You can configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. For example, you can require users to enter a login password and then enter a verification code that they receive by phone before allowing access to important financial documents. This approach helps prevent attackers from accessing every service and application in your network simply by stealing passwords. Of course, not every service and application requires the same degree of protection, and MFA might not be necessary for less sensitive services and applications that users access frequently. To accommodate a variety of security needs, you can configure Authentication Policy rules that trigger MFA or a single authentication factor (such as login credentials or certificates) based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it is important to understand how policy evaluation affects the user experience. When a user requests a service or application, the firewall first evaluates Authentication policy. If the request matches an Authentication policy rule with MFA enabled, the firewall displays a Captive Portal web form so that the user can authenticate for the first factor. If authentication succeeds, the firewall displays an MFA login page for each additional factor. Some MFA services prompt the user to choose one factor out of two to four, which is useful when some factors are unavailable. If authentication succeeds for all factors, the firewall evaluates Security policy for the requested service or application.
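The evaluation order described above, modelled as an added example (not code from the PAN-OS documentation): rules are matched top to bottom on service and user, the first factor is collected on the Captive Portal form, each further factor gets its own MFA login page, a failed factor stops evaluation, and only full success reaches Security policy. The rule names, service names, user names and the "no matching rule proceeds to Security policy" behaviour are constructed assumptions for illustration.

```python
# Added example (not from the PAN-OS documentation): a small model of how
# Authentication policy evaluation gates Security policy evaluation.
from dataclasses import dataclass


@dataclass
class AuthRule:
    name: str
    services: frozenset      # services/applications the rule matches
    users: frozenset         # user names, or {"any"} for every user
    factors: tuple           # factors in order; more than one factor means MFA


@dataclass
class FakeIdentityBackends:
    """Constructed stand-in for the first-factor and MFA vendor back ends."""
    passing: frozenset       # (user, factor) pairs that authenticate successfully

    def verify(self, user: str, factor: str) -> bool:
        return (user, factor) in self.passing


def evaluate(rules, backends, user, service):
    """First matching rule wins (rules are ordered top to bottom).
    Returns the challenges the user sees and whether Security policy is reached."""
    rule = next((r for r in rules if service in r.services
                 and ("any" in r.users or user in r.users)), None)
    if rule is None:
        # Assumed here: no Authentication policy match means no challenge and
        # the request continues to Security policy evaluation.
        return {"rule": None, "challenges": [], "security_policy_evaluated": True}
    challenges = []
    for i, factor in enumerate(rule.factors):
        # First factor: Captive Portal web form; each additional factor: MFA login page.
        challenges.append(f"{'captive-portal' if i == 0 else 'mfa-login'}:{factor}")
        if not backends.verify(user, factor):
            # A failed factor ends evaluation; Security policy is never consulted.
            return {"rule": rule.name, "challenges": challenges, "security_policy_evaluated": False}
    return {"rule": rule.name, "challenges": challenges, "security_policy_evaluated": True}


# Constructed sample policy: the specific MFA rule sits above the general rule,
# so finance-portal requests never fall through to the single-factor rule.
RULES = [
    AuthRule("finance-docs-mfa", frozenset({"finance-portal"}), frozenset({"any"}), ("saml-sso", "push")),
    AuthRule("intranet-single-factor", frozenset({"intranet", "finance-portal"}), frozenset({"any"}), ("saml-sso",)),
]
BACKENDS = FakeIdentityBackends(frozenset({("alice", "saml-sso"), ("alice", "push"), ("bob", "saml-sso")}))

if __name__ == "__main__":
    for user, svc in [("alice", "finance-portal"), ("bob", "finance-portal"), ("bob", "intranet")]:
        print(user, svc, evaluate(RULES, BACKENDS, user, svc))
```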
To reduce the frequency of authentication challenges that interrupt the user workflow, you can configure the first factor to use Kerberos or SAML single sign-on (SSO), but not NT LAN Manager (NTLM) authentication.
To implement MFA for GlobalProtect, refer to Configure GlobalProtect to facilitate multi-factor authentication notifications.
You cannot use MFA authentication profiles in authentication sequences.
For end-user authentication via Authentication Policy, the firewall directly integrates with several MFA platforms (Duo v2, Okta Adaptive, PingID, and RSA SecurID), and integrates through RADIUS or SAML with all other MFA platforms. For remote user authentication to GlobalProtect portals and gateways, and for administrator authentication to the Panorama and PAN-OS web interface, the firewall integrates with MFA vendors using RADIUS and SAML only.
The firewall supports the following MFA factors:

Push: An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.

Short message service (SMS): An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

Voice: An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

One-time password (OTP): An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.