New Authentication Features
SAML 2.0 Authentication
The firewall and Panorama™ can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign-on (SSO) and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization.
In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts in the identity provider (IdP) identity store.
Authentication Policy and Multi-Factor Authentication
To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources. Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can’t invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don’t need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.
TACACS+ User Account Management
To use a Terminal Access Controller Access-Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor-Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama.
Authentication Using Custom Certificates
You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks® firewalls and appliances for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying unique certificates for each device, you can establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates.
You can also deploy custom certificates for mutual authentication between the firewall and Windows User-ID™ Agent. This allows the firewall to confirm the Windows User-ID Agent's identity before accepting User-ID information from the agent. Deploy a custom certificate on the Windows User-ID Agent and a certificate profile on the firewall, containing the CA of the certificate, to establish a unique trust chain between the two devices.
Authentication for External Dynamic Lists
The firewall now validates the digital certificates of SSL/TLS servers that host external dynamic lists, and, if the servers enforce basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the lists. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel.
Authentication Features SAML 2.0 Authentication Authentication Policy and Multi-Factor Authentication TACACS+ User Account Management Authentication Using Custom Certificates Authentication for External Dynamic Lists ...
SAML 2.0 Authentication
SAML 2.0 Authentication You can now use Security Assertion Markup Language ( SAML ) 2.0 to authenticate administrators who access the firewall or Panorama web ...
Set Up SAML Authentication
Set Up SAML Authentication Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Plan Your Authentication Deployment
Plan Your Authentication Deployment The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end ...
External Authentication Services
External Authentication Services The firewall and Panorama can use external servers to control administrative access to the web interface and end user access to services ...
SAML 2.0 Authentication for GlobalProtect
SAML 2.0 Authentication for GlobalProtect GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication . If you have chosen SAML as your authentication standard, ...
Authentication Authentication is a method for protecting services and applications by verifying the identities of users so that only legitimate users have access. Several firewall ...
Configure Captive Portal
Configure Captive Portal The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests ...