Prisma Access
Configure Multiple Portals in Prisma Access
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Enable Dynamic Privilege Access for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
-
- Onboard Prisma Access
-
4.0 & Later
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Set Up Prisma Access
- Configure the Prisma Access Service Infrastructure
- Remote Networks: IPSec Termination Nodes and Service IP Addresses
- Remote Networks: IP Address Changes Related To Bandwidth Allocation
- Remote Networks: Service IP Address and Egress IP Address Allocation
- API Examples for Retrieving Prisma Access IP Addresses
- Get Notifications When Prisma Access IP Addresses Change
- Prisma Access Zones
- DNS for Prisma Access
- High Availability for Prisma Access
-
- Enable ZTNA Connector
- Delete Connector IP Blocks
- Set Up Auto Discovery of Applications Using Cloud Identity Engine
- Private Application Target Discovery
- Security Policy for Apps Enabled with ZTNA Connector
- Monitor ZTNA Connector
- View ZTNA Connector Logs
- Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
-
- Enable Dynamic Privilege Access for Prisma Access Through Common Services
- Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
- Enable the Access Agent
- Set Up the Agent Infrastructure for Dynamic Privilege Access
- Create a Snippet
- Create a Project
- Traffic Steering for Dynamic Privilege Access
- Push the Prisma Access Agent Configuration
- Download the Dynamic Privilege Access Enabled Prisma Access Agent Package
-
- Install the Prisma Access Agent
- Log in to the Dynamic Privilege Access Enabled Prisma Access Agent
- Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location
- Switch to a Different Project
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server
- Disable the Dynamic Privilege Access Enabled Prisma Access Agent
- Switch Between the Prisma Access Agent and GlobalProtect App
- View and Monitor Dynamic Privilege Access Users
- View and Monitor Dynamic Privilege Access Projects
- App Acceleration in Prisma Access
-
-
- Planning Checklist for GlobalProtect on Prisma Access
- Set Up GlobalProtect Mobile Users
- GlobalProtect — Customize Tunnel Settings
- GlobalProtect — Customize App Settings
- Ticket Request to Disable GlobalProtect
- GlobalProtect Pre-Logon
- GlobalProtect — Clientless VPN
- Monitor GlobalProtect Mobile Users
- How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
- Allow Listing GlobalProtect Mobile Users
-
- Explicit Proxy Configuration Guidelines
- GlobalProtect in Proxy Mode
- GlobalProtect in Tunnel and Proxy Mode
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- SAML Authentication for Explicit Proxy
- Set Up Explicit Proxy
- Cloud Identity Engine Authentication for Explicit Proxy Deployments
- Proxy Mode on Remote Networks
- How Explicit Proxy Identifies Users
- Explicit Proxy Forwarding Profiles
- PAC File Guidelines
- Explicit Proxy Best Practices
- Monitor and Troubleshoot Explicit Proxy
- Block Settings for Explicit Proxy
- Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses
- Access Your Data Center Using Explicit Proxy
- App-Based Office 365 Integration with Explicit Proxy
- Configure Proxy Chaining with Blue Coat Proxy
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- DNS Resolution for Mobile Users—Explicit Proxy Deployments
- View User to IP Address or User Groups Mappings
- Report Mobile User Site Access Issues
- Enable Mobile Users to Access Corporate Resources
-
-
- Planning Checklist for Remote Networks
- Allocate Remote Network Bandwidth
- Onboard a Remote Network
- Connect a Remote Network Site to Prisma Access
- Enable Routing for Your Remote Network
- Onboard Multiple Remote Networks
- Configure Remote Network and Service Connection Connected with a WAN Link
- Remote Networks—High Performance
- Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server
-
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
- Add a New Compute Location for a Deployed Prisma Access Location
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Proxy Support for Prisma Access and Strata Logging Service
- Block Incoming Connections from Specific Countries
- Prisma Access for No Default Route Networks
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
- Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
-
- Prisma Access Internal Gateway
-
- Configure Privileged Remote Access Settings
- Set Up the Privileged Remote Access Portal
- Configure Applications for Privileged Remote Access
- Set Up Privileged Remote Access Profiles
- Define Permissions for Accessing Privileged Remote Access Apps
- Configure Split Tunneling for Privileged Remote Access Traffic
- Manage Privileged Remote Access Connections
- Use Privileged Remote Access
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Configure Multiple Portals in Prisma Access
Learn how to configure multiple portals with multiple authentication
methods.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
You can configure two portals based on port numbers in the same Prisma Access tenant,
with each portal supporting a different authentication method. Enable this feature
to migrate mobile users from one authentication method to another without creating a
new Prisma Access tenant. This configuration enables greater authentication
flexibility by allowing you to gradually move users to cloud-based authentication,
without the need for a separate Prisma Access instance.
Prisma Access with GlobalProtect multiple portals uses a different port number for
each portal within the same tenant. Configure the first GlobalProtect portal using
the standard port 443. When you enable the multiple portal feature, Prisma Access
configures a second GlobalProtect portal using an alternative port 8443, and allows
connections to the second portal using the same FQDN as the first. The multiple
portals feature supports only two portals per FQDN.
When a user connects to the portal using port 443, the traffic is sent to the first
authentication portal with no change to the IP address. This flow is unchanged from
configurations without the GlobalProtect multiple portals feature. When a user
connects using port 8443, the traffic instead hits a destination NAT rule. This
leads the user to the second authentication portal at a different IP address. After
authenticating at either portal, the user is forwarded to the gateway with the
authentication override cookie. This feature depends on
the authentication override cookie settings, and are enabled for both portals and on
gateways.
