Overview

When a user requests a service or application, such as by visiting a web page, the firewall evaluates the authentication policy. Based on the matching authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors). After the user authenticates for all factors, the firewall evaluates the Security Policy to determine whether to allow access to the service or application. To use multi-factor authentication (MFA) for protecting sensitive services and applications, you must configure an authentication policy to display a web form for the first authentication factor. For more information, see Multi-Factor Authentication.

To facilitate MFA notifications for client-server applications (such as Perforce) on Windows or macOS endpoints, a VPN tunnel established through the GlobalProtect Client is required. When a session matches an authentication policy rule, the firewall sends a UDP notification to the GlobalProtect Client with an embedded URL link to the authentication portal page. The GlobalProtect Client then displays this message as a popup notification to the user.


A flowchart showing a typical MFA authentication using Palo Alto NGFW.

Processing steps

Users generate traffic to a service or application, which triggers the authentication process as shown in the following figure. A user wishes to access a service or application protected by an authentication policy. The authentication portal located on NGFW requires a username and password.

  1. The user's credentials are validated against LDAP or another authentication server type.
  2. After the user submits credentials, the authentication server sends additional user data with its successful authentication message back to the authentication portal.
  3. The authentication portal initiates MFA through PingID.
    A screen capture of the Palo Alto authentication portal.

    A screen capture of a GlobalProtect alert that notifies the user that additional information is required. The message says, "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate: https://mfa.acme.local:6081/php/uid.php?vsys-1&rule=0."
    Note:

    You can achieve the same workflow for client-server applications also. For more information, see Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications.

    The following configuration steps only describe authentication for a browser-based application using the authentication portal.

  4. PingID pushes an authentication request to the user's selected authentication method, such as mobile phone, email, or desktop application.
  5. The user completes the authentication request.
  6. PingID sends the authentication result to the authentication portal.
  7. The authentication portal allows access to requested service
Note:

In what follows, NGFW stands for New Generation Firewall

The following topics show how to secure an authentication portal sign-on with PingID. The example will add an LDAP and MFA authentication profile.