Building Blocks of an Authentication Policy Rule
Whenever a user requests a resource (such as when visiting a web page), the firewall evaluates Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or one-time password (OTP) authentication. After the user responds to all the factors, the firewall evaluates Security policy (see Policies > Security) to determine whether to allow access to the resource.
The firewall does not prompt users to authenticate if they access non-web-based resources (such as a printer) through a GlobalProtect™ gateway that is internal or in tunnel mode. Instead, the users will see connection failure messages. To ensure users can access these resources, set up an authentication portal and train users to visit it when they see connection failures. Consult your IT department to set up an authentication portal.
The following table describes each building block or component in an Authentication policy rule. Before you Add a rule, complete the prerequisites described in Create and Manage Authentication Policy.
Building Blocks in an Authentication Rule
Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filters, the Policies > Authentication page lists each rule with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. For details, see rule sequence and its evaluation order.
Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Enter a description for the rule (up to 255 characters).
Select a tag for sorting and filtering rules (see Objects > Tags).
Add zones to apply the rule only to traffic coming from interfaces in the zones that you specify (default is any).
To define new zones, see Network > Zones.
Add addresses or address groups to apply the rule only to traffic originating from the sources that you specify (default is any).
Select Negate to choose any address except the selected ones.
Select the source users or user groups to which the rule applies:
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID™ agent, the list of users does not display; you must enter user information manually.
Source HIP Profile
Add host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions. For details and to define new HIPs, see Objects > GlobalProtect > HIP Profiles.
Add zones to apply the rule only to traffic going to interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.
Add addresses or address groups to apply the rule only to the destinations that you specify (default is any).
Select Negate to choose any address except the selected ones.
Select from the following options to apply the rule only to services on specific TCP and UDP port numbers:
Select the URL categories to which the rule applies:
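To make the matching criteria above concrete, here is an added example (not from the PAN-OS documentation or product code) of a first-match evaluator over an ordered rulebase. The Rule and Request classes, the sample rulebase, and the enforcement object names are assumptions; the point it shows is how "any" defaults, address Negate, and evaluation order combine to select a rule.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example of Authentication policy rule matching.
# Field names mirror the building blocks described above; the classes,
# sample rulebase and enforcement names are assumptions for illustration.

ANY = "any"


def _any_set():
    return {ANY}


@dataclass
class Rule:
    name: str
    source_zones: set = field(default_factory=_any_set)
    source_addresses: set = field(default_factory=_any_set)   # CIDR strings
    negate_source: bool = False
    source_users: set = field(default_factory=_any_set)
    destination_zones: set = field(default_factory=_any_set)
    destination_addresses: set = field(default_factory=_any_set)
    negate_destination: bool = False
    services: set = field(default_factory=_any_set)           # e.g. "tcp/443"
    url_categories: set = field(default_factory=_any_set)
    enforcement: str = "default-web-form"                     # assumed object name
    timeout_min: int = 60


@dataclass
class Request:
    source_zone: str
    source_ip: str
    user: str
    destination_zone: str
    destination_ip: str
    service: str
    url_category: str


def _addr_match(selected, negate, ip):
    """Address match with the Negate option: 'any address except the selected ones'."""
    if ANY in selected:
        hit = True
    else:
        hit = any(ip_address(ip) in ip_network(n, strict=False) for n in selected)
    return (not hit) if negate else hit


def _simple_match(selected, value):
    return ANY in selected or value in selected


def matches(rule, req):
    return (_simple_match(rule.source_zones, req.source_zone)
            and _addr_match(rule.source_addresses, rule.negate_source, req.source_ip)
            and _simple_match(rule.source_users, req.user)
            and _simple_match(rule.destination_zones, req.destination_zone)
            and _addr_match(rule.destination_addresses, rule.negate_destination,
                            req.destination_ip)
            and _simple_match(rule.services, req.service)
            and _simple_match(rule.url_categories, req.url_category))


def evaluate(rulebase, req):
    """Return the first matching rule in evaluation order (list order), or None."""
    for rule in rulebase:
        if matches(rule, req):
            return rule
    return None


# Constructed sample rulebase, listed in evaluation order.
RULEBASE = [
    Rule(name="mfa-to-datacenter",
         source_zones={"trust"}, destination_zones={"datacenter"},
         destination_addresses={"10.20.0.0/16"}, services={"tcp/443"},
         enforcement="mfa-web-form", timeout_min=30),
    Rule(name="no-auth-for-kiosk-subnet",
         source_addresses={"10.1.50.0/24"}, enforcement="default-no-captive-portal"),
    Rule(name="web-form-everything-else",
         source_addresses={"10.1.50.0/24"}, negate_source=True,
         enforcement="default-web-form"),
]


def which_rule(req):
    rule = evaluate(RULEBASE, req)
    return rule.name if rule else None
```

A request that fails every rule returns None, which mirrors the page's point that Authentication policy only challenges users for traffic a rule actually matches; Security policy is evaluated afterwards regardless.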
Select the authentication enforcement object (Objects > Authentication) that specifies the method (such as Captive Portal or browser challenge) and authentication profile that the firewall uses to authenticate users. The authentication profile defines whether users respond to a single challenge or to multi-factor authentication (see Device > Authentication Profile). You can select a predefined or custom authentication enforcement object.
To reduce the frequency of authentication challenges that interrupt the user workflow, specify the Timeout in minutes (default is 60). Within that interval, the firewall prompts the user to authenticate only once, even for repeated access to resources that match the rule.
If the Authentication Enforcement object specifies multi-factor authentication, the user must authenticate once for each factor. The firewall records a timestamp and reissues a challenge only when the timeout for a factor expires. Redistributing the timestamps to other firewalls enables you to apply the timeout even if the firewall that initially allows access for a user is not the same firewall that later controls access for that user.
Log Authentication Timeouts
Select this option (disabled by default) if you want the firewall to generate Authentication logs whenever the Timeout associated with an authentication factor expires. Enabling this option provides more data to troubleshoot access issues. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network (such as brute force attacks).
Enabling this option increases log traffic.
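The Timeout and Log Authentication Timeouts behaviour described above, shown as an added example (not PAN-OS code): a per-user, per-factor timestamp cache that reissues a challenge only for factors whose timeout has expired, logs each expiry when the option is enabled, and can export its timestamps so a second firewall honours them. The class, method names, and the fake clock are assumptions made for the illustration.

```python
import time

# Constructed example of per-factor authentication timeouts.
# AuthTimeoutCache, its methods and the demo clock are assumptions;
# the behaviour follows the description of Timeout and Log Authentication Timeouts.


class AuthTimeoutCache:
    def __init__(self, timeout_min, log_timeouts=False, clock=time.time):
        self.timeout_sec = timeout_min * 60
        self.log_timeouts = log_timeouts      # the "Log Authentication Timeouts" option
        self.clock = clock
        self._stamps = {}                     # (user, factor) -> time of last success
        self.logs = []                        # Authentication log entries generated here

    def record_success(self, user, factor):
        self._stamps[(user, factor)] = self.clock()

    def factors_to_challenge(self, user, factors):
        """Return the factors the user must answer now: never authenticated, or expired."""
        now = self.clock()
        due = []
        for factor in factors:
            stamp = self._stamps.get((user, factor))
            if stamp is None:
                due.append(factor)
            elif now - stamp >= self.timeout_sec:
                due.append(factor)
                del self._stamps[(user, factor)]   # expire once, so it is logged once
                if self.log_timeouts:
                    self.logs.append(f"auth-timeout user={user} factor={factor}")
        return due

    def export_timestamps(self):
        """Timestamps to redistribute to other firewalls."""
        return dict(self._stamps)

    def import_timestamps(self, stamps):
        """Merge redistributed timestamps, keeping the most recent per (user, factor)."""
        for key, stamp in stamps.items():
            if stamp > self._stamps.get(key, 0.0):
                self._stamps[key] = stamp


def demo():
    """Walk two firewalls through one user's MFA session with a controllable clock."""
    clock = {"now": 1_000_000.0}
    tick = lambda: clock["now"]
    fw_a = AuthTimeoutCache(timeout_min=60, log_timeouts=True, clock=tick)
    fw_b = AuthTimeoutCache(timeout_min=60, log_timeouts=True, clock=tick)
    factors = ["password", "push"]

    first = fw_a.factors_to_challenge("alice", factors)   # both factors due
    for f in factors:
        fw_a.record_success("alice", f)

    clock["now"] += 10 * 60
    second = fw_a.factors_to_challenge("alice", factors)  # nothing due yet

    fw_b.import_timestamps(fw_a.export_timestamps())      # redistribution
    third = fw_b.factors_to_challenge("alice", factors)   # fw_b honours fw_a's stamps

    clock["now"] += 55 * 60                               # 65 min after success
    fourth = fw_b.factors_to_challenge("alice", factors)  # both expired, both logged
    return first, second, third, fourth, list(fw_b.logs)
```

Without the import step, fw_b would have challenged the user immediately even though fw_a had just authenticated them, which is the case the page describes for redistributing timestamps.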