The following table describes GlobalProtect multiple portals support with
combinations of authentication methods and certificates using legacy authentication
(such as RADIUS or LDAP) on the primary portal and cloud authentication (such as
SAML or SAML with CAS) on the secondary portal.
Primary Portal User Authentication | Secondary Portal User Authentication | Connection Method Options |
---|---|---|
Legacy, No certificate | Cloud, No certificate | User logon (always-on, on-demand) |
Legacy, <auth profile selection> AND Client Certificate
Note: Certificate profile must be the same.
|
Cloud, <auth profile selection> AND Client Certificate
Note: Certificate profile must be the same.
|
User logon (always-on, on-demand)
Pre-logon (always-on, on-demand)
|
Legacy, No certificate | Cloud, <auth profile selection> OR Client Certificate | User logon (always-on, on-demand) |
Legacy, <auth profile selection> OR Client Certificate
Multiple portal configurations don't support clients using only
client certificate for authentication
| Cloud, No certificate |
User logon (always-on, on-demand)
Pre-logon (always-on, on-demand), if certificate
|
Legacy, <auth profile selection> OR Client Certificate
Multiple portal configurations don't support clients using only
client certificate for authentication
|
Cloud, <auth profile selection> OR Client Certificate
Multiple portal configurations don't support clients using only
client certificate for authentication
|
User logon (always-on, on-demand)
Pre-logon (always-on, on-demand), if certificate
|
Ensure the following before you configure multiple portals:
- Both portals have the same certificate profiles or no certificate profiles
- Allowlist associated with the authentication profiles should be the same
- When you accept a cookie for authentication override on the portal, ensure the cookie lifetime is the same on the portal as well as on the gateway
- Multiple portal configurations don't support using only client certificate-based authentication
Clientless VPN is not supported
for use on the secondary portal in a multiple portal deployment; however, clientless
VPN works on the primary portal with your existing authentication method.
Configure Multiple Portals in Prisma Access (Strata Cloud Manager)
Learn how to configure multiple portals with multiple authentication methods in Prisma Access (Managed by Strata Cloud Manager).
- Contact the Palo Alto Networks support to activate this functionality.
- Configure a mobile user and the authentication method for it.
- Enable multiple portals for the same gateway.
- Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect SetupInfrastructure.
- Edit the Infrastructure Settings.
- Enable Multiple Portal for Multiple Authentication Methods.The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
- Edit the portal configurations to update the authentication settings.You can edit only the portal's Authentication Settings and Certificate Profile authentication settings.If you use certificate-based authentication in both portals, ensure that both portals use the same client certificate profile for authentication.This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings.
- Save all your changes and Push the configuration changes to Prisma Access.
- Add the portals manually or using endpoint management software in the GlobalProtect app.
- Verify if you can connect to both portals with different authentication profiles for the gateway.
- Log in to your Windows machine.
- Connect to the portals in your GlobalProtect app.When you change the connection between portals of different authentication methods, authenticate the user login.If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to the Best Available Gateway.If your GlobalProtect app uses cached portal configurations, fallback to portal does not work.
If you're using SAML-based authentication for the
secondary portal, enter the values as follows while integrating:
- Single sign on URL: Enter
https://Portal-FQDN:443/SAML20/SP/ACSPortal-FQDN is the FQDN for the Prisma Access portalUse portal 443 even if you have configured the secondary portal (8443).
- Audience URI (SP Entity ID): Enter https://Portal-FQDN:443/SAML20/SP
Configure Multiple Portals in Prisma Access (Panorama)
Learn how to configure multiple portals with multiple authentication methods in Prisma Access (Managed by Panorama).
- Contact your Palo Alto Networks account representative to activate this functionality.When configuring multiple GlobalProtect portals with Traffic Steering, do not configure Accept Default Routes over Service Connections (PanoramaCloud ServicesConfigurationTraffic SteeringSettingsAccept Default Route over Service Connection); if you do, mobile users cannot connect to the secondary portal.
- Configure a mobile user and the authentication method for it.
- Select Cloud ServicesConfigurationMobile Users—GlobalProtectSettingsAdvanced.
- Enable Multiple Portal for Multiple Authentication Methods.The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
- Edit the portal configurations to update the authentication settings.
- Click the portal hyperlink or select PanoramaTemplatesNetworkGlobalProtectPortals and click the portal hyperlink.
- In the Authentication section, Add a Client Authentication with a different Authentication Profile.
You can edit only the Client Authentication and Certificate Profile authentication settings.If you use certificate-based authentication in both portals, ensure that the gateway doesn't have certificate-based authentication.This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings. - Commit all your changes to Panorama and push the configuration changes to Prisma Access.
- Click CommitCommit and Push.
- Edit Selections and, in the Prisma Access tab, make sure that Mobile Users is selected in the Push Scope, then click OK.
- Click Commit and Push.
- Add the portals manually or using endpoint management software in the GlobalProtect app.
- Verify if you can connect to both portals with different authentication profiles for the gateway.
- Log in to your Windows machine.
- Connect to the portals in your GlobalProtect app.When you change the connection between portals of different authentication methods, authenticate the user login.If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to the Best Available Gateway.If your GlobalProtect app uses cached portal configurations, fallback to portal does not work.
- View logs for both portals in MonitorLogsGlobalProtect to see the portal and authentication information.
If you're using SAML-based authentication for the
secondary portal, enter the values as follows while integrating:
- Single sign on URL: Enter
https://Portal-FQDN:443/SAML20/SP/ACSPortal-FQDN is the FQDN for the Prisma Access portalUse portal 443 even if you have configured the secondary portal (8443).
- Audience URI (SP Entity ID): Enter https://Portal-FQDN:443/SAML20/SP