Device > Server Profiles > Multi Factor Authentication
Use this page to configure a multi-factor authentication (MFA) server profile that defines how the firewall connects to an MFA server. MFA can protect your most sensitive resources by ensuring that attackers cannot access your network and move laterally through it by compromising a single authentication factor (for example, stealing login credentials). After configuring the server profile, assign it to authentication profiles for the services that require authentication (see Device > Authentication Profile).
For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML:
- Remote user authentication through GlobalProtect™ portals and gateways.
- Administrator authentication in the PAN-OS and Panorama™ web interface.
- Authentication through Authentication policy.
The firewall can also integrate with MFA vendors through the API to enforce MFA through Authentication policy. This API integration applies to end-user authentication only, not to GlobalProtect authentication or administrator authentication.
The complete procedure to configure MFA requires additional tasks besides creating a server profile.
Authentication sequences do not support authentication profiles that specify MFA server profiles.
If the firewall integrates with your MFA vendor through RADIUS, configure a RADIUS server profile (see Device > Server Profiles > RADIUS). The firewall supports all MFA vendors through RADIUS.
MFA Server Settings
Profile Name
Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
On a firewall that has more than one virtual system (vsys), select a vsys or the Shared location. After you save the profile, you cannot change its Location.
Certificate Profile
Select the Certificate Profile that specifies the certificate authority (CA) certificate that the firewall will use to validate the MFA server certificate when setting up a secure connection to the server. For details, see Device > Certificate Management > Certificate Profile.
MFA Vendor / Value
Select an MFA Vendor and enter a Value for each vendor attribute. The attributes vary by vendor. Refer to your vendor documentation for the correct values.