Access
Prisma Access
Learn how to configure multiple portals with multiple authentication
methods.
Where Can I Use
This? | What Do I Need? |
---|---|
|
|
You can configure two portals based on port numbers in the same
Prisma Access
tenant,
with each portal supporting a different authentication method. Enable this feature
to migrate mobile users from one authentication method to another without creating a
new Prisma Access
tenant. This configuration enables greater authentication
flexibility by allowing you to gradually move users to cloud-based authentication,
without the need for a separate Prisma Access
instance.Prisma Access
with GlobalProtect multiple portals uses a different port number for
each portal within the same tenant. Configure the first GlobalProtect portal using
the standard port 443. When you enable the multiple portal feature, Prisma Access
configures a second GlobalProtect portal using an alternative port 8443, and allows
connections to the second portal using the same FQDN as the first. The multiple
portals feature supports only two portals per FQDN.When a user connects to the portal using port 443, the traffic is sent to the first
authentication portal with no change to the IP address. This flow is unchanged from
configurations without the GlobalProtect multiple portals feature. When a user
connects using port 8443, the traffic instead hits a destination NAT rule. This
leads the user to the second authentication portal at a different IP address. After
authenticating at either portal, the user is forwarded to the gateway with the
authentication override cookie. This feature depends on
the authentication override cookie settings, and are enabled for both portals and on
gateways.
The following table describes GlobalProtect multiple portals support with
combinations of authentication methods and certificates using legacy authentication
(such as RADIUS or LDAP) on the primary portal and cloud authentication (such as
SAML or SAML with CAS) on the secondary portal.
Primary Portal User Authentication | Secondary Portal User Authentication | Connection Method Options |
---|---|---|
Legacy, No certificate | Cloud, No certificate | User logon (always-on, on-demand) |
Legacy, <auth profile selection> AND Client Certificate Note: Certificate profile must be the same. | Cloud, <auth profile selection> AND Client Certificate Note: Certificate profile must be the same. | User logon (always-on, on-demand) Pre-logon (always-on, on-demand) |
Legacy, No certificate | Cloud, <auth profile selection> OR Client Certificate | User logon (always-on, on-demand) |
Legacy, <auth profile selection> OR Client Certificate Multiple portal configurations don't support clients using only
client certificate for authentication | Cloud, No certificate | User logon (always-on, on-demand) Pre-logon (always-on, on-demand), if certificate |
Legacy, <auth profile selection> OR Client Certificate Multiple portal configurations don't support clients using only
client certificate for authentication | Cloud, <auth profile selection> OR Client Certificate Multiple portal configurations don't support clients using only
client certificate for authentication | User logon (always-on, on-demand) Pre-logon (always-on, on-demand), if certificate |
Ensure the following before you configure multiple portals:
- Both portals have the same certificate profiles or no certificate profiles
- Allowlist associated with the authentication profiles should be the same
- When you accept a cookie for authentication override on the portal, ensure the cookie lifetime is the same on the portal as well as on the gateway
- Multiple portal configurations don't support using only client certificate-based authentication
Cloud Management
Cloud Management
Learn how to configure multiple portals with multiple authentication methods in
Prisma Access (Managed by Strata Cloud Manager)
.- Contact the Palo Alto Networks support to activate this functionality.
- Configure a mobile user and the authentication method for it.
- Enable multiple portals for the same gateway.
- Select.SettingsPrisma AccessSetupGlobalProtectInfrastructureIf you're using Strata Cloud Manager, select.WorkflowsPrisma AccessSetupGlobalProtectGlobalProtect SetupInfrastructure
- Edit theInfrastructure Settings.
- Enable Multiple Portal for Multiple Authentication Methods.The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
- Edit the portal configurations to update the authentication settings.You can edit only the portal'sAuthentication SettingsandCertificate Profileauthentication settings.If you use certificate-based authentication in both portals, ensure that both portals use the same client certificate profile for authentication.This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings.
- Save all your changes andPushthe configuration changes toPrisma Access.
- Add the portals manually or using endpoint management software in the GlobalProtect app.
- Verify if you can connect to both portals with different authentication profiles for the gateway.
- Log in to your Windows machine.
- Connect to the portals in your GlobalProtect app.When you change the connection between portals of different authentication methods, authenticate the user login.If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to theBest Available Gateway.If your GlobalProtect app uses cached portal configurations, fallback to portal does not work.
If you're using SAML-based authentication for the
secondary portal, enter the values as follows while integrating:
- Single sign on URL: Enterhttps://Portal-FQDN:443/SAML20/SP/ACSPortal-FQDNis the FQDN for thePrisma AccessportalUse portal443even if you have configured the secondary portal (8443).
- Audience URI (SP Entity ID): Enterhttps://Portal-FQDN:443/SAML20/SP
Panorama
Panorama
Learn how to configure multiple portals with multiple authentication methods in
Prisma Access (Managed by Panorama)
.- Contact your Palo Alto Networks account representative to activate this functionality.When configuring multiple GlobalProtect portals with Traffic Steering, do not configureAccept Default Routes over Service Connections(); if you do, mobile users cannot connect to the secondary portal.PanoramaCloud ServicesConfigurationTraffic SteeringSettingsAccept Default Route over Service Connection
- Configure a mobile user and the authentication method for it.
- Select.Cloud ServicesConfigurationMobile Users—GlobalProtectSettingsAdvanced
- Enable Multiple Portal for Multiple Authentication Methods.The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
- Edit the portal configurations to update the authentication settings.
- Click the portal hyperlink or selectand click the portal hyperlink.PanoramaTemplatesNetworkGlobalProtectPortals
- In theAuthenticationsection,AddaClient Authenticationwith a differentAuthentication Profile.
You can edit only theClient AuthenticationandCertificate Profileauthentication settings.If you use certificate-based authentication in both portals, ensure that the gateway doesn't have certificate-based authentication.This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings. - Commit all your changes to Panorama and push the configuration changes toPrisma Access.
- Click.CommitCommit and Push
- Edit Selectionsand, in thePrisma Accesstab, make sure thatMobile Usersis selected in thePush Scope, then clickOK.
- ClickCommit and Push.
- Add the portals manually or using endpoint management software in the GlobalProtect app.
- Verify if you can connect to both portals with different authentication profiles for the gateway.
- Log in to your Windows machine.
- Connect to the portals in your GlobalProtect app.When you change the connection between portals of different authentication methods, authenticate the user login.If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to theBest Available Gateway.If your GlobalProtect app uses cached portal configurations, fallback to portal does not work.
- View logs for both portals into see the portal and authentication information.MonitorLogsGlobalProtect
If you're using SAML-based authentication for the
secondary portal, enter the values as follows while integrating:
- Single sign on URL: Enterhttps://Portal-FQDN:443/SAML20/SP/ACSPortal-FQDNis the FQDN for thePrisma AccessportalUse portal443even if you have configured the secondary portal (8443).
- Audience URI (SP Entity ID): Enterhttps://Portal-FQDN:443/SAML20/SP