Configure Multiple Portals in Prisma Access
Table of Contents
Configure Multiple Portals in Prisma Access
You can configure two portals based on port numbers in the same Prisma Access tenant, with each
portal supporting a different authentication method. Enable this feature to migrate
mobile users from one authentication method to another without creating a new Prisma
Access tenant. This feature depends on the authentication
override cookie settings, and are enabled for both portals and on gateways.
When configuring multiple GlobalProtect portals with Traffic Steering, do not
configure
Accept Default Routes over Service Connections
(); if you do, mobile users cannot connect to the secondary
portal.- Contact your Palo Alto Networks account team to activate this functionality.
- Configure a mobile user and the authentication method for it.The minimum required version of the GlobalProtect Client version is 6.1.
- Select .
- Enable Multiple Portal for Multiple Authentication Methods.
The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
- Edit the portal configurations to update the authentication settings.
- Click the portal hyperlink or select and click the portal hyperlink.
- In theAuthenticationsection,AddaClient Authenticationwith a differentAuthentication Profile.
You can edit only theClient AuthenticationandCertificate Profileauthentication settings.If you use certificate-based authentication in both portals, ensure that the gateway doesn't have certificate-based authentication.This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.
This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings.
- Commit all your changes to Panorama and push the configuration changes to Prisma Access.
- Click .
- Edit Selectionsand, in thePrisma Accesstab, make sure thatMobile Usersis selected in thePush Scope, then clickOK.
- ClickCommit and Push.
- Add the portals manually or using endpoint management software in the GlobalProtect app.
- Verify if you can connect to both portals with different authentication profiles for the gateway.
- Log in to your Windows machine.
- Connect to the portals in your GlobalProtect app.When you change the connection between portals of different authentication methods, authenticate the user login.
If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to theBest Available Gateway.If your GlobalProtect app uses cached portal configurations, fallback to portal does not work. - View logs for both portals in to see the portal and authentication information.
If you're using SAML-based authentication for the
secondary portal, enter the values as follows while integrating:
- Single sign on URL: Enterhttps://Portal-FQDN:443/SAML20/SP/ACSPortal-FQDNis the FQDN for the Prisma Access portalUse portal443even if you have configured the secondary portal (8443).
- Audience URI (SP Entity ID): Enterhttps://Portal-FQDN:443/SAML20/SP