Device > User Identification > Authentication Portal
Edit the Authentication Portal Settings to configure the firewall to authenticate users whose traffic matches an Authentication policy rule.
If Authentication Portal uses an SSL/TLS Service Profile (Device > Certificate Management > SSL/TLS Service Profile), an Authentication Profile (Device > Authentication Profile), or a Certificate Profile (Device > Certificate Management > Certificate Profile), configure that profile before you begin. Configuring these profiles is only one part of the complete Authentication Portal procedure, which requires additional tasks.
Enable Authentication Portal to enforce Authentication policy (see Policies > Authentication).
Enable Authentication Portal
Select this option to enable Authentication Portal.
Idle Timer (min)
Enter the user time-to-live (TTL) value in minutes for an Authentication Portal session (range is 1 to 1,440; default is 15). This timer resets every time there is activity from an Authentication Portal user. If the idle time for a user exceeds the Idle Timer value, PAN-OS removes the Authentication Portal user mapping and the user must log in again.
Timer (min)
This is the maximum TTL in minutes, which is the maximum time that any Authentication Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer.
Always set the expiration Timer higher than the Idle Timer; if the Timer is equal to or lower than the Idle Timer, the expiration removes the mapping before the user could ever idle out, and the Idle Timer never takes effect.
SSL/TLS Service Profile
To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections.
In the SSL/TLS Service Profile, set the Min Version to TLSv1.2 and set the Max Version to Max to provide the strongest protection against SSL/TLS protocol vulnerabilities. Setting the Max Version to Max ensures that as stronger protocols become available, the firewall always uses the latest version.
To transparently redirect users without displaying certificate errors, assign a profile associated with a certificate that matches the IP address of the interface to which you are redirecting web requests.
Authentication Profile
You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Authentication Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0, because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object.
GlobalProtect Network Port for Inbound Authentication Prompts (UDP)
Specify the port that GlobalProtect™ uses to receive inbound authentication prompts from multi-factor authentication (MFA) gateways (range is 1 to 65,535; default is 4,501). To support multi-factor authentication, a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect endpoint receives a UDP message on the specified network port and the UDP message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (see Customize the GlobalProtect App).
Mode
Select how the firewall captures web requests for authentication (Transparent or Redirect):
Redirect mode is required if Authentication Portal uses Kerberos SSO, because the browser provides credentials only to trusted sites.
Redirect mode is also required if Authentication Portal uses multi-factor authentication (MFA).
Redirect Host (Redirect mode only)
Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.
Certificate Profile
You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication).
For this authentication type, Authentication Portal prompts the endpoint browser of the user to present a client certificate. Therefore, you must deploy client certificates to each user system. Furthermore, on the firewall, you must install the certificate authority (CA) certificate that issued the client certificates and assign the CA certificate to the Certificate Profile. This is the only authentication method that enables Transparent authentication for macOS and Linux endpoints.
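The settings above constrain one another (the expiration Timer must exceed the Idle Timer, Kerberos SSO and MFA require Redirect mode, Redirect mode needs a Redirect Host whose name the server certificate covers, and the UDP port must be a valid port). As an added example that is not part of this page or of any Palo Alto Networks tooling, the following Python linter checks an exported set of Authentication Portal settings against those constraints. The flat dictionary layout, its key names, the `cert_names` field and both sample configurations are assumptions constructed for the example; PAN-OS's own configuration format is XML and is not parsed here.

```python
"""Offline lint of Authentication Portal settings against the constraints
the settings reference describes. The flat dict layout is an assumed
simplification for this example, not PAN-OS's own configuration format."""

from typing import Any, Dict, List

TIMER_RANGE = (1, 1440)   # minutes; Idle Timer and Timer share this range
PORT_RANGE = (1, 65535)   # GlobalProtect inbound MFA prompt port (UDP)
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3, "Max": 99}


def lint_auth_portal(cfg: Dict[str, Any]) -> List[str]:
    """Return 'LEVEL: message' findings; an empty list means the settings are clean."""
    findings: List[str] = []
    say = findings.append

    if not cfg.get("enabled", False):
        say("ERROR: Authentication Portal is disabled, so Authentication policy is not enforced")

    # Both timers must be in range, and expiration must beat idle or idle never fires.
    idle = int(cfg.get("idle_timer_min", 15))
    expiry = int(cfg.get("timer_min", 60))
    lo, hi = TIMER_RANGE
    for label, value in (("Idle Timer", idle), ("Timer", expiry)):
        if not lo <= value <= hi:
            say(f"ERROR: {label} {value} min is outside {lo}-{hi}")
    if expiry <= idle:
        say(f"ERROR: Timer ({expiry} min) must be higher than Idle Timer ({idle} min)")

    port = int(cfg.get("gp_mfa_udp_port", 4501))
    lo, hi = PORT_RANGE
    if not lo <= port <= hi:
        say(f"ERROR: GlobalProtect MFA UDP port {port} is outside {lo}-{hi}")

    # Mode requirements: Kerberos SSO and MFA only work in Redirect mode,
    # and Redirect mode needs a resolvable Redirect Host.
    mode = cfg.get("mode", "transparent")
    if mode not in ("transparent", "redirect"):
        say(f"ERROR: unknown mode {mode!r}")
    if cfg.get("kerberos_sso") and mode != "redirect":
        say("ERROR: Kerberos SSO requires Redirect mode (browsers send credentials only to trusted sites)")
    if cfg.get("mfa") and mode != "redirect":
        say("ERROR: multi-factor authentication requires Redirect mode")
    if mode == "redirect" and not cfg.get("redirect_host"):
        say("ERROR: Redirect mode needs a Redirect Host that resolves to the Layer 3 interface address")

    # SSL/TLS Service Profile: no profile means the local default certificate,
    # weak Min Version or a pinned Max Version weakens the redirect, and a
    # certificate that does not name the Redirect Host causes browser errors.
    tls = cfg.get("ssl_tls_profile")
    if tls is None:
        say("WARN: no SSL/TLS Service Profile; the local default certificate will trigger browser certificate errors")
    else:
        if TLS_RANK.get(tls.get("min_version", "TLSv1.0"), -1) < TLS_RANK["TLSv1.2"]:
            say("WARN: SSL/TLS Service Profile Min Version should be TLSv1.2")
        if tls.get("max_version") != "Max":
            say("WARN: SSL/TLS Service Profile Max Version should be Max so newer protocol versions are used")
        host = cfg.get("redirect_host")
        if mode == "redirect" and host and host not in tls.get("cert_names", []):  # cert_names: assumed CN/SAN list
            say(f"WARN: profile certificate does not name redirect host {host!r}; users will see certificate errors")

    if mode == "transparent" and not cfg.get("certificate_profile"):
        say("INFO: without a Certificate Profile, Transparent mode cannot authenticate macOS and Linux endpoints")

    return findings


# Constructed sample exports (assumed layout): one misconfigured, one hardened.
WEAK = {
    "enabled": True,
    "idle_timer_min": 120, "timer_min": 60,   # expiration below idle
    "gp_mfa_udp_port": 70000,                 # not a valid port
    "mode": "transparent", "kerberos_sso": True,
    "ssl_tls_profile": None,
}
HARDENED = {
    "enabled": True,
    "idle_timer_min": 15, "timer_min": 60,
    "gp_mfa_udp_port": 4501,
    "mode": "redirect", "kerberos_sso": True, "mfa": True,
    "redirect_host": "authportal.corp.example",
    "ssl_tls_profile": {"min_version": "TLSv1.2", "max_version": "Max",
                        "cert_names": ["authportal.corp.example"]},
    "certificate_profile": "corp-client-certs",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, *(lint_auth_portal(cfg) or ["clean"]), sep="\n  ")
```

Running the block reports five findings for the weak export (three errors, one warning, one informational note) and none for the hardened one. The Timer-versus-Idle-Timer check is the one most often missed in practice, since both values are individually in range.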