GlobalProtect User Authentication
Focus
Focus
GlobalProtect

GlobalProtect User Authentication

Table of Contents

GlobalProtect User Authentication

Learn about the different ways you can authenticate users with GlobalProtect.
The first time a GlobalProtect app connects to the portal, the user is prompted to authenticate to the portal. If authentication succeeds, the GlobalProtect portal sends the GlobalProtect configuration, which includes the list of gateways to which the app can connect, and optionally a client certificate for connecting to the gateways. After successfully downloading and caching the configuration, the app attempts to connect to one of the gateways specified in the configuration. Because these components provide access to your network resources and settings, they also require the end user to authenticate. The appropriate security level required on the portal and gateways varies with the sensitivity of the resources that the gateway protects. GlobalProtect provides a flexible authentication framework that allows you to choose the authentication profile and certificate profile that are appropriate to each component. GlobalProtect provides the following authentication methods:
  • Local Authentication
    —Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism isn't scalable because it requires an account for every GlobalProtect user and is, therefore, advisable for small deployments only.
  • External Authentication
    —User authentication functions are performed by external LDAP, Kerberos, TACACS+, SAML, or RADIUS services (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To Set Up External Authentication you must create a server profile with settings for access to the external authentication service, create an authentication profile that refers to the server profile, and specify client authentication in the portal and gateway configurations. As an optional step, you can specify the OS of the endpoint that will use these settings. You can use different authentication profiles for each GlobalProtect component.
  • Client Certificate Authentication
    —For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system. GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. With these cards, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC.
  • Two-Factor Authentication
    —With two-factor authentication, the portal or gateway authenticates users through two mechanisms, such as a one-time password (OTP) and Active Directory (AD) login credentials. You can enable two-factor authentication by configuring and adding both a certificate profile and authentication profile to the portal and gateway configuration. You can configure the portal and gateways to use either the same authentication method or different authentication methods. Regardless, users must successfully authenticate through the two mechanisms that the component demands before they can gain access to the network resources.
  • (
    Windows and macOS only
    )
    Multi-Factor Authentication for Non-Browser-Based Applications
    —For sensitive, non-browser-based network resources (for example, financial applications or software development applications) that may require additional authentication, the GlobalProtect app can notify and prompt the user to perform the timely, multi-factor authentication required to access these resources.
  • (
    Windows and macOS only
    )
    Single Sign-On
    —With single sign-on (SSO), which is enabled by default, the GlobalProtect app uses the user’s OS login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway. You can also configure the app to wrap third-party credentials to ensure that Windows users can authenticate and connect using a third-party credential provider.
  • (
    Prisma Access only
    )
    Cloud Identity Engine
    —The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Panorama Managed Prisma Access—GlobalProtect deployment. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable. Prisma Access users must be running GlobalProtect app 6.0 or later with a Prisma Access Innovation release 3.0 or later.

Recommended For You