Learn about the different ways you can authenticate users
The first time a GlobalProtect app connects
to the portal, the user is prompted to authenticate to the portal.
If authentication succeeds, the GlobalProtect portal sends the GlobalProtect
configuration, which includes the list of gateways to which the
app can connect, and optionally a client certificate for connecting
to the gateways. After successfully downloading and caching the
configuration, the app attempts to connect to one of the gateways
specified in the configuration. Because these components provide
access to your network resources and settings, they also require
the end user to authenticate. The appropriate security level required
on the portal and gateways varies with the sensitivity of the resources
that the gateway protects. GlobalProtect provides a flexible authentication
framework that allows you to choose the authentication profile and
certificate profile that are appropriate to each component. GlobalProtect
provides the following authentication methods:
Local Authentication—Both the user account credentials
and the authentication mechanisms are local to the firewall. This
authentication mechanism is not scalable because it requires an
account for every GlobalProtect user and is, therefore, advisable
for only very small deployments.
External Authentication—User authentication functions
are performed by external LDAP, Kerberos, TACACS+, SAML, or RADIUS services
(including support for two-factor, token-based authentication mechanisms,
such as one-time password (OTP) authentication). To set up external authentication, you must
create a server profile with settings for access to the external
authentication service, create an authentication profile that refers
to the server profile, and specify client authentication in the
portal and gateway configurations, optionally specifying the OS
of the endpoint that will use these settings. You can use different
authentication profiles for each GlobalProtect component.
Client Certificate Authentication—For enhanced security,
you can configure the portal
or gateway to use a client certificate to obtain the username
and authenticate the user before granting access to the system.
GlobalProtect also supports authentication by common access cards
(CACs) and smart cards, which rely on a certificate profile. With
these cards, the certificate profile must contain the root CA certificate
that issued the certificate to the smart card or CAC.
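As an added illustration (not part of the GlobalProtect documentation and not Palo Alto Networks code), the following OpenSSL shell script reproduces the two things a certificate profile does for a client certificate or CAC login: it accepts the presented certificate only when it chains to the issuing root CA held in the profile, and it reads the username out of a certificate field. The demo root CA, the unrelated CA, the user name jdoe, the choice of Subject CN as the username field and the helper function names are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the GlobalProtect documentation: emulate with OpenSSL
# what a certificate profile checks for client certificate / CAC logins:
# (1) the presented certificate must chain to the issuing root CA listed in
#     the profile, and
# (2) the username is taken from a field of the certificate.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed demo PKI (assumption for the example): a root CA, a client
# certificate it issued to user "jdoe", and an unrelated CA that issued nothing.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.pem" -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
  -out "$WORK/other.pem" -subj "/CN=Unrelated CA" -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/CN=jdoe" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/client.pem" \
  -days 365 >/dev/null 2>&1

# (1) The chain check: the client certificate is trusted only if it validates
# against the CA certificate held in the profile.
# Prints "ok" or "fail" and returns 0 or 1 accordingly.
cert_chains_to_ca() {   # $1 = CA certificate in the profile, $2 = client cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo fail
  return 1
}

# (2) The "username field" of the profile: here the Subject CN (an assumption;
# a real profile may be configured to use another subject or SAN field).
username_from_cert() {  # $1 = client cert
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Demonstration: the certificate is accepted only with the CA that issued it,
# which is why the profile must contain that root CA certificate.
cert_chains_to_ca "$WORK/root.pem" "$WORK/client.pem"            # ok
cert_chains_to_ca "$WORK/other.pem" "$WORK/client.pem" || true   # fail
username_from_cert "$WORK/client.pem"                             # jdoe
```

The second call fails even though the client certificate is perfectly valid, because the CA in the profile is not the one that issued it; a smart card or CAC whose issuing root CA is missing from the certificate profile is rejected for the same reason.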
Two-Factor Authentication—With two-factor authentication,
the portal or gateway authenticates users through two mechanisms,
such as a one-time password (OTP) and Active Directory (AD) login
credentials. You can enable two-factor
authentication by configuring and adding both a certificate
profile and an authentication profile to the portal and/or gateway
configuration. You can configure the portal and gateways to use
either the same authentication method or different authentication
methods. Regardless, users must successfully authenticate through
the two mechanisms that the component demands before they can gain
access to the network resources.
Single Sign-On for Non-Browser-Based Applications (Windows and macOS only)—With
single sign-on (SSO), which is enabled by default, the GlobalProtect
app uses the user’s OS login credentials to automatically authenticate
and connect to the GlobalProtect portal and gateway. You can also
configure the app to wrap third-party
credentials to ensure that Windows users can authenticate
and connect using a third-party credential provider.
Cloud Identity Engine (Prisma Access only)—Cloud Identity Engine provides
both user identification and user authentication for mobile users
in a Panorama Managed Prisma Access—GlobalProtect deployment.
Using the Cloud Identity Engine for user authentication and username-to-user
group mapping allows you to write security policy based on users
and groups, not IP addresses, and helps secure your assets by enforcing
behavior-based security actions. By continually syncing the information
from your directories, the Cloud Identity Engine ensures that your
user information is accurate and up to date and policy enforcement
continues based on the mappings even if the SAML identity provider
(IdP) is temporarily unavailable. Prisma Access users must be running
GlobalProtect app 6.0 or later with a Prisma Access Innovation release
3.0 or later.