Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
GlobalProtect
GlobalProtect Administrator's Guide
Authentication
About GlobalProtect User Authentication
Supported GlobalProtect Authentication Methods
Two-Factor Authentication

Last Updated:

Fri Sep 16 22:47:41 UTC 2022

Current Version:

9.1

Version 9.1

Table of Contents

Filter

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Get Started

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

Authentication

About GlobalProtect User Authentication

Supported GlobalProtect Authentication Methods

Local Authentication

External Authentication

Client Certificate Authentication

Two-Factor Authentication

Multi-Factor Authentication for Non-Browser-Based Applications

Single Sign-On

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Authentication Using a Certificate Profile

Enable Authentication Using an Authentication Profile

Enable Authentication Using Two-Factor Authentication

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

GlobalProtect Gateways

GlobalProtect Gateways Overview

GlobalProtect Gateway Concepts

Types of Gateways

Gateway Priority in a Multiple Gateway Configuration

GlobalProtect MIB Support

Prerequisite Tasks for Configuring the GlobalProtect Gateway

Configure a GlobalProtect Gateway

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

GlobalProtect Portals

GlobalProtect Portal Overview

Prerequisite Tasks for Configuring the GlobalProtect Portal

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Collect Application and Process Data From Endpoints

Redistribute HIP Reports

Block Endpoint Access

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Certifications

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode Using the Windows Registry

Enable and Verify FIPS-CC Mode Using the macOS Property List

FIPS-CC Security Functions

Troubleshoot FIPS-CC Mode

View and Collect GlobalProtect Logs

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

Always On VPN Configuration

Remote Access VPN with Pre-Logon

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging in Panorama

Logging for GlobalProtect in PAN-OS

View a Graphical Display of GlobalProtect User Activity in PAN-OS

View All GlobalProtect Logs on a Dedicated Page in PAN-OS

Event Descriptions for the GlobalProtect Logs in PAN-OS

Filter GlobalProtect Logs for Gateway Latency in PAN-OS

Restrict Access to GlobalProtect Logs in PAN-OS

Forward GlobalProtect Logs to an External Service in PAN-OS

Configure Custom Reports for GlobalProtect in PAN-OS

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks

Ciphers Used to Set Up IPsec Tunnels

SSL APIs

GlobalProtect Overview
Get Started
- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
Authentication
GlobalProtect Gateways
GlobalProtect Portals
GlobalProtect Apps
- Deploy the GlobalProtect App to End Users
- Deploy App Settings Transparently
GlobalProtect Clientless VPN
Mobile Device Management
GlobalProtect for IoT Devices
Host Information
Certifications
GlobalProtect Quick Configs
GlobalProtect Architecture
GlobalProtect Cryptography

Document:GlobalProtect Administrator's Guide

Two-Factor Authentication

Last Updated:

Fri Sep 16 22:47:41 UTC 2022

Current Version:

9.1

Version 9.1

Table of Contents

Filter

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Get Started

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

Authentication

About GlobalProtect User Authentication

Supported GlobalProtect Authentication Methods

Local Authentication

External Authentication

Client Certificate Authentication

Two-Factor Authentication

Multi-Factor Authentication for Non-Browser-Based Applications

Single Sign-On

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Authentication Using a Certificate Profile

Enable Authentication Using an Authentication Profile

Enable Authentication Using Two-Factor Authentication

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

GlobalProtect Gateways

GlobalProtect Gateways Overview

GlobalProtect Gateway Concepts

Types of Gateways

Gateway Priority in a Multiple Gateway Configuration

GlobalProtect MIB Support

Prerequisite Tasks for Configuring the GlobalProtect Gateway

Configure a GlobalProtect Gateway

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

GlobalProtect Portals

GlobalProtect Portal Overview

Prerequisite Tasks for Configuring the GlobalProtect Portal

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Collect Application and Process Data From Endpoints

Redistribute HIP Reports

Block Endpoint Access

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Certifications

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode Using the Windows Registry

Enable and Verify FIPS-CC Mode Using the macOS Property List

FIPS-CC Security Functions

Troubleshoot FIPS-CC Mode

View and Collect GlobalProtect Logs

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

Always On VPN Configuration

Remote Access VPN with Pre-Logon

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging in Panorama

Logging for GlobalProtect in PAN-OS

View a Graphical Display of GlobalProtect User Activity in PAN-OS

View All GlobalProtect Logs on a Dedicated Page in PAN-OS

Event Descriptions for the GlobalProtect Logs in PAN-OS

Filter GlobalProtect Logs for Gateway Latency in PAN-OS

Restrict Access to GlobalProtect Logs in PAN-OS

Forward GlobalProtect Logs to an External Service in PAN-OS

Configure Custom Reports for GlobalProtect in PAN-OS

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks

Ciphers Used to Set Up IPsec Tunnels

SSL APIs

GlobalProtect Overview
Get Started
- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
Authentication
GlobalProtect Gateways
GlobalProtect Portals
GlobalProtect Apps
- Deploy the GlobalProtect App to End Users
- Deploy App Settings Transparently
GlobalProtect Clientless VPN
Mobile Device Management