You can configure Multi-Factor Authentication (MFA) to ensure that each user
authenticates using multiple methods (factors) when accessing highly
sensitive services and applications. For example, you can force
users to enter a login password and then enter a verification code
that they receive by phone before allowing access to important financial
documents. This approach helps to prevent attackers from accessing
every service and application in your network just by stealing passwords.
Of course, not every service and application requires the same degree
of protection, and MFA might not be necessary for less sensitive
services and applications that users access frequently. To accommodate
a variety of security needs, you can configure Authentication Policy rules that trigger MFA or a single
authentication factor (such as login credentials or certificates)
based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it’s important to
understand how policy evaluation affects the user experience. When a user requests a
service or application, the firewall first evaluates Authentication policy. If the
request matches an Authentication policy rule with MFA enabled, the firewall displays an
Authentication Portal web form so that users can authenticate for the first factor. If
authentication succeeds, the firewall displays an MFA login page for each additional
factor. Some MFA services prompt the user to choose one factor out of two to four, which
is useful when some factors are unavailable. If authentication succeeds for all factors,
the firewall evaluates Security policy for the requested service or
application.
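The evaluation order just described, written out as an added, constructed model (not PAN-OS code; rule names, users, services and factor outcomes are hypothetical): Authentication policy is matched first, then the first factor, then each additional MFA factor, and Security policy is consulted only after every factor passes. A factor step given as a list models an MFA service that lets the user pick one available factor out of several.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Union

# Constructed model of the evaluation order described above; not PAN-OS code.
# A factor step is one factor name, or a list of alternatives the MFA service
# lets the user choose from (the "one factor out of two to four" case).
FactorStep = Union[str, List[str]]
FactorCheck = Callable[[str], Optional[bool]]  # True/False, or None when unavailable
Request = NamedTuple("Request", [("user", str), ("service", str)])

@dataclass
class AuthRule:
    name: str
    services: List[str]        # requested services/applications this rule covers
    users: List[str]           # "any" matches every user
    factors: List[FactorStep]  # first entry is the first factor, the rest are MFA factors

def match_auth_rule(rules: List[AuthRule], req: Request) -> Optional[AuthRule]:
    # Top-down, first match wins, as with the firewall's rulebases.
    for rule in rules:
        if req.service in rule.services and ("any" in rule.users or req.user in rule.users):
            return rule
    return None

def run_factor(step: FactorStep, user: str, checks: Dict[str, FactorCheck]) -> bool:
    # A single factor must pass; for an alternatives list, one available factor passing suffices.
    options = [step] if isinstance(step, str) else step
    return any(checks[name](user) is True for name in options)

def evaluate(rules: List[AuthRule], req: Request, checks: Dict[str, FactorCheck],
             security_policy: Callable[[Request], bool]) -> str:
    # Authentication policy is consulted first; Security policy only once every factor passes.
    rule = match_auth_rule(rules, req)
    if rule is not None:
        for step in rule.factors:
            if not run_factor(step, req.user, checks):
                return f"denied: {step} failed"  # Security policy is never reached
    return "allowed" if security_policy(req) else "denied: security policy"

# Constructed sample rule, factor outcomes and Security policy (hypothetical names).
RULES = [
    AuthRule("finance-mfa", ["finance-docs"], ["any"], ["password", ["push", "otp"]]),
]
CHECKS: Dict[str, FactorCheck] = {
    "password": lambda u: u in {"alice", "bob"},
    "push": lambda u: None if u == "alice" else False,  # alice's phone is offline
    "otp": lambda u: u == "alice",
}
def security_policy(req: Request) -> bool:
    return req.service != "blocked-app"
```

A request that fails any factor is denied before Security policy is evaluated, while a request matching no Authentication policy rule goes straight to Security policy.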
To reduce the frequency of authentication challenges that
interrupt the user workflow, configure the first factor to use Kerberos or SAML single sign-on
(SSO) authentication.
To implement MFA for GlobalProtect, refer to Configure GlobalProtect to facilitate multi-factor
authentication notifications.
You cannot use MFA authentication
profiles in authentication sequences.
For end-user authentication via Authentication
Policy, the firewall integrates directly with several MFA platforms (Duo v2,
Okta Adaptive, PingID, and RSA SecurID) and integrates through
RADIUS or SAML with all other MFA platforms. For remote user authentication to
GlobalProtect portals and gateways, and for administrator authentication to the Panorama
and PAN-OS web interface, the firewall integrates with MFA vendors using RADIUS and SAML
only.
The firewall supports the following MFA factors:

Factor: Push
Description: An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.

Factor: Short message service (SMS)
Description: An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

Factor: Voice
Description: An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

Factor: One-time password (OTP)
Description: An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.