Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
To protect critical applications and stop attackers from using stolen credentials to conduct lateral movement throughout your network, you can configure policy-based multi-factor authentication (MFA). This ensures that each user responds to multiple authentication challenges of different types (factors) before they can access highly sensitive services and applications.
If a user session matches the Authentication policy, the type of application or service determines the user experience for notifications about the authentication challenge:
- (Windows or Mac endpoints only) Non-browser-based applications—To facilitate MFA notifications for non-HTTP applications (such as Perforce) on Windows or Mac endpoints, a GlobalProtect client is required. When a session matches an Authentication policy rule, the firewall sends a UDP notification to the GlobalProtect client with an embedded URL link to the Authentication Portal page. The GlobalProtect client then displays this message as a pop up notification to the user.
- Browser-based applications—Browser-based applications do not require GlobalProtect to display notification messages to the user. When the firewall identifies a session as web-browsing traffic (based on App-ID), the firewall automatically presents the user with the Authentication Portal page (previously called the Captive Portal page) specified in the Authentication policy rule. For more information, see Configure Multi-Factor Authentication.
To configure GlobalProtect to display MFA notifications for non-browser-based applications, use the following workflow:
- Before you configure GlobalProtect, configure multi-factor authentication on the firewall. If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are only using GlobalProtect to notify the user about an Authentication policy match (the UDP message), a Multi-Factor Authentication server profile is sufficient. The easiest way to use multi-factor authentication for protecting sensitive resources is to integrate the firewall with an MFA vendor that is already established in your network. When your MFA infrastructure is ready, configure the components of your Authentication policy. For more information, refer to Configure Multi-Factor Authentication.
- Enable Captive Portal to record authentication timestamps and update user mappings.
- Create server profiles that define how the firewall will connect to the services that authenticate users.
- Assign the server profiles to an Authentication profile which specifies authentication parameters.
- Configure a Security policy rule that allows users to access the resources that require authentication.
- (External gateways only) For GlobalProtect to support multi-factor authentication on external gateways, you must Configure a response page for the ingress tunnel interface on the firewall:
- Select Device > Response Pages > MFA Login Page.
- Select the Predefined template and then Export it to a location of your choice.
- On your client system, use an HTML editor to customize the downloaded response page and save it with a unique filename.
- Return to the MFA Login Page dialog on the firewall, click Import, Browse to select the Import File, select the Destination (virtual system or shared location), click OK, and then click Close.
- (External gateways only) Enable Response Pages as a permitted service on the Interface Mgmt profile:
- Select Network > Network Profiles > Interface Mgmt and then select the profile.
- In the Permitted Services area, select Response Pages and click OK.
- (External gateways only) Attach the Interface Mgmt profile to a tunnel interface:
- Select Network > Interfaces > Tunnel, and then select the tunnel interface on which you want to use the response page.
- Select Advanced, and then select the Interface Mgmt profile you configured in the previous step as the Management Profile.
- (External gateways only) Enable User Identification on the Zone associated with the tunnel interface (Network > Zones > <tunnel-zone>).
- Configure GlobalProtect clients to support multi-factor authentication notifications for non-browser-based applications.
- Select Network > GlobalProtect > Portals and select a portal configuration (or Add one).
- Select Agent and then select an existing agent configuration or Add one.
- In the App tab, specify the following settings:
- Set Enable Inbound Authentication Prompts from MFA Gateways to Yes. To support multi-factor authentication (MFA), a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect client to receive and acknowledge the prompt. By default, the value is set to No, meaning GlobalProtect blocks UDP prompts from the gateway.
- In Network Port for Inbound Authentication Prompts (UDP), specify the port number a GlobalProtect client uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
- In Trusted MFA Gateways, specify the list of authentication gateways a GlobalProtect client will trust for multi-factor authentication. When a GlobalProtect client receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway. Because the prompt carries a URL that the user is asked to open, keep this list limited to the gateways that actually send prompts; it is the control that prevents an untrusted host on the network from pushing an arbitrary URL into a legitimate-looking authentication prompt.
- Configure the Default Message for Inbound Authentication Prompts. When users try to access a resource that requires additional authentication, GlobalProtect receives a UDP packet containing the inbound authentication prompt and displays this message. The UDP packet also contains the URL for the Authentication Portal page you specified in Configure Multi-Factor Authentication; GlobalProtect automatically appends that URL to the message. For example, to display the notification shown at the beginning of this topic, enter the following message: "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at:"
- Save the agent configuration (click OK twice), and then Commit your changes.
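The three App settings above (the enable switch, the UDP port, and the trusted gateway list) together decide whether a received prompt is ever shown to the user. The following Python model, added here as an illustration and not GlobalProtect's own code, mirrors that client-side decision: a prompt is displayed only if inbound prompts are enabled, the datagram arrives from an address in Trusted MFA Gateways, and the payload is a well-formed portal URL, which is then appended to the default message. The wire format of the real notification is not documented on this page, so the payload is assumed to be the Authentication Portal URL as UTF-8 text, and trusted gateway entries are assumed to be IP addresses or CIDR blocks; the names `MfaAgentConfig`, `handle_prompt`, `is_trusted_gateway` and `listen` are this example's, not GlobalProtect's.

```python
"""Model of how a GlobalProtect client should treat an inbound MFA prompt.

Illustrative code written for this page, not GlobalProtect's implementation.
Assumptions: the UDP payload is the Authentication Portal URL as UTF-8 text,
and trusted gateways are given as IP addresses or CIDR blocks.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class MfaAgentConfig:
    """Mirrors the portal agent App settings described in the procedure above."""
    # Enable Inbound Authentication Prompts from MFA Gateways (default No)
    inbound_prompts_enabled: bool = False
    # Network Port for Inbound Authentication Prompts (UDP), default 4501
    listen_port: int = 4501
    # Trusted MFA Gateways (assumed here to be IPs or CIDR blocks)
    trusted_gateways: List[str] = field(default_factory=list)
    # Default Message for Inbound Authentication Prompts
    default_message: str = (
        "You have attempted to access a protected resource that requires "
        "additional authentication. Proceed to authenticate at:"
    )


def is_trusted_gateway(source_ip: str, trusted: List[str]) -> bool:
    """True if the datagram's source address matches a trusted gateway entry."""
    src = ipaddress.ip_address(source_ip)
    for entry in trusted:
        # strict=False lets a bare host address be treated as a /32 (or /128).
        if src in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def handle_prompt(source_ip: str, payload: bytes, cfg: MfaAgentConfig) -> Optional[str]:
    """Return the notification text to show the user, or None if the prompt is dropped."""
    if not cfg.inbound_prompts_enabled:
        return None  # setting left at No: every inbound prompt is blocked
    if not is_trusted_gateway(source_ip, cfg.trusted_gateways):
        return None  # unsolicited prompt from an untrusted host: never displayed
    try:
        url = payload.decode("utf-8").strip()
    except UnicodeDecodeError:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # only a well-formed portal URL is appended to the message
    # The client appends the portal URL carried in the packet to the default message.
    return f"{cfg.default_message} {url}"


def listen(cfg: MfaAgentConfig) -> None:
    """Receive prompts on the configured UDP port and print the ones that pass the checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", cfg.listen_port))
        while True:
            payload, (src_ip, _src_port) = sock.recvfrom(2048)
            text = handle_prompt(src_ip, payload, cfg)
            print(text if text else f"dropped prompt from {src_ip}")


if __name__ == "__main__":
    # Constructed sample: one trusted gateway host plus a trusted gateway subnet.
    config = MfaAgentConfig(
        inbound_prompts_enabled=True,
        trusted_gateways=["203.0.113.10", "198.51.100.0/24"],
    )
    print(handle_prompt("203.0.113.10", b"https://gw.example.test/login", config))
    print(handle_prompt("192.0.2.5", b"https://gw.example.test/login", config))
    # listen(config)  # uncomment to bind UDP/4501 and watch real datagrams
```

Run it as-is to see one accepted and one dropped prompt; `listen()` binds the configured port if you want to feed it test datagrams from a lab gateway. The point of the model is the order of the checks: the trust decision is made on the datagram's source before anything in the payload is parsed or shown.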