Check for any license or role requirements for the products you're
license or AIOps for NGFW license
An authentication enforcement object specifies the method and
service to use for authenticating end users who access your network
resources. You assign the object to Authentication policy rules,
which invoke the authentication method and service when traffic
matches a rule.
The following are the predefined, read-only authentication enforcement
user authentication credentials are transparently obtained. If you
select this action, you must enable Kerberos Single Sign-On (SSO)
or NT LAN Manager (NTLM) authentication when you configure the Authentication
Portal. If Kerberos SSO authentication fails, the fallback is
NTLM authentication. If you did not configure NTLM, or NTLM
authentication fails, then the fallback is the authentication
method specified in the predefined default-web-form object.
—To authenticate users,
the certificate profile or authentication profile you specified
when configuring the Authentication Portal is used. If you specified
an authentication profile, any Kerberos SSO settings in the profile
are used and an Authentication Portal page is presented for the user
to enter authentication credentials.
policy is authenticated without authenticating users.
Before creating a custom authentication enforcement object:
Configure a server profile that
specifies how to connect to the authentication service.
Assign the server profile to an authentication profile that
specifies authentication settings such as Kerberos single sign-on
To configure authentication, go to:
on Cloud Managed deployments.
on PAN-OS and Panorama Managed deployments.
A custom authentication enforcement object consists of the following
Enter a descriptive name (up to 31 characters)
to help you identify the object when defining Authentication rules.
The name is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
Select this option if you want the object
to be available to:
Every virtual system (vsys) on
a multi-vsys. If you clear this selection, the object will be available
only to the
selected in the
Every device group on Panorama. If you clear this selection,
the object will be available only to the
Disable override (
Select this option to prevent administrators
from overriding the settings of this authentication enforcement
object in device groups that inherit the object. This selection
is cleared by default, which means administrators can override the
settings for any device group that inherits the object.
Select a method:
user authentication credentials are transparently obtained. If you
select this action, the
select must have Kerberos SSO enabled.
—To authenticate users, the
certificate profile you specified when configuring the Authentication
Portal or the
select in the authentication enforcement object is used. If you
, any Kerberos
SSO settings in the profile are ignored and an Authentication Portal
page for the user to enter authentication credentials is presented.
—The Security policy
is evaluated without authenticating users.
Select the authentication profile that specifies
the service to use for validating the identities of users.
Enter instructions that tell users how to
respond to the first authentication challenge that they see when
their traffic triggers the Authentication rule. The message displays
Authentication Portal Comfort Page
If you don’t enter a message, the default
Portal Comfort Page
Portal Comfort Page
is displayed only for the first
authentication challenge (factor), which you define in the
of the Authentication profile. For multi-factor authentication (MFA)
challenges that you define in the
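
The naming and method rules for a custom authentication enforcement object can be checked before the object is created. The following is an added example, not Palo Alto Networks code: the method labels, the dictionary layout, and the restriction to ASCII letters are assumptions made for illustration.

```python
import re

# Name rule from the page: up to 31 characters, only letters, numbers,
# spaces, hyphens and underscores. ASCII letters and a 1-character
# minimum are assumptions of this sketch.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")

# Placeholder labels for the three methods (assumed, not product values).
TRANSPARENT, WEB_FORM, NO_AUTH = "transparent", "web-form", "no-auth"


def lint_object(obj, existing_names, profiles):
    """Return findings for one custom authentication enforcement object.

    obj            -- {'name': str, 'method': str, 'profile': str or None}
    existing_names -- set of names already defined (case-sensitive)
    profiles       -- {profile name: {'kerberos_sso': bool}}
    """
    findings = []
    name = obj.get("name") or ""
    if not NAME_RE.fullmatch(name):
        findings.append("error: name must be 1-31 letters, numbers, "
                        "spaces, hyphens or underscores")
    if name in existing_names:  # exact match only: names are case-sensitive
        findings.append("error: name is already in use")

    method, prof_name = obj.get("method"), obj.get("profile")
    profile = profiles.get(prof_name) if prof_name else None
    if prof_name and profile is None:
        findings.append(f"error: unknown authentication profile {prof_name!r}")
    elif method == TRANSPARENT:
        # Transparent credential retrieval needs Kerberos SSO in the profile.
        if profile is None or not profile["kerberos_sso"]:
            findings.append("error: transparent method requires a profile "
                            "with Kerberos SSO enabled")
    elif method == WEB_FORM:
        # The web form ignores Kerberos SSO settings in the selected profile.
        if profile and profile["kerberos_sso"]:
            findings.append("note: Kerberos SSO settings in the profile are "
                            "ignored; users see the portal page")
    elif method != NO_AUTH:
        findings.append(f"error: unknown method {method!r}")
    return findings


# Constructed sample data, not taken from any real configuration.
PROFILES = {"corp-kerberos": {"kerberos_sso": True},
            "ldap-only": {"kerberos_sso": False}}
EXISTING = {"Guest-Portal"}
```

Calling `lint_object` with a candidate definition, `EXISTING` and `PROFILES` returns an empty list when the object satisfies every rule above.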