Authentication Policy and Multi-Factor Authentication for GlobalProtect
You can now leverage the new Authentication Features within GlobalProtect to support access to non-browser-based applications that require multi-factor authentication. On Windows and Mac endpoints, GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.
A GlobalProtect client is a requirement for multi-factor authentication on non-browser applications. For browser-based applications that require multi-factor authentication, users are automatically presented with Authentication Portal page (previously called the Captive Portal page). For non-browser applications, if a session matches an Authentication policy rule, then the firewall will send a UDP notification to the GlobalProtect client with an embedded URL link to the Authentication Portal page. GlobalProtect displays this message as a pop up notification to the user.
You can customize the message that GlobalProtect users see when prompted to authenticate. Clicking this link sends the user to the Authentication Portal page where they can start the multi-factor authentication process (the same as with browser-based HTTP applications).
- Before you configure GlobalProtect, configure
multi-factor authentication on the firewall.To use multi-factor authentication for protecting sensitive resources, the easiest solution is to integrate the firewall with an MFA vendor that is already established in your network. When your MFA structure is ready, you can start configuring the components of your authentication policy. For more information, refer to Configure Multi-Factor Authentication.
- Enable Captive Portal to record authentication timestamps and update user mappings.
- Create server profiles that define how the firewall will connect to the services that authenticate users.
- If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are using GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile is sufficient.
- Assign the server profiles to an Authentication profile which specifies authentication parameters.
- Configure a Security policy rule that allows users to access the resources that require authentication.
- For GlobalProtect to support multi-factor authentication on external gateways, you must configure a response page on the tunnel interface. Refer to Authentication Policy and Multi-Factor Authentication for more information on how to configure an MFA Login response page.
- Configure GlobalProtect clients to display multi-factor authentication notifications for non-browser-based applications on Windows and Mac endpoints. In an App configuration, configure the following
- Enable Inbound Authentication Prompts from MFA Gateways to Yes. To support multi-factor authentication (MFA), a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect client to receive and acknowledge the prompt. By default, the value is set to No meaning GlobalProtect will block UDP prompts from the gateway.
- Specify the Network Port for Inbound Authentication Prompts (UDP) a GlobalProtect client uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
- Specify the list of Trusted MFA Gateways a GlobalProtect client will trust for multi-factor authentication. When a GlobalProtect client receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.
- Configure the Inbound Authentication Message. GlobalProtect automatically appends the URL of the Authentication Portal page you configured in the first step to the message.
- Save the agent configuration (click OK twice), and then Commit your changes.
Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications To protect critical applications and stop attackers from using stolen credentials to conduct lateral movement throughout your network, ...
Multi-Factor Authentication You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. ...
Authentication Policy and Multi-Factor Authentication
Authentication Policy and Multi-Factor Authentication To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. ...
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Device > User Identification > Captive Portal Settings
Device > User Identification > Captive Portal Settings Edit ( ) the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches ...
Multi-Factor Authentication for Non-Browser-Based Applications
Multi-Factor Authentication for Non-Browser-Based Applications ( Windows and Mac only ) For sensitive, non-browser-based network resources (for example, financial applications or software development applications) that ...
Configure Authentication Policy
Configure Authentication Policy Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your ...
Customize the GlobalProtect Agent
Customize the GlobalProtect Agent The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems ...
Objects > Authentication
Objects > Authentication An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign ...