You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before allowing access to important financial documents. This approach helps to prevent attackers from accessing every service and application in your network just by stealing passwords. Of course, not every service and application requires the same degree of protection, and MFA might not be necessary for less sensitive services and applications that users access frequently. To accommodate a variety of security needs, you can Configure Authentication Policy rules that trigger MFA or a single authentication factor (such as login credentials or certificates) based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it’s important to understand how policy evaluation affects the user experience. When a user requests a service or application, the firewall first evaluates Authentication policy. If the request matches an Authentication policy rule with MFA enabled, the firewall displays a Captive Portal web form so that users can authenticate for the first factor. If authentication succeeds, the firewall displays an MFA login page for each additional factor. Some MFA services prompt the user to choose one factor out of two to four, which is useful when some factors are unavailable. If authentication succeeds for all factors, the firewall evaluates Security policy for the requested service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can configure the first factor to use Kerberos or SAML single sign-on (SSO) but not NT LAN Manager (NTLM) authentication.
To implement MFA for GlobalProtect, refer to Configure GlobalProtect to facilitate multi-factor authentication notifications.
You cannot use MFA authentication profiles in authentication sequences.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, PingID, and Okta Adaptive) and integrating through RADIUS with all other MFA platforms.
For end-user authentication via Authentication Policy, the firewall directly integrates with several MFA platforms (Duo v2, Okta Adaptive, PingID, and RSA SecurID), as well as integrating through RADIUS or SAML for all other MFA platforms. For remote user authentication to GlobalProtect portals and gateways and for administrator authentication to the Panorama and PAN-OS web interface, the firewall integrates with MFA vendors using RADIUS and SAML only.
The firewall supports the following MFA factors:
An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS)
An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP)
An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Device > Server Profiles > Multi Factor Authentication
Device > Server Profiles > Multi Factor Authentication Use this page to configure a multi-factor authentication (MFA) server profile that defines how the firewall connects ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Configure Local or External Authentication for Firewall Adm...
Configure Local or External Authentication for Firewall Administrators You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Plan Your Authentication Deployment
Plan Your Authentication Deployment The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end ...
Configure GlobalProtect to Facilitate Multi-Factor Authenti...
Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications To protect critical applications and stop attackers from using stolen credentials to conduct lateral movement throughout your network, ...
Authentication Timestamps When configuring an Authentication policy rule, you can specify a timeout period during which a user authenticates only for initial access to services ...
Configure RADIUS Authentication for Panorama Administrators
Configure RADIUS Authentication for Panorama Administrators You can use a RADIUS server to authenticate administrative access to the Panorama web interface. You can also define ...